top of page

Are cyber-attacks a genuine concern for the construction industry?

It is a common misconception that because the industry doesn't regularly deal with personal data that it is not a target for cyber criminals. But unfortunately, this is not the case.

Person in construction uniform facing away

The sector holds valuable data, including supplier lists, customer information, and sensitive business details, making the impact of an attack severe. With the increase in technology adoption comes the increase in attack vectors for cybercriminals to take note of, and according to Nordlocker, the construction sector is now the most targeted industry from ransomware attacks.

Only 64% within the construction industry believe that cyber security is a high priority with only 20% of firms having board members responsible for cyber security (Cyber Security Breaches 2021). When, it comes to cybersecurity, even small companies are not immune. In the Eastern region one micro construction firm had 5 out of their 6 servers encrypted with Conti ransomware. They recovered within a couple of days but then found out that their removable media used for backups also was infected and that data had been stolen and was publicly for sale.

The average cost of a data breach currently sits at nearly four million US dollars. Imagine, for example, that your entire library of CAD drawings was encrypted and ransomed, or simply deleted. What would it cost to recommission and replace them all? Then, add the wide range of associated business interruption costs, such as delays to on-going projects and employee overtime. You then begin to see the true impact of a potential cyber incident.

What is an Incident Response Plan?

Unfortunately, the first time that an organisation discovers they need an Incident Response Plan often coincides with the realisation that they don’t have one.

The plan itself is simply a document containing the details of key personnel who you can contact if you are worried that you have been victim of a cyber-attack. It also contains key information to help you move through the various stages of containment and then recovery.

As can be seen in the below diagram you will start in the triage stage of the breach, trying to figure out what the scale of the breach is and the impact now and in the future.

graph of incident management and response

As a starting point we have created a template for you to start building your plan from. You can download it here. The template contains flowcharts and checklists as well as posters so that your team can see what actions they need to take should they be the first aware of a problem.

ECRC incident response plan template

Having a good response plan means that you are more likely to come through the experience more quickly and efficiently and with less of your systems exposed to the hack. And the responsibility for establishing and maintaining a plan is down to the business owner and not the managed service provider you use for your IT.

Like running fire alarm drills, you should also practice your incident response plan and make sure that covers everything that you need it to. The National Cyber Security Centre’s Exercise in a Box is an excellent starting point. This exercise will help you to check out how well you and your business can respond to a cyber-attack.

So, what should my company do now?

Here at the centre, we would advise you to do three things now

  1. Download your free incident response plan template here

  2. Join our community free today. You will be supported through implementing the changes you need to make to protect your business and your customers.

  3. We would also recommend that you speak to your Managed Service Provider and / or website company to discuss how they can implement cyber resilience measures on your behalf.

  4. Have a look at our construction company cyber guide that gives all kinds of hints and tips specifically for your sub-contractors.

Finally, we would recommend that you look at improving you overall cyber resilience through the free Little Steps pathway we provide to Cyber Essentials – the basic government backed kite mark standard for cyber security.

As a free member we will take you as far as the CE accreditation process. And remember that a company operating under Cyber Essentials processes is 99% protected either fully or partially from today’s common cyber-attacks. And if you want to pay for the assessment, we can refer you one of our Trusted Partners – all regionally based cyber security companies that can help you become accredited.

Reporting a live cyber-attack 24/7

If you are a business, charity or other organisation which is currently suffering a live cyber-attack (in progress), please call Action Fraud on 0300 123 2040 immediately. This service is available 24 hours a day, 7 days a week.

Reporting a cyber-attack which isn't ongoing

Please report online to Action Fraud, the UK's national reporting centre for fraud and cybercrime. You can report cybercrime online at any time using the online reporting tool, which will guide you through simple questions to identify what has happened. Action Fraud advisors can also provide the help, support, and advice you need.

Alternatively, you can call Action Fraud on 0300 123 2040 (textphone 0300 123 2050).


The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the East is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the East provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for the East does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the East is not responsible for the content of external internet sites that link to this site or which are linked from it.

bottom of page