
Cybersecurity In Construction: What You Need to Know

While building sites have always been attractive targets for thieves, the construction industry now has to deal with threats in a relatively new area: cyberspace. Find out which threats your firm could be facing and how to minimize the risks.

Theft and petty crimes such as vandalism have always dogged the construction industry. A combination of valuable portable equipment and temporary locations can make construction firms and building sites attractive targets for thieves. The physical theft of machinery, equipment, and supplies can cost a business a lot of money.

Figures from insurer Allianz recently revealed that theft costs the industry £800m a year in the UK alone, and every sensible construction firm tries to minimise the risks by employing the best security practices. This could involve physical barriers in the form of fences, locks and secure buildings, security guards and patrols, equipment tracking and asset management systems.

Over recent years, however, the construction industry has faced a new threat. Some people who work in the industry might not consider construction to be a high-risk target when it comes to cybercrime, compared to areas such as finance and retail. However, the fact is that this relatively new type of crime is now a threat to every type of business, including small businesses and construction firms. This also means that cybersecurity in construction should be taken every bit as seriously as physical security.


Cybersecurity risks in construction

As mentioned, all types of businesses are at risk from cybercrime, but the threats, risks, costs, and solutions are not all the same. Different sectors have different challenges, and there are some cybersecurity risks in construction that are particular to the way that the industry works.


These industry-specific risks include:

  • A mobile workforce

Construction is carried out across a variety of sites and locations, which presents a physical risk and can also exacerbate the risks of cybercrime. Bases can often be temporary locations such as onsite cabins and trailers, with workers connecting to business networks and systems via laptops, tablets, and smartphones. Security can often be laxer than it would be in a permanent office, especially if there is a “bring your own device” (BYOD) policy in place, which allows workers to access critical systems on their own devices. It is important to have a policy that requires passwords and other validation, while mobile devices should be assessed for vulnerabilities.


  • File and data sharing outside the company

A construction project often involves collaboration between professionals of different disciplines, as well as stakeholders such as owners and clients. This means plans, blueprints and other sensitive information such as bids, financial information and employee records may have to be shared outside the company. Building information modelling (BIM) involves collaborations between multiple parties, and when it is integrated with a common data environment (CDE), it represents a potential treasure trove of data. Security, naturally, should be a top priority.

Data storage and protection must also comply with relevant regulations such as the General Data Protection Regulation (GDPR) if working within or dealing with the EU.


  • A high personnel turnover

Even within the company, there can be a high turnover and a reliance on subcontractors, making it difficult to arrange and deliver uniform IT and cybersecurity training.


Different types of threat

Cybercrime is a growing threat globally. In Germany, for example, intelligence agencies have warned that increasing cyber attacks are “ticking time-bombs” that threaten critical infrastructure as well as commercial interests.

According to HUB International: “The construction industry lags behind others when investing in high-level security and keeping up with current threats, and hackers are well aware and take advantage.”

There are a number of different types of cyberattack and other threats that could put a vulnerable construction firm or partner at risk. These include but are not limited to:

  • Malware

Malware comes in a variety of forms, but viruses, worms and other types are all designed to do harm to your systems and data. Sometimes, this can be an attempt to extort money from the victim – such as through ransomware – while other types of malware can be purely malicious in intent.


  • Ransomware 

This specialised type of malware encrypts and “locks up” critical systems and data, with the cybercriminals demanding a “ransom” in order to release them. This type of attack is on the rise, and there have been some high-profile cases in the past couple of years, such as the WannaCry attack that targeted the NHS in the UK, Spanish telecommunications giant Telefonica and other organisations worldwide.


  • Phishing

This involves an attempt to harvest data by getting individuals to click a hyperlink or open an attachment in a phishing email. Doing so could allow malware to install on the system, or take the victim to a fake website where they could enter sensitive personal or business information.


  • Password attacks

Cracking users’ passwords can give cybercriminals unfettered access to critical data and systems.


  • Distributed Denial of Service (DDoS)

These can be used to crash a website or disrupt valid users’ ability to access networks and systems. This is typically done by bombarding the site or system with superfluous requests.


How to minimise the risks

Luckily, there are some relatively simple steps that construction companies can take to reduce the risks of cybercrime.

All networks should be protected with security software and firewalls. Firewall-as-a-Service (FaaS) can allow for a dynamic and scalable barrier that can adapt to an organisation’s current needs. You can also initiate advanced email and web filtering on all business networks. This can not only prevent employees from accessing inappropriate content at work but also restrict access to potentially harmful websites.

Advanced threat detection (ATD) can scan all email attachments and links before they reach the user. Setting up your own password-controlled Wi-Fi on site rather than logging into other parties’ networks can also help you limit the potential risks to which you are exposed. Strong permission controls can limit the files, data, and parts of the network that different people are able to access.

While cybersecurity techniques, software, and systems have a huge part to play, human error can also frequently put firms at risk. It is therefore important to institute robust policies and training to help ensure that everyone in your organisation follows best security practices. In the cybersecurity arms race, it’s virtually impossible to guarantee immunity, but it is possible to drastically reduce your risks simply by adopting a common sense approach and taking the threat seriously.