top of page

The remote working risk for Construction firms

Construction has always had an element of remote working, however with the pandemic this has expanded to all areas of the business and with the widespread use come increased risk from cyber criminals.

Male looking at a digital construction guide

What is remote working?

Remote working is working anywhere other than a centralised office location, so for most construction workers, remote working is a given. This could be as simple a checking delivery schedules at home before leaving for the site if this means accessing your company network to do so. Even if staff don’t have to be on a site, they can still be remote worker by working from home or even from a local café.

What about sub-contractors?

And it’s not just full-time employees that construction firm owners need to be consider when they are looking at their cyber resilience. Sub-contractors might have access to company networks but how do you know that they are protecting their devices/data and their behaviour isn’t causing increased risk to your company?

Some of the risks

  • Data protection – whether its sensitive paperwork bring brought away from secure offices, laptops being left on public transport or a burglar stealing the company laptop, the risk of data breaches increase the more we travel away from set locations and the more distracted we become.

  • Use of personal devices – there are a range of risks in relation to this, from not having devices updated meaning there are known security vulnerabilities, malicious apps being downloaded, or external storage infected with malware being brought in for use on company networks.

  • Insecure home networks – default router passwords may allow an attacker on to a home system.

  • Communication when a cyber incident does hit – if all your IT systems go down, how do you communicate with staff who are not in the office? Where are your contacts lists?

  • Phishing emails – remote workers apparently can be more distracted than office workers, with deliveries, washing, children being some of the reasons why attention might be taken away. Phishing emails rely on employees acting before they think so a distracted employee is a prime target.

Screenshot of the sub-contractors guide first page

Key actions for consideration

  • Share our subcontractors guide with those that need it and get them to increase their cyber resilience, protecting themselves and you. It is designed to be viewed on your phone or tablet for out and about reading. Or you can download a copy.

Download PDF • 2.06MB
  • Staff awareness training – may sure that employees understand the increased risks involved with remote working and how they can help build the cyber resilience of the organisation. This should include phishing as well as the use of personal devices.

  • Clear incident response plan – make sure you have thought about how you would deal with all your IT systems being unavailable. Make sure it includes your remote workers, the communication with them and isolation of their devices if required. You can download the ECRC's free template to help get you started.

  • Protect your devices – all devices should be password protected and be capable of being remote wiped should the device be lost or stolen.

Further Guidance and Support

The ECRC is a police-led, not for profit organisation which companies can join for free.

Our core membership provides:

  • Threat alerts both regionally and nationally

  • Signposting to free tools and resources from both Policing and the NCSC

  • Little steps programme – series of weekly emails which aligns to cyber essentials looking at bite-sized practical information to build cyber resilience

  • Discussion area to meet and discuss other companies in the region and our partners

Why not join us today or contact us for more information about how we can support you build your cyber resilience.

The Eastern Cyber Resilience Centre logo


The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the East is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the East provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for the East does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the East is not responsible for the content of external internet sites that link to this site or which are linked from it.

bottom of page