top of page

Why would criminals be interested in construction company websites?

After all, the industry's focus is on physical work with bricks and mortar. Surely digital activity is fairly minimal and unlikely to attract cyber criminals - isn't it?

photograph of a construction site

Here at the Eastern Cyber Resilience Centre, we have seen that the construction industry has shown a significant reliance on technology over the last decade. There have also been seismic shifts in relation to project delivery and how organizations operate. From office operations to activities on-site, technologies such as cloud storage, email and smartphones are commonplace.

Digital tools, such as Building Information Modelling (BIM), are becoming increasingly commonplace at the design stage, along with technology such as 3D-printing, remote building monitoring systems, brick-laying robots, and other automated techniques. It is quite clear that the sector is unquestionably operating in a modern, digitized and connected way.

But as the industry progressively embraces modern technologies it cannot afford to ignore the corresponding risks. If unmanaged, cyber risk ultimately threatens to outweigh the benefits gained from continued technological advances. It is a common misconception that because the industry doesn't regularly deal with personal data that it is not a target for cyber criminals. But unfortunately, this is not the case. The industry presents a wide range of attractive opportunities for cyber criminals.

From controlling critical services, to the theft of trade secrets, there are many reasons that a construction sector organisation could fall victim to cyber-crime. Tracking cyber incidents can be tricky, especially as a lot of incidents still go unreported. And while the construction sector may experience cyber-crime, unless a breach conforms to strict reporting requirements, the majority will not be publicised. This lack of knowledge-sharing can lead to underestimates of the true nature and scale of cyber exposures. And if the industry is unaware of common vulnerabilities, it presents low-hanging fruit for cyber criminals.

Common website cyber threats – if you don’t understand the jargon talk to us at the centre

  1. Weak passwords so criminals just log in to your systems – no technical experience required but easy to fix from your point of view.

  2. Your website isn’t updated with the latest security patches – criminals know when security patches are released and will look for those sites which haven’t been updated and therefore have a known security issue that they can exploit.

  3. Your website is vulnerable to SQL injection attacks – this is a technique where a criminal places malicious code into SQL statements via web page inputs and could potentially destroy your database!

  4. Your website is vulnerable to XSS (Cross-site scripting) attacks – this is where the criminal compromises the interactions that users have with your website or application.

  5. Your website has insecure direct object references – this is part of access control implementation mistakes which can lead to access controls being circumvented and a criminal able to access your valuable data.

picture of cyber threat.

Do you know if your website is vulnerable?

The only way to really know is to pressure test your site. But do you really want to know? Nothing bad has happened so far and if you don’t know about it then surely you can’t be guilty of not fixing it?

Ask yourself these questions:

  • How would the people that you represent feel if their sensitive data were stolen and sold?

  • How would your supply chain feel if their confidential data were leaked?

  • Would your customers have expected you to do everything you could to protect their data?

The ECRC offers members affordable web application vulnerability assessments. We work with university students who conduct the testing and provide you with a detailed report, but explained in plain English, so you understand what the risks are and what you need to do to fix them. Find out more here.

Is there anything I can do for free?

The impact of a successful attack against your website or network can be catastrophic and lead to website downtime, loss of business and loss of reputation. In the worst cases it can lead to the closure of the business altogether. But all is not lost.

  1. Sign up to the Eastern Cyber Resilience Centre and join our growing community of regional businesses who are committed to stranding up to cybercriminals. Its free and we will give you support and guidance around the areas that you need to consider in every aspect of your business to build your resilience.

  2. For small and medium sized businesses in the Eastern region we would recommend that you look at improving your overall cyber resilience through the free Little Steps pathway we provide to Cyber Essentials – the basic government backed kite mark standard for cyber security.

  3. Join the centre as a free member and we will take you as far as the CE accreditation process. And if you want to pay for the assessment, we can refer you one of our Trusted Partners – all regionally based cyber security companies that can help you become accredited.

  4. Get your staff to check their details on – you can search for your email address and telephone number against data breaches and if your details show up in them you need to change your passwords (everywhere you use the password). Once you have done this implement strong password policies. Passwords should be unique and complex. Watch our short video for more information about this.

  5. Enable two factor authentication (2FA) on all your important accounts (email, social media, where you have financial information stored) – this will stop a cybercriminal from being able to access your accounts, even if they have your username and password form a data breach. You can find more about 2FA here

  6. Apply all security updates to your applications, systems, and devices.

Reporting Cyber Crime

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).


The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the East is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the East provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for the East does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the East is not responsible for the content of external internet sites that link to this site or which are linked from it.

bottom of page