top of page

Cybercrime risks are a building threat to construction businesses

As the largest industry in the UK, construction is now facing a hidden threat – cybercrime. It is now the fourth most targeted industry in the UK with 46% reporting attacks in the past year, up from 40% the year before.

As the industry quickly becomes more advanced in the way it works, with a greater reliance on remote systems, contractors and sub-contractors to architects, engineers and surveyors, all have access to IT platforms in a way that is unique to the construction sector, and this leaves them open and vulnerable to attack.

And yet, according to the Department of Department for Culture, Media and Sport’s Cyber Security Breaches Survey 2021, construction didn’t fare as well as other sectors when it comes to how much importance it attaches to cyber security, with construction at 64% versus 77% of businesses overall.

And only 5% of construction firms give staff awareness training.

Detective Superintendent Paul Lopez, Director of the Eastern Cyber Resilience Centre (ECRC), said: “Like the majority of sectors, the construction industry is becoming more technologically advanced with the creation of new applications and tools that are changing how companies design, plan, and execute projects. Throw remote working into the mix, then you have a hotbed of online programs and software that cyber criminals have potential access to.

“As it has moved quickly to adapt to new ways of working more efficiently, the focus on cyber security has lagged behind and yet with so many elements at risk – stored data, the supply chains, procurement processes – these all provide pressure points in their systems’ weaknesses.”

Phishing, ransomware, malware and identity theft are just a few tactics criminals use to target their victims. With the construction industry contributing almost £90 billion to the UK economy and comprising over 280,000 businesses, there is plenty of scope for an adept cybercriminal to achieve a successful attack. And the consequences are hugely impactful, causing financial damages, disruption to trading or even the loss of contracts and reputational damage.

James Clark, an independent quantity surveyor at Clark Cost Consultants Ltd, adds: “As a sector we are working in a much more progressive way in regards to the technology we use, processing and storing more and more data about clients, employees, colleagues and assets.

“Cyber security is as important as the building projects we work on. I have received many suspicious emails over the last few years that ask for personal information and they are increasing with worrying frequency. Investing in cyber security and a data protection plan is not just something we can do; it should be a critical part of our industry’s processes.”

Detective Superintendent Lopez offers his tips to businesses on how to stay better protected.

  • Back up your data regularly and keep it separate from main systems

  • Use strong and unique passwords and avoid using the same one for multiple accounts

  • Enable two-factor authentication to make it impossible to get into an account with a password alone

  • Check all devices (including mobiles) have been installed with the latest software updates

  • Secure your Wi-Fi network

  • Invest in cyber security training sessions for you and your staff

  • Keep auditing your security practices

The ECRC is encouraging businesses to join the organisation to improve their cyber resilience and awareness, with its free core membership.


The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the East is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the East provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for the East does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the East is not responsible for the content of external internet sites that link to this site or which are linked from it.

bottom of page