The new guidance, launched with the Chartered Institute of Building (CIOB), is aimed particularly at small and medium-sized firms.
According to government experts, the cyber threats facing the construction sector are so severe that firms should regard cyber security measures as essential as wearing hard hats on site.
Interserve, for example, was struck by a cyber-attack two years ago that was so severe – hackers stole details of current and former employees from the company database – that the company is still coming to terms with it. Interserve has refused to reveal any details, but it is understood that the implications are impeding the sale of Tilbury Douglas, the last remaining part of the group, post administration.
The new Cyber Security for Construction Businesses guide from the National Cyber Security Centre (NCSC) provides tailored, practical advice for the industry on how to protect their businesses and their building projects.
Construction businesses of all sizes are targets for cyber attackers because of the sensitive data they hold and high-value payments they handle, the NCSC said.
The guide offers practical advice for each stage of construction, from design to handover, and sets out the common cyber threats the industry faces, including from spear-phishing, ransomware and supply chain attacks.
Sarah Lyons, NCSC deputy director for economy and society resilience, said: “As construction firms adopt more digital ways of working, it’s vital they put protective measures in place to stay safe online – in the same way you’d wear a hard hat on site.
“That’s why we’ve launched the new Cyber Security for Construction Businesses guide to advise small and medium-sized businesses on how to keep their projects, data and devices secure.
“By following the recommended steps, businesses can significantly reduce their chances of falling victim to a cyber-attack and build strong foundations for their overall resilience.”
CIOB chief executive Caroline Gumble said: “The consequences of poor cyber security should not be underestimated. They can have a devastating impact on financial margins, the construction programme, business reputation, supply chain relationships, the built asset itself and, worst of all, people’s health and wellbeing. As such, managing data and digital communications channels is more important than ever.”
Construction minister Lee Rowley MP added: “Data and digital technology is helping to make the construction industry more productive, competitive and sustainable. However, with this new technology comes threats that businesses must be wary of and take action to defend themselves from. This guide provides firms with easy to follow, practical advice to improve resilience to online threats, which will help to ensure projects are delivered on time and securely.”
The new guidance is split into two parts: the first aimed at helping business owners and managers understand why cyber security matters, and the second aimed at advising staff responsible for IT equipment and services within construction companies on actions to take.
The advice outlines seven steps for boosting resilience, covering topics including creating strong passwords; backing up devices; how to avoid phishing attacks; collaborating with partners and suppliers; and preparing for and responding to incidents.
Last year, a survey of all types of businesses by the Department for Digital, Culture, Media & Sport found more than a third of micro (37%) and small businesses (39%) reported falling victim to a cyber security breach or cyber-attack in the previous year, with this increasing to 65% for medium-sized businesses.
For smaller construction businesses without dedicated IT staff, the NCSC’s Small Business Guide offers further advice on how to stay secure online, while larger organisations can find guidance in the 10 Steps to Cyber Security collection.
The guidance can be found at www.ncsc.gov.uk/guidance/cyber-security-for-construction-businesses