The construction industry is undergoing a digital transformation, and construction companies have become an increasing target for cyberattacks.

Digital innovations, such as artificial intelligence (AI), and Building Information Modelling (BIM) can help ensure projects remain on time and under budget, but increasing digitalisation presents challenges as it increases the attack surface area for cyber hackers.

A 2024 GlobalData poll revealed that 73% of respondents said cybersecurity was either already disrupting their industry or would do so in the next 12 months. Despite this, according to the UK government’s Cyber Security Breaches Survey 2024, only 20% of construction firms have board members taking responsibility for cybersecurity.

Recent high-profile attacks on construction companies, such as the 2020 cyberattacks on UK-based BAM and Interserve, serve as a stark reminder that cyberattacks can have lasting operational and reputational impacts. Both targeted companies had recently built the Nightingale Hospitals, the temporary hospitals set up by NHS England for the Covid-19 pandemic. In a devastating year for high-profile cyberattacks on construction companies, Bouygues was also targeted by a cyberattack in 2020. It took all its information systems offline as a precautionary measure.

A rapid growth in data usage, and dispersed data from a mobile workforce across many locations increases vulnerability to cyberattacks. These challenges, alongside increased security threats—more complex ransomware, phishing attacks, and growing supply chain risks—mean that construction companies are under continual security pressure. Managing these challenges presents significant cost management issues, especially as the construction industry remains a high-volume, low-profit industry.

Construction vulnerabilities to cyberattacks

Construction companies’ supply chains are vulnerable to attack. The last few years have seen a series of supply chain attacks. In such attacks, rather than targeting a third-party vendor’s vulnerabilities as a way into another company’s network, attackers deliberately aim to exploit the trust that exists between legitimate organisations in normal business operations. Supply chain partners are often granted the right to use and manipulate areas of a company’s network, applications, or sensitive data. This means attackers only have to penetrate the third party’s defences to infiltrate the company’s system.

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

View profiles in store

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData

Submit

UK USA Afghanistan Åland Islands Albania Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bonaire, Sint Eustatius and Saba Bosnia and Herzegovina Botswana Bouvet Island Brazil British Indian Ocean Territory Brunei Darussalam Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos Islands Colombia Comoros Congo Democratic Republic of the Congo Cook Islands Costa Rica Côte d"Ivoire Croatia Cuba Curaçao Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland Islands Faroe Islands Fiji Finland France French Guiana French Polynesia French Southern Territories Gabon Gambia Georgia Germany Ghana Gibraltar Greece Greenland Grenada Guadeloupe Guam Guatemala Guernsey Guinea Guinea-Bissau Guyana Haiti Heard Island and McDonald Islands Holy See Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Isle of Man Israel Italy Jamaica Japan Jersey Jordan Kazakhstan Kenya Kiribati North Korea South Korea Kuwait Kyrgyzstan Lao Latvia Lebanon Lesotho Liberia Libyan Arab Jamahiriya Liechtenstein Lithuania Luxembourg Macao Macedonia, The Former Yugoslav Republic of Madagascar Malawi Malaysia Maldives Mali Malta Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia Moldova Monaco Mongolia Montenegro Montserrat Morocco Mozambique Myanmar Namibia Nauru Nepal Netherlands New Caledonia New Zealand Nicaragua Niger Nigeria Niue Norfolk Island Northern Mariana Islands Norway Oman Pakistan Palau Palestinian Territory Panama Papua New Guinea Paraguay Peru Philippines Pitcairn Poland Portugal Puerto Rico Qatar Réunion Romania Russian Federation Rwanda Saint Helena, Ascension and Tristan da Cunha Saint Kitts and Nevis Saint Lucia Saint Pierre and Miquelon Saint Vincent and The Grenadines Samoa San Marino Sao Tome and Principe Saudi Arabia Senegal Serbia Seychelles Sierra Leone Singapore Slovakia Slovenia Solomon Islands Somalia South Africa South Georgia and The South Sandwich Islands Spain Sri Lanka Sudan Suriname Svalbard and Jan Mayen Swaziland Sweden Switzerland Syrian Arab Republic Taiwan Tajikistan Tanzania Thailand Timor-Leste Togo Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu Uganda Ukraine United Arab Emirates US Minor Outlying Islands Uruguay Uzbekistan Vanuatu Venezuela Vietnam British Virgin Islands US Virgin Islands Wallis and Futuna Western Sahara Yemen Zambia Zimbabwe Kosovo

Industry * Academia & Education Aerospace, Defense & Security Agriculture Asset Management Automotive Banking & Payments Chemicals Construction Consumer Foodservice Government, trade bodies and NGOs Health & Fitness Hospitals & Healthcare HR, Staffing & Recruitment Insurance Investment Banking Legal Services Management Consulting Marketing & Advertising Media & Publishing Medical Devices Mining Oil & Gas Packaging Pharmaceuticals Power & Utilities Private Equity Real Estate Retail Sport Technology Telecom Transportation & Logistics Travel, Tourism & Hospitality Venture Capital

Tick here to opt out of curated industry news, reports, and event updates from Verdict.

