The construction industry isn’t typically associated with cyber risk—an ‘unseen’ risk in a world of physical work and tangible assets. But, with an increasing reliance on technology for communication and project delivery, construction companies may need to build themselves stronger cyber defences.

Author: Tracy Keep


The construction sector presents a lucrative target for cybercriminals looking to extort money, and is now one of the leading industries impacted by data security incidents.1

A common misconception is that because construction companies may not regularly deal with digital personal data, credit card details, and other sensitive information, they would not be prime targets for cyber-attacks. In addition, the construction industry has typically had limited regulation and guidance on cybersecurity, compared to other industries, but, this is changing.

The way companies operate has evolved considerably over the last decade—and so has cyber risk. Smartphones and tablets are widely used, email is a key form of communication with clients and suppliers, and cloud storage is increasingly used to store information—from contracts to CAD drawings. Intellectual property is hot property for cybercriminals, as is corporate banking information, financial accounts, and employee personal data.

So, if you wouldn’t leave a building site unsecured, why would you neglect to secure this vital data and information your company holds?

Cyber-attacks in construction—some examples

One of the main types of cyber-attack on construction companies is ransomware, when an attacker holds a computer system hostage and demands payment to restore access. Here are just a few examples of attacks in the last couple of years in the UK:

  • A major contractor operating in the UK suffered a ransomware attack on its computer systems network that impaired its operations, and required the restoration of its IT network.2
  • Hackers exploited a vulnerability in a construction services company’s website. By doing this, they were able to access the firm’s network and carryout a ransomware attack—encrypting the firm’s files and demanding payment to restore access.3
  • A UK infrastructure management company was hit by a cyber-attack from a ransomware group that leaked some of its data, including contracts, financial documents, confidential partnership agreements, and non-disclosure agreements.4

Another common cyber-attack to look out for is that of fraudulent wire transfers, where large sums of money can be moved out of an account, often due to social engineering (the use of deception to manipulate individuals into divulging sensitive information). Incidents can involve the receipt of false invoices, a request for information, or an email from someone claiming to be a supplier who has changed their bank details and is asking you to update your records for future payments. Human error is the most common reason for a cyber incident (across all industries), and this is a classic example.

Automation—friend and foe?

Moving from people to machinery, construction processes are now relying more and more on autonomous processes, which brings its own cyber risks. Right from the design stage, digital tools such as building information modelling (BIM) are being utilised, and technology is increasingly relied upon throughout the construction process, including 3D-printing, robotic brick-laying systems, or remote building monitoring.

While there are clear benefits to these processes in terms of efficiency and transparency, they can also expose a company to cyber risks if data security and privacy risk assessments are inadequate. One such risk is a distributed denial-of-service (DDoS) attack, whereby the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the internet. This can also lead to a malware/ransomware attack.

Cybersecurity through every link of the chain

Of course, cyber risk can be difficult to control on a construction site, with subcontractors and temporary staff from various companies adding to the potential cybersecurity vulnerabilities. It is therefore important for contractors to ask their sub-contractor partners to demonstrate sound cybersecurity practices in their tenders. Firms are more likely to entrust their data to supply chain partners who can demonstrate a strong commitment to cybersecurity.

However if a cyber incident occurs—and whoever is indirectly or directly responsible—it can cause extreme business disruption, financial loss and reputational damage, so businesses need to consider every link of the chain.

How Gallagher can help you strengthen your cyber resilience

We have a specialist cyber risk management practice here at Gallagher, that regularly runs cyber risk webinars to help businesses of all sizes and sectors manage their cyber risk.

You can book your place here for the next Gallagher Cyber Assist webinar, where our focus will be on how to better understand your organisation’s cyber risk, strengthen your digital defences, and position your company to secure adequate cyber insurance in a challenging cyber insurance market.

Or, to see all our recent and upcoming cyber webinars, click here, where you can select a topic and register to join or watch on demand.

Author Information


The sole purpose of this article is to provide guidance on the issues covered. This article is not intended to give legal advice, and, accordingly, it should not be relied upon. It should not be regarded as a comprehensive statement of the law and/or market practice in this area. We make no claims as to the completeness or accuracy of the information contained herein or in the links which were live at the date of publication. You should not act upon (or should refrain from acting upon) information in this publication without first seeking specific legal and/or specialist advice. Arthur J. Gallagher Insurance Brokers Limited accepts no liability for any inaccuracy, omission or mistake in this publication, nor will we be responsible for any loss which may be suffered as a result of any person relying on the information contained herein.