Hackers are aiming at this 'easy target'. Here's how to protect yourself

Construction firms are being offered tailored advice on how to protect themselves from cyberattacks and other online threats in new guidance from the National Cyber Security Centre (NCSC), the cybersecurity arm of intelligence agency GCHQ.

The new 'Cyber Security for Construction Businesses' guide is designed to provide practical advice to organisations in the construction industry on how to protect businesses and building projects from cyber threats.

The report warns that the construction industry faces threats from cyber criminals, ransomware gangs, malicious insiders and nation-state hacking operations.

SEE: Cybersecurity: Let's get tactical (ZDNet special report)

"Recent high-profile cyberattacks against the construction industry illustrate how businesses of all sizes are being targeted by criminals," NCSC said. Construction businesses are seen by cyber criminals as an "easy target", the guide said, as many have high cashflows, while the extensive use of subcontractors and suppliers involving large numbers of high-value payments makes construction businesses an attractive target for spear phishing.

"As construction firms adopt more digital ways of working, it's vital they put protective measures in place to stay safe online – in the same way you'd wear a hard hat on site," said Sarah Lyons, NCSC director for economy and society resilience.

"By following the recommended steps, businesses can significantly reduce their chances of falling victim to a cyberattack and build strong foundations for their overall resilience," she added.

Guidance offered includes advice on securing office equipment from malware and other cyberattacks, including that IT equipment is kept up to date with the latest security patches, ensuring that only approved apps are downloaded and that there are controls around how USB sticks and other removable media are used, as well as controls around how IT equipment can be accessed by third parties and suppliers.

Other guidance includes avoiding the use of predictable passwords, changing default passwords, using multi-factor authentication across all important accounts and other techniques that can help businesses avoid falling victim to phishing emails and other cyberattacks.

Organisations should also make plans around incident response, including regularly updating offline backups and to establish plans on how they would deal with different cyberattacks, should they face them.

The NCSC suggests that construction firms can do this using their free 'Exercise in a Box' product, which provides businesses with a means of testing their resilience and preparedness based on real cyber-threat scenarios.

The guidance is designed to be easy to understand in order to provide the construction, building supply and related industries with information that can protect them from the most common cyberattacks. Senior members of the industry, as well as IT departments, are urged to take the opportunity to examine now they can improve their cybersecurity defences to help avoid becoming a victim.

"The consequences of poor cybersecurity should not be underestimated. They can have a devastating impact on financial margins, the construction programme, business reputation, supply chain relationships, the built asset itself and, worst of all, people's health and wellbeing. As such, managing data and digital communications channels is more important than ever," said Caroline Gumble, chief executive of the Chartered Institute of Building.

"This guide provides a timely opportunity to focus on the risks presented by cybercrime," she added.

MORE ON CYBERSECURITY

• UK security centre urges companies to boost their defences after cyberattacks on Ukraine
• Cybersecurity: 11 steps to take as threat levels increase
• Bosses are reluctant to spend money on cybersecurity. Then they get hacked
• This company was hit with ransomware, but didn't have to pay up. Here's how they did it
• Cybersecurity: Many managers just don't want to understand the risks