top of page

Why does my building firm need to know about passwords?

Fifty percent of the construction companies on mainland UK are in the East and Southeast of England. Construction is big business in The East of England and is a vital part of the regional and national economy. House building and infrastructure lead the way across our region, and it is a sector that is set to grow significantly over the next 3-5 years. And with critical national infrastructure projects like the Lower Thames Crossing and Sizewell C yet to start it is an exciting time to be part of this busy sector.

crane on a construction site

But increasing business, more reliance on technology and general poor standard of cyber hygiene means that they are also a sector that are likely to attract the attention of cyber criminals.

Across all sectors phishing is by far the most common cyber-attack. In fact, Metacompliance found that 91% of cyber-attacks started with a phishing campaign – and weak passwords coupled with a lack of multi factor authentication are huge vulnerabilities that will allow criminals into your network. After they get access to your network they can steal your data, extort you to get it back, and they can use you as jump off point to attack your customers and your supply chain.

As the Chartered Institute of Building (CIOB) CEO Caroline Gumble said: “The consequences of poor cyber security should not be underestimated. They can have a devastating impact on financial margins, the construction programme, business reputation, supply chain relationships, the built asset itself and, worst of all, people’s health, and wellbeing.

What does a strong password look like?

The below graphic represents the time it would take for a cybercriminal to hack (brute force) a password using current technological capabilities.

Hive systems Brute force password table

Credit: Hive Systems -

Passwords should ideally be in the green section of this table, but if one of your current passwords is in another colour - do not worry. We would just advise that change it to something more secure and unique. With the rapid advancements in processing power, areas in the orange section may look secure right now, but it the next couple of years, they may become much weaker.

The NCSC recommend use three random words followed by punctuation to create a secure and unique password. To find out more about passwords guidance, click here.

Multi Factor Authentication

Two Factor Authentication (2FA) and Multi Factor Authentication (MFA) are incredibly useful in protecting your systems, accounts, and devices.

2FA and MFA are essentially two or more methods that can verify your identity. A cybercriminal may be able to crack your username or password, but they do not have your fingerprint, Face ID, or your mobile phone to authorise a log in attempt on a mobile authenticator app.

2FA follows the idea of using a combination of two of ‘Something you know’, ‘Something you have’, and ‘Something you are’. So, you might have a password that you have remembered, a physical identification token like a badge, and a fingerprint scanner. Often times the ‘something you have’ will take the form of a different device, like a mobile phone, in order to verify your identity when connecting to services online.

By enabling MFA across your systems, accounts, and devices you are providing an additional layer of defence to protect you from a cyberattack.

What can you do?

  1. See what passwords you and your staff have which have already appeared in data breaches and change them as soon as possible. Why not run a poll to see who has the most/least breaches? is a legit website where you can enter your email address and telephone number to see if your information has been captured in a data breach. You can also register your email address or domain and get notified if it appears in another breach.

  2. Have a clear password policy for staff and tell them why having strong, unique passwords are essential. If you need some help with this, our affordable student services offer security awareness training. Why not make a booking to discuss further?

  3. Enable 2FA and MFA wherever you can, but especially on your emails and social media accounts. Even with the best passwords, once someone knows that password then the system is no longer secure. With 2FA or MFA, even if the password and username are known, the criminal won’t have access to the second verification factor so they shouldn’t be able to just “log in”.

  4. If your staff have a lot of passwords to remember, consider getting an enterprise password manager so they only have to remember one and the password manager generates and remembers the rest – saying goodbye to reused passwords.

  5. Join the ECRC with free membership. Core members receive regular updates which include the latest guidance, news, and security updates as well as a series of "little steps" emails designed to get your business cyber resilient. Did you know that your local police force has Protect officers who will do free staff awareness training? The National Cyber Security Centre have created an e-leaflet that you can access at Cyber security for construction businesses - NCSC.GOV.UK. If you wanted to test your and your staff’s knowledge about passwords have a look at the centres free password quiz.

Further guidance & support

You can contact the Cyber Resilience Centre for guidance and support through our e-mail or use our online booking system to make an appointment with one of our team.

Core members receive regular updates which include the latest guidance, news, and security updates. Our core membership has been tailored for businesses and charities of all sizes who are based across the seven counties in the East of England.

Reporting Cyber Crime

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).

The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the East is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the East provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for the East does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the East is not responsible for the content of external internet sites that link to this site or which are linked from it.

bottom of page