Three cyber security slip-ups that could cost you business

17 January 2019

A construction risk assessment is not complete without a full digital review

Is your company’s digital security up to scratch? If it’s not, you could be losing out on business as a result. Global cyber-crime is on the increase, and project owners are becoming more selective about potential construction partners, opting for risk-aware companies that tackle the threat head-on.

Online crimes affect 15% of construction businesses – about one in six companies. Some 71% of cases arise from computer viruses and 10% from malicious hacking *1. 

While a construction site risk assessment is ‘de rigueur’ for contractors, owners and developers, companies must now factor in effective cyber risk management regimes too.

These measures will go far to reassure financiers, win clients and retain business. Construction risk managers must prove they are tackling data breaches and ransomware attacks as well as eradicating human error and more.

Effective construction insurance is no longer enough. During initial meetings, contractors can now expect to be asked questions about, and to provide proof of, how their sensitive information is stored and managed.

Processes under the spotlight include:

  • Designing and assessing projects.
  • Completing and managing a build.
  • Providing employers, clients and supply chain companies with access to ideas, internal data and sensitive project-related information.

Construction companies, though, have been slow to buy in to the ‘new normal’; official figures paint a worrying picture regarding the safe use of digital systems and networks.

Data security: How UK contractors are lagging behind their peers

Almost half of UK businesses (46%) identified at least one cyber security breach in 2017, according to the Department for Digital, Culture, Media and Sport’s (DCMS) cyber security breaches survey *2. This figure rose to two thirds (68%) among large companies.

Despite the targeting of their sector detailed in the UK Home Office figures, construction firms’ responses to the DCMS survey indicate a more relaxed attitude to the threat:

  • Senior managers in the construction industry are less likely to view cyber security as a high priority than the all-sector average.
  • About 41% of construction companies never update senior management on cyber security.
  • Only 35% of construction sector respondents reported that their core staff takes cyber security seriously at work.

The cost of poor digital security

Containing cyber threats is a crucial form of construction risk management, regardless of whether a company is engaged in tendering or bidding for work.

Digital attacks result in significant financial liabilities. The average cost to large companies of a single security breach in 2018 was £2.7m, according to a report by technology giant IBM *3.

Heavy penalties can result from infringements of the EU’s General Data Protection Regulation (GDPR). The GDPR, which came into force in May 2018, introduced “effective, proportionate and dissuasive” administrative fines of up to 4% of annual global turnover or €20 million, whichever is greater.

A high-profile data breach could cost a firm dear in terms of reputational damage. Reduced share prices have been reported, too.


Why have cyber criminals started attacking construction companies?

Construction is becoming a major cyber-crime target for organised criminal gangs, who are ‘diversifying’ out of drug smuggling and other high risk activities. State-sponsored cyber-crime, by less technologically advanced countries, is a threat too.

Construction is a valuable part of the British economy: The value of all new work reached £109,387 million in 2017, the highest since records began in 1997 *4.

While traditionally a low tech industry sector, it has seen an increase in digitisation. But often, this comes without a commensurate improvement in digital security, making it a hot prospect for cyber criminals.

Read more about the nature of the cyber threat in Cyber Risks for Construction and Facilities Management Contractors.

Cyber security: How to get started

To up their game, tighten security and woo investors, contractors and developers need to understand the digital element of construction risk.

Spear phishing, WannaCry, NotPetya, Meltdown, Spectre… The digital threat is characterised by nebulous perils and unfamiliar terminology. It is difficult to comprehend in a traditional risk management sense. Limited understanding is no surprise in the face of a multi-faceted, constantly evolving threat.

Many contractors and developers partner with a construction insurance broker who is able to decode the jargon and who understands cyber risk and the ways it affects contractors and developers.

As a starting point, focus on the following three areas:

1. Protect your trade secrets

For companies who undertake design and/or construct activities, items such as designs, blueprints, formulas and equipment specifications are often considered prized intellectual property, especially by nations with less advanced engineering capabilities.

In construction, a lot of data and information is generated in design. The advancement to Level 2 Building Information Modelling (BIM) introduces an additional level of cyber vulnerability, as does the move towards similar technology globally. BIM is a digital representation of physical and functional characteristics of a facility and is effectively an enabler towards a more digital, data driven industry.

Level 2 BIM promotes sharing, analysis and reuse of information by multiple parties to a construction project across its life cycle. While a huge technological leap, it opens up data security issues within the industry.

Employees might have mobile access to confidential information such as architectural or engineering drawings, intellectual property and financial business information (among other things).

Unintentional staff mistakes, such as remotely accessing data via a non-secure network, can have costly consequences for a business.

Level 3 BIM will further increase connectivity. The creation of international ‘Open Data’ standards to enable easy sharing of data is one of the key measures outlined in the government's BIM Level 3 Strategic Plan.

2. Monitor your supply chain and other connections

Digitisation brings expanded networks. And supply chain partners bring their own set of digital risks. Even if a contractor employs cutting edge cyber security, it could be vulnerable to breaches within smaller, less cyber-secure companies further down its supply chain.

In a connected world, a company is only as strong as its weakest link. As contractors embrace a more mobile workforce, the concept of a network perimeter has changed dramatically. Networks that conventionally had defined borders and limited demarcation points are expanding.

Increased complexities in business delivery channels mean companies need to be aware of not only what is happening within their network, but also have visibility of vendor connection points, mobile endpoints, subsidiary organisations and other interconnections.

3. Deflect ransomware attacks

It’s not just the theft of trade secrets that might lead to an exposure. The ever-increasing reliance on technology makes businesses vulnerable to attack, unauthorised access, intrusion, destruction and extortion.

This does not need to be as drastic as a terrorist hacking the network for reconnaissance on building plans (though this might be an exposure). There has been a growth in business disruption attacks where the attackers are not motivated to steal data, but rather to damage core business processes.

What if the hacker shut down a company’s lighting or air conditioning? Workplace legislation in many countries would mean that the building(s) would be uninhabitable and a business might suffer an interruption or an increase in the cost of working until the problem could be resolved.

How can I protect my company?

Risk management: Cyber-crime is a complex risk that needs specialist considerations. Work with your broker and other advisors to quantify risk and develop robust policies that put your company demonstrably ahead of its competition.

Insurance coverage: Human error means that even the most robust cyber processes could fail. Should the worst happen, a cyber liability policy can cover a wide range of exposures, including failure to protect confidential corporate information or an individual’s identifiable information - even when the data is stored in paper files.

For more information about all aspects of cyber risk management for contractors, contact Peter Chesterfield on +44 (0)20 7528 4069. 



*1 Home Office: Commercial Victimisation Survey, 2016
*2 Department for Digital, Culture, Media and Sport: Cyber Security Breaches Survey, 2017
*3 IBM / Ponemon Institute: 2018
*4 Office for National Statistics: Construction Statistics: Number 19, 2018 edition