Hackers are aiming at this 'easy target'. Here's how to protect yourself

Guidance from the NCSC urges small businesses in construction to boost their cybersecurity as hackers see a tempting target.
Written by Danny Palmer, Senior Writer on

Construction firms are being offered tailored advice on how to protect themselves from cyberattacks and other online threats in new guidance from the National Cyber Security Centre (NCSC), the cybersecurity arm of intelligence agency GCHQ.

The new 'Cyber Security for Construction Businesses' guide is designed to provide practical advice to organisations in the construction industry on how to protect businesses and building projects from cyber threats.

The report warns that the construction industry faces threats from cyber criminals, ransomware gangs, malicious insiders and nation-state hacking operations.

SEE: Cybersecurity: Let's get tactical (ZDNet special report)

"Recent high-profile cyberattacks against the construction industry illustrate how businesses of all sizes are being targeted by criminals," NCSC said. Construction businesses are seen by cyber criminals as an "easy target", the guide said, as many have high cashflows, while the extensive use of subcontractors and suppliers involving large numbers of high-value payments makes construction businesses an attractive target for spear phishing.

"As construction firms adopt more digital ways of working, it's vital they put protective measures in place to stay safe online – in the same way you'd wear a hard hat on site," said Sarah Lyons, NCSC director for economy and society resilience.

"By following the recommended steps, businesses can significantly reduce their chances of falling victim to a cyberattack and build strong foundations for their overall resilience," she added.

Guidance offered includes advice on securing office equipment from malware and other cyberattacks, including that IT equipment is kept up to date with the latest security patches, ensuring that only approved apps are downloaded and that there are controls around how USB sticks and other removable media are used, as well as controls around how IT equipment can be accessed by third parties and suppliers.

Other guidance includes avoiding the use of predictable passwords, changing default passwords, using multi-factor authentication across all important accounts and other techniques that can help businesses avoid falling victim to phishing emails and other cyberattacks.

Organisations should also make plans around incident response, including regularly updating offline backups and to establish plans on how they would deal with different cyberattacks, should they face them.

The NCSC suggests that construction firms can do this using their free 'Exercise in a Box' product, which provides businesses with a means of testing their resilience and preparedness based on real cyber-threat scenarios.

The guidance is designed to be easy to understand in order to provide the construction, building supply and related industries with information that can protect them from the most common cyberattacks. Senior members of the industry, as well as IT departments, are urged to take the opportunity to examine now they can improve their cybersecurity defences to help avoid becoming a victim.

"The consequences of poor cybersecurity should not be underestimated. They can have a devastating impact on financial margins, the construction programme, business reputation, supply chain relationships, the built asset itself and, worst of all, people's health and wellbeing. As such, managing data and digital communications channels is more important than ever," said Caroline Gumble, chief executive of the Chartered Institute of Building.

"This guide provides a timely opportunity to focus on the risks presented by cybercrime," she added.


Editorial standards