
The Complete Guide to Cyber Security in UK Construction



When most people think of cyber security and cybercrime, they picture hackers in dark hoodies, dwarfed by stacks of computers and servers as they sneak in the digital back door.

However, while it’s true that cybercrime is more prevalent than ever before, it might surprise you that, according to a Stanford University study, 88% of corporate cybercrime is the result of employee error. So, the hackers aren’t sneaking in the back door. They’re usually being let in through phishing or ransomware attacks.

Cyber security in UK construction is no different, and if you’re not actively looking for potential holes in your digital security systems, there’s a good chance they’re already being used by people and organisations with less than honourable intentions. Here’s what you need to know about cyber security in UK construction and how to keep your data and business safer.

What Is Cyber Security?

Most of us think of cyber security as one thing: something we do and check off the to-do list, like the anti-virus software we install on our computers to protect them from viruses and malware. However, while that might have protected your computer relatively well 20 or 30 years ago, things have changed a lot.

These days, with estimates that 33 billion user accounts will be compromised due to cybercrime this year, there isn’t a one-size-fits-all solution.

So, instead of just one piece of software, today, cyber security is a network of protocols, software, hardware, and more, all designed to stay one step ahead of ever-smarter online criminals. It’s all the active and passive steps your organisation takes to create layers of security.

Cybercrime — More Serious Than You Think

Another big problem with cyber security in UK construction is that we tend to think of it as something that happens to other companies in other industries. We don’t see ourselves as potential targets for cybercriminals.

However, if you think cyberattacks only happen to big companies, you’ll be surprised to learn that nearly half of all cyber-attacks target small businesses.

You’d probably be even more surprised to discover that cyber-attacks have taken critical infrastructure offline and crippled construction businesses worldwide, including in France, India and Brazil. They cost billions of pounds a year and can cause whole cities, businesses and services to grind to a halt.

All these attacks have been slightly different, but they prove that no one is immune to the ever-growing threat of cybercrime, and everyone is potentially at risk.

Phishing attacks are an extremely common form of cyber attack.

Cyber Security for the Construction Industry

In the construction industry, we sometimes feel like we’re insulated from issues like cyber-crime. Maybe it’s because the construction industry, in general, has been slower to adopt technology. But we’re definitely making up for lost time, and more construction businesses of all sizes are embracing digitisation across all departments, processes and projects.

Cyber security is so crucial to construction that the National Cyber Security Centre produced a construction industry-specific guide along with the Chartered Institute of Building (CIOB). You can find the full document here, but we’ll summarise the most important points below.

Construction Companies are Easy Cybercrime Targets

Most construction businesses don’t realise that we’re seen as easy targets precisely because we don’t see ourselves as important targets and because the industry has been slower to adopt technology. Far from being immune to cyber-attacks, construction businesses are often perfect targets.

Construction is also a high-value industry. There’s a lot of serious money moving around, and that is just another reason cybercriminals have got us all in their crosshairs. Even if they can’t access your bank account, they know that there’s a lot at stake.


Different Types of Cyber Attacks

Very often, construction businesses aren’t buying or selling online, so cyber criminals that attack them aren’t intercepting money. That’s another reason we feel safer. We’re not running e-commerce stores, so it doesn’t seem like we’d be a very good target.

But here’s the thing: we have a lot of data.

Cybercriminals who target the construction industry usually focus on that data, either by accessing, copying, and sharing it illegally or by installing malware on your company's computers and network, taking control of your files, and holding them for ransom. It’s called ransomware, and it’s probably the most common and one of the most debilitating types of cyber security breaches in the construction world.

Imagine if you suddenly could not access any project data, estimating files or shop drawings. It’s the kind of thing that can cause your business to grind to a complete halt.

Protecting the Whole Project Lifecycle

In some areas, the project process is quick. A customer decides to buy a product, you make it and deliver it, take their money, and you both walk away.

Construction has a much longer sales and project life cycle, and there’s an enormous amount of critical data generated and stored at every step of the process. There’s even a period after you’ve finished a project and collected the final payment that you still need to be prepared for warranty claims or latent defects remediation.

This extremely long data retention requirement is another thing that makes construction such a prime target for cybercrime. Hackers know that you need to keep the information for your projects for years, so whenever they decide to attack, it will be a critical issue.

Data is becoming more important in construction — make sure it's protected.

