What are the cyber threats for the construction industry in the East of England?

Historically, the construction industry is reported as the second lowest sector to have adopted information technology. Although slow to introduce technology, the number of different applications now are staggering, with AI, machine learning and remote access to systems becoming commonplace.


Previously the construction sector had limited personal data so many assumed that they were not a target for cyber criminals, unfortunately they were wrong.

Image of bridge being built

With the increase in technology adoption comes the increase in attack vectors for cybercriminals to take note of, and according to Nordlocker, the construction sector is now the most targeted industry from ransomware attacks.


Supplier lists, customer data, payment information, infrastructure details, sensitive business details, the construction industry has it all. And the impacts of an attack can be severe.


Only 64% within the construction industry believe that cyber security is a high priority with only 20% of firms having board members responsible for cyber security (Cyber Security Breaches 2021).


It’s not just large firms which are affected. In the Eastern region one micro construction firm had 5 out of their 6 servers encrypted with Conti ransomware. They recovered within a couple of days but then found out that their removable media used for backups also was infected and that data had been stolen and was publicly for sale.


What are the most common attacks on the construction industry?

Image of laptop with ransomware message on
  • Ransomware – this is where a virus encrypts the data wherever it can get access to. Criminals will then demand payment for a decryption key to decrypt the data. Criminals have become proficient at stealing data before encrypting files so this should always be considered when ransomware is involved.

  • Business Email Compromise – this can be a compromise of your systems or one of your suppliers. Criminals gain access to an email mailbox and can either monitor communications or use the mailbox for their own purposes, such as sending out a change of payment details or sending malicious attachments. You can see an example of an email compromise in our short video.

Both attacks can start through a phishing attack (tricking the victim to believe that they are a legitimate organisation) and phishing attacks are by far the most common cyber attack as they can be deployed at scale, with some statistics showing that 91% of cyber-attacks start with a phishing email.


What are the Impact of Attacks

  • The business can’t function without the affected systems. This could affect the ability to complete a project on time, leading to financial penalties and reputational damage.

  • Theft of Intellectual Property such as sensitive blueprints or schematics, leading to significant reputational damage and potential lawsuits.

  • Theft of Bid Data leading to the business no longer being able to be competitive in the marketplace.

Are construction firms currently cyber resilient?

Image of lego figure with unhappy mouth

Construction firms are below average when it comes to identifying, managing, and minimising cyber risks with only 35% having done any actions (such as cyber risk assessments, phishing simulations, vulnerability testing, threat intelligence) in this area.


Construction is also in the bottom of industries who have implements technical cyber security controls, they are less likely to have restricted IT access (61%, vs. 75% overall) or to have an agreed process around phishing attacks (39%, vs. 58% overall).


Only 5% of construction firms did any kind of security awareness training with their staff. This statistic is shocking when it is widely established that phishing attacks are by are the most common attack and staff play a key role in defending organisations against this. The ECRC can provide affordable staff awareness training bespoke to your company. Make a booking to speak with us about how we could help your company.


What should a construction firm be doing?

  • Join the ECRC - our free membership provides a “little steps” email series designed to introduce you to the key concepts of cyber resilience along with practical implementation. We also provide guidance to free tools and access to our affordable service when you are ready to move past the fundamentals. To register click here.

  • Implement 2FA wherever available and ensure your staff are not reusing weak passwords. If you want to find out more about why passwords are so important, watch our short videos.

  • Staff awareness training – if you teach your staff to protect themselves, they will also be better prepared to protect your business. And it’s not only about that phishing email, what about the physical security of the business? Could someone drop a USB or even send you a USB loaded with malware?

  • Have offline backups so that if you do get hit with ransomware you can recover quickly. Ensure that you test you can get to them and use them if your system goes down.

  • Install your updates as soon as possible. Known vulnerabilities are known to criminals as well and they will use this to target companies who have not updated their systems.

  • Install and use anti-malware on all your devices including your phones.

Further guidance & support

You can contact the Cyber Resilience Centre for guidance and support through our e-mail enquiries@ecrcentre.co.uk or use our online booking system to make an appointment with one of our team.


Core members receive regular updates which include the latest guidance, news, and security updates. Our core membership has been tailored for businesses and charities of all sizes who are based across the seven counties in the East of England.


The ECRC is a policing-led, not for profit, membership organisation, with the aim to increase the cyber resilience within small and medium businesses within the East of England (Hertfordshire, Bedfordshire, Cambridgeshire, Norfolk, Suffolk, Essex and Kent).


Policing led - business focussed.


The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the East is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the East provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for the East does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the East is not responsible for the content of external internet sites that link to this site or which are linked from it.