Building On Your Cyber Security Posture In The Construction Industry


The construction industry encompasses the literal building blocks of the world. Every single person has benefitted from the construction industry’s hard work, determination, and intelligence. Construction, even in its simplest form, has been around since the Neolithic age, 12,000 years ago. Yet one of the biggest threats facing the industry has only been around for 30 years.

Cyber attacks are increasingly common across all industries, but recently the focus has shifted to construction, with companies like Bouygues UK, Bam and Interserve all being hit in the last year. Yet the recent report by the Department for Digital, Culture, Media and Sport (DCMS) said that overall, the construction sector treats cyber security as a lesser business priority. Furthermore, only 20% of construction companies have a board member who is solely responsible for cyber security.

Any information that is of value to your business is of value to cyber criminals. Cyber criminals are well aware of organisations’ lack of focus on security and are now turning their attention to the construction industry, looking to steal financial information, personnel information, blueprints and architectural drawings by means of ransomware and double extortion (where they demand payment both to return your information and to stop them from selling it).

Yet there is no silver bullet to stop these attacks. Many cyber security vendors will claim to be the one-stop shop to ensure your company’s safety in the cyber landscape, selling you thousands of pounds worth of equipment. But in the end, if the basics aren’t covered, thousands of pounds in equipment will get you nowhere.

The UK government identified this as an issue all across the UK and introduced the Cyber Essentials scheme in 2014. Cyber Essentials has been designed to help businesses of all sizes ensure that they have the necessary core controls in place to protect themselves against cyber attacks and comes in two forms – Cyber Essentials and Cyber Essentials Plus. The core technical controls for both consist of:

  • Firewalls
  • Secure Configuration
  • User Access Control
  • Malware Protection
  • Patch Management

The only difference between Cyber Essentials and Cyber Essentials Plus is that Plus is the audited version, ensuring that the information given is correct and true.

The benefits to the construction industry are two-fold. Firstly, it gives organisations the peace of mind that they have the basics in place, so that if they are targeted in a cyber attack they have the necessary controls to fight against it and keep information secure. Secondly, more and more organisations in the supply chain now require construction companies to have Cyber Essentials, and without the certification they could lose out on contracts.

Cyber security should not be seen as an ‘insurance policy’, but rather as a real business benefit whose value and effectiveness members of the board can see on an ongoing basis. Moving along the ‘cyber security maturity scale’ should be aspirational for organisations and helps them fully understand where their shortcomings are.

If this article has resonated with you, please get in touch either on an informal or formal basis. Any discussions will be in full confidence with no commercial obligation. You can get me at or give me a call on 01423 425498.
