top of page

Cyber-crime risks are a building threat to construction businesses

The construction industry is made up of all different sized businesses, with many operating as sole traders. Whether running their business off their phone, simply working in their locality, or those that are larger regional companies operating across the UK - where in their list of priorities does cyber resilience lie?

No doubt the large national companies will have measures in place, and maybe a team that can react and develop their cyber security, but what about the small businesses, and the sole traders? The response is often; “why would a cyber-criminal choose to attack my business?”. Well, because they look for vulnerabilities, sometimes on a mass scale, and if you haven’t put basic security measures in place then you may be their next victim!

As the industry quickly becomes more advanced in the way it works, with a greater reliance on remote systems, contractors and sub-contractors to architects, engineers and surveyors, all have access to IT platforms in a way that is unique to the construction sector, leaving them open and vulnerable to attack.

And yet, according to the Department of Department for Culture, Media and Sport’s Cyber Security Breaches Survey 2022, construction didn’t fare as well as other sectors when it comes to how much importance it attaches to cyber security. For example, only 20% of construction firms are likely to have a board member taking responsibility for cyber security. The survey also identifies the construction industry as one of the sectors least likely to have cyber security rules in place, or to have looked to actively identify cyber threats to their business.

The industry use of sub-contractors and suppliers, and payments being made on a regular basis mean that this is the ideal environment to have a targeted phishing attack. This means that an attacker will send an email pretending to be from a legitimate person known to you – either a colleague, client or supplier - trying to trick you into providing sensitive details, or to allow them to compromise your account and send invoices out that divert payments to a criminal account

Regardless of the size of your business, you are also likely to have valuable data that is attractive to the criminal, whether that be employees’ payroll data, contractual details of the next project to be worked on, or customer payment details. One type of attack is using ransomware, which blocks access to systems and networks, so devices become unusable, on top of encrypting all your data. The criminal then demands a payment to unencrypt the data and restore access This will cause a shutdown of your business, as well as reputational damage with customers and partners.

Although the construction industry has moved quickly to adapt to new ways of working more efficiently over recent years, it is fair to say that the focus on cyber security has lagged behind. Yet, with so many elements at risk – stored data, the supply chains, procurement processes – these all provide pressure points in their systems’ weaknesses.

Understanding that cyber security is as important as the building projects you are working on, or wearing a hard hat on site, can mean the difference between being a cyber victim or successfully completing the work. The good news is that there are simple steps that you can take to build up your resilience to a cyber-attack such as:

  • Back up your data regularly and keep it separate from main systems

  • Use strong and unique passwords and avoid using the same one for multiple accounts

  • Enable two-factor authentication to make it impossible to get into an account with a password alone

  • Check all devices (including mobiles) have been installed with the latest software updates

  • Secure your Wi-Fi network

  • Invest in cyber security training sessions for you and your staff so phishing emails can be recognised

  • Keep auditing your security practices

The National Cyber Security Centre (NCSC), which is the government organisation that provides advice and support for the public and private sector in how to avoid computer security threats, has recently issued new guidance which is specifically designed to help small and medium sized-construction businesses. The guide offers practical advice for each stage of construction, from design to handover, and sets out the common cyber threats the industry faces, and comes in Welsh and English language versions:

The Cyber Resilience Centre for Wales is there to support sole traders, micro-businesses and SMEs across the region. We offer free membership which will inform you of the current threats and simple steps to take to reduce your vulnerability to an attack. By becoming a member, you will have the opportunity to speak to one of the team about your own cyber security and concerns.


The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for Wales is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for Wales provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for Wales does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for Wales is not responsible for the content of external internet sites that link to this site or which are linked from it.

bottom of page