*Supplied content 

Paul Peters, Director of the Cyber Resilience Centre for Wales, provides an insight into the current cyber security threats facing small and medium-sized construction companies and offers some tips on how to protect your construction business.

The construction industry is made up of businesses of all sizes, with many operating as sole traders. Whether you are running your business off your phone, simply working in your locality, or managing a team that works across the UK - where in your list of priorities does cyber resilience lie?

No doubt the large national companies will have measures in place, and maybe a team that can react and develop their cyber security, but what about the small businesses, and the sole traders? The response is often: “why would a cyber-criminal choose to attack my business?”. Well, because they look for vulnerabilities, sometimes on a mass scale, and if you haven’t put basic security measures in place then you may be their next victim.



A growing threat to construction businesses 

As the industry quickly becomes more advanced in the way it works, with a greater reliance on remote systems, everyone from contractors and sub-contractors to architects, engineers and surveyors has access to IT platforms in a way that is unique to the construction sector, leaving them open and vulnerable to attack.

And yet, according to the Department for Culture, Media and Sport’s Cyber Security Breaches Survey 2022, construction didn’t fare as well as other sectors when it comes to how much importance it attaches to cyber security. For example, only 20% of construction firms are likely to have a board member taking responsibility for cyber security. The survey also identifies the construction industry as one of the sectors least likely to have cyber security rules in place, or to have looked to actively identify cyber threats to their business.

Beware of common cyber risks

  • Phishing attacks: The industry's use of sub-contractors and suppliers, with payments being made on a regular basis, makes it the ideal environment for a targeted phishing attack. This means that an attacker will send an email pretending to be from a legitimate person known to you – either a colleague, client, or supplier – trying to trick you into providing sensitive details, or to allow them to compromise your account and send out invoices that divert payments to a criminal account.
  • Ransomware attacks: Regardless of the size of your business, you are also likely to have valuable data that is attractive to criminals, whether that be employees’ payroll data, contractual details of the next project to be worked on, or customer payment details. One type of attack uses ransomware, which blocks access to systems and networks, so devices become unusable, on top of encrypting all your data. The criminal then demands a payment to decrypt the data and restore access. This will cause a shutdown of your business, as well as reputational damage with customers and partners.

Top tips to protect your construction business

Although the construction industry has moved quickly to adapt to new ways of working more efficiently over recent years, it is fair to say that the focus on cyber security has lagged behind. Yet so many elements are at risk – stored data, the supply chains, procurement processes – and each one is a pressure point where weaknesses in a firm's systems can be exposed.

Understanding that cyber security is as important as the building projects you are working on, or wearing a hard hat on site, can mean the difference between being a cyber victim or successfully completing the work.  The good news is that there are simple steps that you can take to build up your resilience to a cyber-attack such as:

  • Back up your data regularly and keep it separate from main systems.
  • Use strong and unique passwords and avoid using the same one for multiple accounts. 
  • Enable two-factor authentication so that a password alone is not enough to get into an account.
  • Check that all devices (including mobiles) have the latest software updates installed.
  • Secure your Wi-Fi network.
  • Invest in cyber security training sessions for you and your staff so phishing emails can be recognised.
  • Keep auditing your security practices.

Access support from the Cyber Resilience Centre for Wales  

The National Cyber Security Centre (NCSC), the government organisation that provides advice and support for the public and private sector on how to avoid computer security threats, has recently issued new guidance specifically designed to help small and medium-sized construction businesses. The guide offers practical advice for each stage of construction, from design to handover, sets out the common cyber threats the industry faces, and comes in Welsh and English language versions.

The Cyber Resilience Centre for Wales is there to support sole traders, micro-businesses and SMEs across the region. We offer free membership which will inform you of the current threats and simple steps to take to reduce your vulnerability to an attack. By becoming a member, you will have the opportunity to speak to one of the team about your own cyber security and concerns.


*Disclaimer: The content for this blog post has been supplied by the Cyber Resilience Centre for Wales and is independent of the FMB. Publication does not constitute endorsement or recommendation from the FMB.
