Are cybercriminals really interested in builders?

After all, the industry's focus is on physical work with bricks and mortar. Surely digital activity is fairly minimal and unlikely to attract cyber criminals - isn't it?


Here at the Eastern Cyber Resilience Centre, we have seen the construction industry come to rely significantly on technology over the last decade. There have also been seismic shifts in project delivery and in how organizations operate. From office operations to activities on-site, technologies such as cloud storage, email and smartphones are commonplace.


Digital tools, such as Building Information Modelling (BIM), are becoming increasingly commonplace at the design stage, along with technology such as 3D-printing, remote building monitoring systems, brick-laying robots, and other automated techniques. It is clear that the sector is operating in a modern, digitized and connected way.


But as the industry progressively embraces modern technologies it cannot afford to ignore the corresponding risks.


If unmanaged, cyber risk ultimately threatens to outweigh the benefits gained from continued technological advances. It is a common misconception that, because the industry doesn't regularly deal with personal data, it is not a target for cyber criminals. Unfortunately, this is not the case. The industry presents a wide range of attractive opportunities for cyber criminals.


From controlling critical services, to the theft of trade secrets, there are many reasons that a construction sector organization could fall victim to cyber-crime. Tracking cyber incidents can be tricky, especially as a lot of incidents still go unreported. And while the construction sector may experience cyber-crime, unless a breach conforms to strict reporting requirements, the majority will not be publicised. This lack of knowledge-sharing can lead to underestimates of the true nature and scale of cyber exposures. If the industry is unaware of common vulnerabilities, it presents low-hanging fruit for cyber criminals.


The average cost of a data breach currently sits at nearly four million US dollars.

Imagine, for example, that your entire library of CAD drawings was encrypted and ransomed, or simply deleted.

What would it cost to recommission and replace them all?

Then, add the wide range of associated business interruption costs, such as delays to on-going projects and employee overtime.

You then begin to see the true impact of a potential cyber incident.


How are the Government helping?


The government and the Eastern Cyber Resilience Centre fully understand the critical place that construction fills within the UK and regional economy, and the vulnerabilities that the sector now faces. To meet these challenges, they have created a new sector-specific guidance package, which can be accessed here: Cyber security for construction businesses - NCSC.GOV.UK


This simple guidance package is the first-ever cyber security guidance aimed at the UK construction industry issued by GCHQ’s National Cyber Security Centre.


Due to online threats facing the sector, the NCSC advises firms that cyber security measures are as vital as wearing a hard hat on site.


The guidance has been launched in association with the Chartered Institute of Building and is aimed at small and medium-sized construction businesses.


We fully support the guidance package and would recommend that all construction businesses take the time to read it and carry out the activities recommended within.


But this is just the start of your cyber journey, and we would also recommend that you look to adopt the Cyber Essentials accreditation.


So, what is Cyber Essentials?


Cyber Essentials is a simple and effective Government-backed scheme, supported by industry experts and the Cyber Resilience Centre Network, which will help you put measures in place to protect your organisation against a range of the most common cyber-attacks. This includes protecting against threats such as malware, ransomware, and phishing. Read more here: Cyber Essentials & Plus Training & Certification | ECRC (ecrcentre.co.uk)


A company operating under Cyber Essentials processes is 99% protected either fully or partially from today’s common cyber-attacks.


What next?

The impact of a successful attack against your website or network can be catastrophic and lead to website downtime, loss of business and loss of reputation. In the worst cases it can lead to the closure of the business altogether. But all is not lost.


So, what can I do?

Here at the centre, we would advise you to do three things now:

  1. Join our free core membership by clicking through to https://www.ecrcentre.co.uk/core-membership-sign-up. Through the free Little Steps pathway, you will be supported in implementing the changes you need to make to protect your business and your customers.

  2. Read the guidance: Cyber security for construction businesses - NCSC.GOV.UK

  3. We would also recommend that you speak to your Managed Service Provider and / or website company to discuss how they can implement cyber resilience measures on your behalf.

Further guidance & support

The Eastern Cyber Resilience Centre is a not-for-profit membership organisation, run by policing, with the intention of increasing cyber resilience of SMEs within the East of England.


You can contact the Cyber Resilience Centre for guidance and support through our e-mail enquiries@ecrcentre.co.uk or use our online booking system to make an appointment with one of our team.


Policing led – business focussed.

Reporting Cyber Crime

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).

