Fortifying Construction—Cybersecurity Tips

Sep 21, 2023

Strengthening your cybersecurity has become increasingly important for any business but particularly so for construction firms.

Working frequently on remote sites, using a mix of contractors and subcontractors, and sending large sums of money through wire transfers can leave AEC firms open to a variety of cyber attacks.

Apart from funds and account details, there is also the risk of intellectual property being stolen with plans, designs, and other digital assets and valuable data held in various locations. 

Data breaches in the construction industry have increased by 800% from 2019–2021 according to the 2021 Data Breach Outlook Study by Kroll, a risk consulting firm. So now, more than ever, it is vitally important to ensure your AEC firm has the most robust cybersecurity framework to counter any threats.

These top cybersecurity tips for construction firms will help you stay ahead and win the arms race against hackers and other malicious data breaches.

1. Have Dedicated Cybersecurity Experts

Much the same as you would have a dedicated legal expert to handle any court cases that may arise, the same attitude should be applied to cybersecurity.

You wouldn't expect to make it up as you go along or simply watch a few YouTube videos and have a crack yourself if some complex legal case came up—this needs to be left to trained and qualified professionals.

The same is true for cybersecurity—there should be dedicated and trained personnel on hand to handle any issues of this nature, whether it be from malware, viruses, data breaches, ransomware, or cyber attacks of any kind.

Further to that, all relevant members of the team should know who this point of contact for information and support is and how to get in touch with them.

Trying to find a solution when the cyber attack has already happened has been likened to trying to work out who to call when your house is on fire. If you take time to ask your neighbours or look it up online there will be significant damage done before the fire brigade ever gets there.

The same is true for cybersecurity where the response needs to be timely and well drilled.

All members of the team should have contact information for dedicated cybersecurity support in case they need to be alerted in an emergency.

2. Practice Responding to Data Breaches

Sticking with the fire metaphor, another way of preparing for this is with a practised routine that all employees follow—a fire drill, where everybody lines up outside and, in most cases, sneaks off to the pub or cafe when they realise it’s going to be a lengthy affair.

A cyber attack response drill should be just as much a fundamental component of the construction company's practices as preparations for a potential fire. Statistically, there would be more chance of a cyber attack than a fire anyway.

In this regard, employees should have a training exercise where they go through scenarios such as responding to suspicious emails and what the process would be, how to deal with a data breach and who they would contact, etc. Ideally, this should become almost like muscle memory, so that the employee is able to react quickly and instinctively to any incoming threat.

3. Use Penetration Testing to Ensure Security is Robust

It is not enough to rely on compliance like some sort of bulletproof vest that will keep your construction firm safe from any and all threats in the cyber world. This is really just the bare minimum to be legally compliant and should not be viewed as making the AEC firm fully secure once compliance has been adhered to.

Systems need to be continually tested for weaknesses in order to find ways that security can be tightened. Penetration testing involves expert security analysts performing a simulated version of a cyber attack, attempting to gain access to your network and data using methods typically employed by real-life hackers.

Apart from testing all the avenues of approach from a digital or online perspective, checking if any systems are vulnerable, penetration testers will also test offline protocols by, for example, attempting to gain access to passwords by spoofing a phone call from an unauthorised help team. 

Any weakness that a real-life hacker could exploit can be identified by this method of security testing. Robust measures can then be put in place as a defence against cyber attacks to tighten up this entry point into the business. 

The expertise needed for this level of security testing would not typically be present among staff in the AEC firm itself, and in-house training would not be suited to this. An IT solutions provider can supply the personnel needed for the role, whilst giving a full rundown on all operations and helping with the implementation of any security improvements.

4. Secure Wire Transfers

Paying contractors and subcontractors large sums of money via wire transfers can present the opportunity for someone to insert themselves in between the two parties in this transaction and maliciously gain access to data, digital assets and any funds being transferred.

One way to secure wire transfers is to include a set of payment instructions that involves a phone call whereby a password or code is obtained in order to verify the user. Using secure cloud storage and virtual workstations with encryption is another method that can limit the threat of a data breach.

5. Train Employees in Cybersecurity Awareness  

Training all members of staff in basic cybersecurity practices is vitally important to ensure all elements of your construction business stay protected from cyber threats.

This includes online and offline protocols with regard to passwords, accounts, data storage and interactions with customers, vendors and subcontractors. Such a varied pool of personnel, working on-site in various locations, opens the door to any potential hackers looking to acquire digital assets and data.

For this reason, it is crucial that staff have a basic level of competency in dealing with cyber threats. Hackers will not target the trained IT expert in the construction firm; they will look for a weak link and exploit that entry point.

This could be something as simple as a sales agent or reception worker providing the wrong details to a maintenance team or customer who turns out to be a malicious actor looking to gain access to the network or acquire sensitive or financial data.

The police in Northern Ireland and, more recently, in Manchester were targeted by these types of cyberattacks, so no organisation or business entity should become complacent and feel that they are somehow immune to cyberattacks simply because they are compliant with regulations. Constant vigilance is required from dedicated professionals with a specific remit for cybersecurity.

6. Utilise an IT Solutions Provider

One of the best ways to mitigate the risks associated with cybersecurity is to employ an IT solutions provider who includes cybersecurity within their services.

At Lyon, we offer all the systems and personnel needed to facilitate a robust defence against cyber threats and can provide solutions to cover all of the key areas outlined previously. We provide:

  • Encrypted data storage and remote desktops for secure payments and remote working
  • Full cyber security awareness training for all employees 
  • Specialist ethical hackers to carry out penetration testing and checking for vulnerabilities
  • Dedicated cyber security response teams on hand 24/7 to rapidly deal with any threats
  • Auditing of all cyber security frameworks across all operations 
  • Advice on the implementation and installation of all security measures


Contact us to find out more about how construction companies can protect their business with the help of dedicated cybersecurity teams and how this will integrate with your existing procedures.