Submit and download

Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

Cyberattacks are likely to exacerbate any financial difficulties due to time lost on projects, extortion, or regulatory fines. Cyberattackers who gain access to a company’s network may be able to steal and potentially sell intellectual property. Cyberattacks can also lead to data breaches and supply chain disruption. Any cyberattack is likely to cause financial damage and lasting reputational damage.

According to the UK government’s Cyber Security Breaches Survey 2023, just over one in ten businesses say they review the risks posed by their immediate suppliers (13%, vs. 11% of charities). More medium businesses (27%) and large businesses (55%) review immediate supplier risks. The latter result is up from 44% of large businesses in 2022.

A 2024 Q1 poll by GlobalData revealed that the most common cybersecurity attack concerns for companies are phishing and spear-phishing, ransomware, and ransomware attacks. According to data published in a 2022 report by Advisen, the most common construction cyber losses by type are unauthorised contact or disclosure, malicious data breaches, and ransomware. Despite only accounting for 10% of cyberattack losses, ransomware is a growing threat concern for construction companies.

Cybersecurity faces an AI challenge

The prospect of offensive attacks using AI is increasing cybersecurity budgets as organizations try to understand the impact of generative AI on their security. The construction sector is particularly vulnerable to cyberattacks because it is rapidly incorporating new technologies, resulting in a larger attack surface for hackers to exploit. The integration of AI increases this attack surface area due to novel attack routes such as prompt injection, model extraction, and dataset poisoning.

AI also offers multi-faceted defensive capabilities: many AI cybersecurity techniques involve supervised machine learning models trained on huge volumes of labeled attack datasets and intelligence, enabling them to identify a threat and respond to it swiftly. However, learning how to counter AI-led attacks will take time.

In January 2024, construction company Maire Tecnimont implemented the Vectra AI Platform, which is a network detection and response (NDR) solution that significantly improved its cyber-attack detection and response capabilities through artificial intelligence and machine learning. Vectra integration has led to a significant reduction in false positives and alert volume.

In April 2024, Accenture and Google Cloud announced an expansion of their global partnership to help businesses better protect critical assets against persistent cyber threats. Together, they are providing construction company Lendlease with cyber detection and response. capabilities that make use of Google Cloud’s generative AI.

What can construction companies do?

Policies such as zero-trust access, a security model that uses strict identity verification for every person or entity attempting to access an organization’s network resources, regardless of whether the person or entity is in the office, bound by the network perimeter, or accessing the network remotely, can drastically improve a company’s cybersecurity posture.

Due to the number of construction sites being worked on at any one time, it is essential to have a decentralised cyber policy during construction. A decentralised cybersecurity approach refers to a strategy that distributes cybersecurity measures across multiple locations, devices, and systems. In addition, secure supply chain management, companywide cybersecurity training, cyber insurance, and following government regulations will help to reduce the fallout from a cyberattack incident.

The European Commission, the US Securities and Exchange Commission (SEC), and the US Senate are stepping up regulatory efforts. The European Commission is expected to adopt draft regulations to establish a European cybersecurity certification scheme (ECCS). This will cover a broad range of IT products with security components such as smartphones, bank cards, and routers. A new standard proposed by the US Securities and Exchange Commission (SEC) in March 2022, effective December 18, 2023, requires public companies to disclose material cybersecurity incidents within four business days, along with periodic reports about their cyber-risk management plans. Therefore, companies with poor cybersecurity management are more likely to receive regulatory fines after data breaches or data privacy investigations.

Construction companies should view cybersecurity on an equal footing with physical security and ensure chief information security officers (CISOs) are on company boards. This will also help companies navigate increasing regulatory scrutiny. The bottom line is that cybersecurity attacks are inevitable, so construction companies looking to improve their cybersecurity must be proactive to remain resilient.