Construction remains to be a target sector for cyber criminals. The UK Government’s Cyber Security Breaches Survey for 2023 found that construction companies are one of the most likely to fall victim to cyber-facilitated fraud, whilst simultaneously being less likely to have controls and measures in place to prevent this.

For a trade that is meticulous around securing the safety of its workers and managing the physical risks that come alongside the job, there needs to be greater clarity around what construction businesses should be doing to reduce their online risks. A successful cyber-attack carries limitless financial, operational, and reputational challenges. Therefore, making the investment to understand the issue and implement the fundamental practices of good cyber security now can help to avoid or limit damage to the business later down the line.

Why are construction companies targeted?

The construction industry is targeted for the same assets as everybody else, which is money and sensitive data. However, having high cash flows and extensive connections between suppliers, sub-contractors, and other businesses, can make this sector appear as an easy target. Regardless of the size of the business, criminals can capitalize on the fact that these companies do not tend to work from a central base, and lots of business is conducted on personal devices across separate locations. This working style lends itself to phishing, and spear phishing in particular.

Spear phishing is a targeted attempt by criminals to trick somebody into revealing sensitive information or making a fraudulent payment. In construction, this could come via email, SMS, or phone, and appear as a legitimate request from a supplier or sub-contractor, asking for a payment that is due or requiring personal information. This sort of request could appear very normal, and if the criminal has done some background research about the company, it can be very legitimate and convincing. If a phishing attempt is successful, it has the potential to either take money directly, use personal information to phish somebody else in the network, or to install malware or ransomware on the company’s devices. Phishing is one way that companies are targeted but there are other areas where people need to be vigilant too. Ransomware, Business Email Compromise (BEC) and malware also pose a risk to construction firms.

How does a vulnerability assessment help?

When approaching cybersecurity as an issue, one of the best places to start is by assessing your current position and identifying any outstanding vulnerabilities. Investing in a vulnerability assessment is one way to do this. At the ECRC, in addition to our free resources and tools, we also offer several affordable services to help identify such vulnerabilities, at a cost that is affordable for many SMEs.

Our services are provided by students, who are employed on the Cyber Path talent pipeline. These local students are mentored and monitored by senior ethical hackers, facilitating first-hand training for those who may become the future leaders in the fight against cyber-crime. This not only makes their services more affordable than those provided by commercial companies, but by utilizing their skills you are supporting the next generation of cyber-talent. The various vulnerability assessments on offer are listed below.

Web Application Vulnerability and Threat Assessment:

This service assesses your website and web services against the top ten security risks, searching for weaknesses and vulnerabilities. Service reporting outlines any weaknesses in plain language, explaining what it means and providing guidance on how to improve.

Remote Cyber Vulnerability and Threat Assessment:

This involves reviewing your internet connection remotely, in the same way an attacker would. These are not penetration tests with the goal of complete system compromise and control, rather tests focused on identifying weaknesses that could be used by attackers to achieve those ends. Service reporting is then provided in plain language to explain the findings.

Internal Cyber Security Audit, Vulnerability and Threat Assessment:

This requires access to your internal network to simulate somebody who has gained illegitimate access. It will scan and review your internal networks and systems for elements including poorly maintained or designed systems, insecure Wi-Fi networks, insecure access controls, or opportunities to access sensitive data. Again, service reporting will describe what each weakness means, the risks associated, and guidance on how to fix them.

If you receive a troubling service report and choose to take remedial action, the ECRC partners with several cybersecurity companies who can help you to manage this, however there is no obligation to do so. The ECRC also offers Staff Awareness Training, which is a fantastic option to help educate workers and volunteers about the top cybersecurity risks online as well as how to work safely.

What should you do next?

Signing up as a free member of the ECRC ensures that your company is supported in making slight changes that have a fundamental impact on your cyber resilience. Once signed up, you will receive regular communications via email, designed to be informative and practical, helping you make behavioural changes in increments. Additionally, our website contains lots of useful information, as well as links to other free policing and NCSC resources designed to support you. The ECRC also attend and advertise regular in-person and online events that are happening across the region. Becoming a member means you will be made aware of any relevant events that are happening with details on how to register for them.

Furthermore, the NCSC has many tailored resources such as their ‘Cyber Security for Construction Businesses Guide, which detail the problems facing this sector, as well as what construction companies can do to protect themselves. Engaging with NCSC resources such as their Cyber Action Plan and Exercise in a Box can be another way to take stock of your current cybersecurity position and formulate a plan to improve it further.

If you are interested in vulnerability assessments or wish to chat about cyber resilience and how the ECRC can help you, please book a chat with us today!

Reporting a live cyber-attack 24/7:

If you are a business, charity or other organisation which is currently suffering a live cyber-attack (in progress) please call Action Fraud on 0300 123 2040 immediately. This service is available 24 hours a day 7 days a week.

Reporting a cyber-attack which is not ongoing:

Please report online to Action Fraud, the UK’s national reporting centre for fraud and cybercrime. You can report cybercrime online at any time using the online reporting tool, which will guide you through simple questions to identify what has happened. Action Fraud advisors can also provide the help, support, and advice you need.

Alternatively, you can call Action Fraud on 0300 123 2040 (textphone 0300 123 2050)