Cyber Security Guidance for the Construction Sector
The Cyber Resilience Centre are committed to supporting the growing construction sector in the North West by offering a range of affordable cybersecurity services and guidance.
The Cyber Resilience Centre works to support construction companies across Manchester, Liverpool, Chester, Preston and the whole of the North West.
According to the latest Cyber Readiness Report from insurer Hiscox, the construction sector is the fifth most at-risk industry for a cyber attack.
The sector is made up of small and medium-sized companies, and in the UK it contributes 9% of GDP, worth £117 billion per annum (according to FMB).
The threats construction firms face
Equipment is a target for thieves, both for resale and especially if it stores sensitive data.
While some of your equipment may not be especially expensive to replace, the data stored on it could be very valuable to a cyber attacker.
IT equipment left or stored in vehicles or site offices can be particularly vulnerable to opportunistic thieves.
Loss of Personal Data
You should think about how you store personal data on a construction site, such as the details of individuals and their emergency contacts, and health and safety incident reports.
Remember that this information is personal and covered by data protection legislation and should be protected accordingly.
Do you have a system in place to receive, track and store electronic and paper-based documents?
This can be physical or digital (or a combination) and should control access to sensitive information, as well as maintain a ‘golden thread’ of information (quality and up-to-date information records throughout the asset lifecycle) that is critical to a project or business transaction.
Staff not Trained
The importance of wearing a hard hat, for example, is self-explanatory. By contrast, explaining the danger of clicking on links within suspicious emails might be a harder sell.
Staff generally want to do the right thing, but when they don’t know why they’re being asked to do (or not do) something, it can seem like ‘security for its own sake’.
Not having a Cyber Risk Assessment
A risk assessment is a vital part of any construction project, and this should include cyber security risks (as well as the usual health and safety ones).
Conducting a cyber security risk assessment at the start of the project allows you to identify what cyber security risks your business might face, and to build in precautionary steps you can take.
On completion of the project, there may be installed building management systems (for example BMS, BACS, BEMS and IACS).
It is important that these systems are handed over to the client so that they can continue to secure the building and any digital-based systems it might contain.
Gary: Building Contractor
Gary has been a contractor for 15 years working across several sites and is often only in his home office for 2 days a week. He spends the rest of the time driving up and down the country visiting job sites and customers.
Gary often forgets to back up and update his work devices and leaves them on the passenger seat of his work truck.
Gary often reuses passwords to make life easier when logging into work accounts and refuses to use two-factor authentication because he finds it annoying.
Gary mixes his personal and work phone contacts when on the move and often saves client details in the notes app on his personal phone.
Gary uses any public wi-fi network he can find when on the road.
How can the Cyber Resilience Centre help you stay secure?
We can provide a range of affordable, professional cyber security services that help your construction firm assess, build and manage your cyber security capabilities, build confidence in your staff, understand your vulnerabilities and secure your business.
You can also download our Cyber Incident Response Pack, which contains documents to help your business plan its response to a cyber incident.
As a construction firm, you will regularly store, manage, and oversee valuable data from your clients. You’re entrusted with sensitive business data. All construction professionals need to be aware of the latest cyber-related risks and cyber-attacks whilst working remotely or in the office.
We can perform a comprehensive review of publicly available information about your construction firm. This can help you learn what is being said about your company, what account details or passwords have been leaked or if there are any damaging news stories or social media posts.
It's important that you test your IT system configuration with a vulnerability assessment. This assessment uses the same techniques used by hackers to ensure your company is not wide open to a cyber attack.
We have designed a Cyber Health Check to provide construction firms with a summary of their cyber risks through a self-assessment questionnaire and police-certified recommendations report and action plan.
A Simulated Phishing Exercise can help to raise your staff's awareness of phishing emails and guard your business against the growing trend of social-engineering threats. Training your employees so they know what a phishing attack looks like means they are more likely to identify and report scams.