11 July 2022
New guide set to help construction firms avoid cyber attacks

Over the past 12 months, nearly one in four UK companies (39%) reported a cyberattack, which is defined by the National Cyber Security Centre (NCSC) as “a malicious attempt to damage, disrupt or gain unauthorized access to computer systems, networks or devices, via cyber means”.

The most common form of cyberattack is phishing, whereby scammers try to trick their victims into revealing a company’s or their own personal details by use of fake emails, text messages or phone calls. Less common, but still prevalent, were more sophisticated cyberattacks including:

  • Malware – i.e., malicious software such as viruses, trojans, worms or other harmful code that could have an adverse impact on organisations or individuals
  • Ransomware – i.e., whereby criminals hack into an organisation’s systems and remove access to data or systems until the victim makes a ransom payment
  • Denial of service – i.e., an attack that is intended to shut down a machine or network, making it inaccessible to users.

Construction – an easy target

According to the NCSC, businesses operating in the construction industry are considered easy targets by cyber criminals. This is because they have large cashflows, make a great deal of high-value payments to sub-contractors and suppliers, and process and have access to a lot of sensitive data. In addition, as part of an industry that has traditionally been reluctant to embrace digitisation and technology, construction businesses’ cyber defences are typically not as robust as their peers’ in other sectors, making it easier and cheaper for criminals to launch a successful attack.

In 2020, for example, two construction companies that were closely involved in the construction of so-called ‘Nightingale Hospitals’, which were set up to ease the pressure on hospitals during the coronavirus pandemic, were hit by cyber-attacks. Criminals hacked into Interserve’s HR database and stole the sensitive data of up to 100,000 people. Meanwhile, BAM Construct UK suffered a similar breach that forced it to take some of its systems offline.

New guide

Back in February, “groundbreaking” new cybersecurity guidance, entitled Cyber security for construction businesses, was jointly published by the NCSC and the Chartered Institute of Building. It is designed to help small and medium-sized construction businesses a) understand the importance of cybersecurity and b) protect themselves against cyber-attacks. The advice is split into two distinct parts:

  • Why cybersecurity matters – this is all about explaining the importance of cybersecurity and the various forms a cyberattack can take. This section also looks at the adverse impacts a cyberattack could have at each stage of the construction process, i.e. design, construction and handover.
  • Advice and guidance – this is aimed at construction staff who are responsible for the upkeep and maintenance of their business’s IT systems.

How construction businesses can prevent cyber attacks

The guide offers practical advice for businesses that could, if followed, prevent serious financial and reputational damage. Examples of steps businesses can take to improve their cybersecurity include:

  • Back up your data and store a copy separately and securely – this will ensure businesses still have access to critical data even if there is a cyberattack.
  • Use antivirus software – businesses may be unaware that separate software is likely to be needed for phones and tablets.
  • Only download apps from approved stores (such as Google Play or the Apple App Store).
  • Keep all IT equipment up to date – for example, ensure you are running the latest operating system.
  • Use an encryption product – encryption changes the composition of a message or document so that it reads as gibberish to unauthorised users.
  • Don’t leave phones and tablets unlocked – use a password or PIN.
  • Make sure devices can be tracked, locked or wiped if they are stolen – there are free online tools that can help you with this.
  • Use strong passwords – passwords such as ‘password’, ‘qwerty’ or ‘123456’ are very easy to guess and break.
  • Use two-factor authentication – this is a login method that requires two separate pieces of information (for example, a password and a code texted to your phone).
  • Check all emails for signs of phishing and report an email if you believe it to be suspicious.

Cybersecurity should be top priority

According to the government’s Cyber Security Breaches Survey 2022, the average estimated cost of cyberattacks in the past 12 months was £4,200. This rises to an astonishing £19,400 when only considering medium-sized and large businesses.

It is little wonder, then, that 82% of boards or senior management within UK businesses now rate cybersecurity as a ‘very high’ or ‘fairly high’ priority. By following just some of the steps outlined in the new guidance, construction firms will be able to reduce their risk of cyberattacks and minimise the severity of the financial and reputational damage that follows.