Back All Data Up

No matter how careful you are to protect your business against cyber-attacks, and no matter what precautions you take for active cyber security in your business, there’s always a chance that something will fail, someone will forget, and something will go wrong.

This is why one of the most important parts of any good cyber security plan is to make sure that everything is backed up, preferably in the cloud or physically on an offsite server that’s not on your network.

Backups should be frequent and automated, so ask your IT team or provider to set them up so that they either happen in real time (if you’re backing up to the cloud) or run every day when everyone has left the office.

Employee Buy-In and Training

Since 88% of all cybercrimes these days are in some way attributable to employee action or inaction, that also means that people are the biggest security risks in construction, at least when you’re considering digital crime.

So, it’s only logical that improving cyber security in construction does not end when you do a cyber security risk assessment and install some new software. Every person in your organisation needs not only to understand your plan and processes but also to be actively engaged in following them and protecting your data integrity. There are several steps that you will need to take to make that happen, such as:

  • Ensuring that new hires have appropriate cyber security training during the onboarding process
  • Regularly reviewing security protocols within your teams and getting feedback from team members
  • Updating cyber security policies and processes
  • Providing training whenever processes, software or other elements of your cyber security plan change

Rather than being passive bystanders, good cyber security in construction requires every employee at every level to be fully engaged and actively vigilant.

Don’t Forget the Obvious

Too often, when we think about cyber security in UK construction, we imagine the dark figures firing off lines of code to break into our systems, and we ignore the simpler, more obvious methods criminals use to gain access.

Often, it’s just someone looking over your shoulder when you log in, a folder left in the car or opening the wrong email attachment that creates a cyber security crisis.

Ensure that your construction cyber security plan includes training and reminders to always be aware. Look out for spelling and grammar errors in potential phishing or ransomware emails. Always log out of your accounts, especially when using publicly accessible computers. Look closely at the sender’s email address, and never open attachments you’re not expecting.

Cybercriminals are always changing and evolving, and it’s almost impossible for security software to stay ahead of them all the time. But if your people themselves are programmed to be cautious and sceptical, you’ve got an even more powerful layer of security working for you.

Always remember that cybercrime usually looks more like someone copying off your test paper than a spy thriller! Simple steps are often the best defence, and turning them into habits helps to prevent accidental slip-ups.

Certifications for Better Cyber Security

The good news is that you’re not alone when it comes to cyber security for small businesses in the UK. Even if you don’t know where to start, great free resources can help.

The UK government offers two fantastic certifications – Cyber Essentials and Cyber Essentials Plus – that are crash courses in the basics you need to keep your business safer from cybercrime. While they don’t replace a cyber security risk assessment, they will show you how to do one and how to select the security measures your business needs.

Even if you’ve never thought twice about digital security, these courses explain it in simple terms and give you actionable steps you can implement immediately.

Nobody wants to be the reason for a security breach.

The Importance of Software and Servers

The final important point you need to know about cyber security in UK construction is that you don’t always control everything related to digital security.

Two big areas of potential risk are software and servers.

When it comes to software and security risks in construction, you need to look for platforms and software providers that take security seriously. Granular permissions, user-friendly user management systems and multi-factor authentication, for instance, are all must-haves in any construction software you use.

When you’re shopping for any construction software for your business – or any other software for that matter – always make security one of your first discussion points. If they’re not concerned about your security, they’re probably not the software company for you.

The other risk is servers, and there are several areas of concern here. First, your web and email servers need to be properly protected to avoid online attacks. Your physical network servers also need to be secured, and you need to ensure that any cloud-based solutions you’re using also implement rigorous security protocols.

Anywhere you store or use your data is a potential entry point into your company’s digital existence, and they all need to be protected from attacks.

It Only Takes One Slip-Up

Usually, in articles like this, this is the point where you’re reassured that you don’t need to worry too much, but in this case, that’s not how this goes.

The truth is, all it takes is one slip to allow malicious code or ransomware in, and once it’s there, it can cause millions of pounds worth of damage. If you do nothing else to improve your company’s digital resources this year — make cyber security your priority.

Some people might ask, “Can an individual be responsible for a data breach?” or what the Data Protection Act says about data breach fines, but the truth is, if you get to that point, you’ve gone way too far already.

The saying “prevention is better than cure” might be an old one, but when it comes to cyber security in UK construction today, it’s never been truer.

If you’re ready to work with a construction software company that puts security right at the top of every list, we’d love to show you more about how the Trimble suite of products keeps your data secure online and off.