
Cement your cyber security in 7 steps

In the West Midlands region, there are 219,395 registered businesses according to the National Office for Statistics. Of those businesses, 26,175 are construction firms, with 3,030 being involved in the development of building projects, 4,630 being in the construction of residential and non-residential buildings and 378 being in electrical installation.

Here at the Cyber Resilience Centre for the West Midlands (WMCRC), we are working to support everyone from one-man bands to large-scale organisations within the Construction industry via our FREE core membership. This has been designed to help you avoid becoming a victim of a devastating cyber-attack. Whether you’re looking to learn more about how cybercriminals can target your business or whether you’re looking for a simple checklist to help you cover the basics, we have got you covered.

The National Cyber Security Centre recently published a cyber security guide for the Construction industry which featured these top tips:

Step 1 – Back up your data

Think about how much you rely on your business-critical data, such as project plans, CAD models, customer details, quotes, orders, and payment details. Now imagine how long you would be able to operate without them.

It’s important to keep a backup copy of this essential information in case something happens to your IT equipment, or your business premises. There could be an accident (such as fire, flood, or loss), you could have equipment stolen, or ransomware (or other malware) could damage, delete, or lock your data.

You should also:

  • Identify what you need to back up

  • Keep your backup separate from your computer

  • Make backing up part of everyday business

Step 2 – Protect your office equipment from malware

Malware is malicious software which, if able to run, can cause harm in many ways, including causing a device to become locked or unusable, stealing, deleting or encrypting data, taking control of your devices to attack other businesses, obtaining login details which can be used to access your business (or services that you use) and using services that may cost you money (e.g. premium rate phone calls).

To further protect your office equipment from malware, you should:

  • Turn on antivirus software

  • Only download approved apps

  • Keep your IT equipment up to date

  • Switch on encryption

  • Control how USB sticks/removable media are used

  • Manage how your IT equipment is accessed by third parties

Step 3 – Keep your phones and tablets safe

Mobile technology is now an essential part of a construction business, with more and more being used on construction sites and on the move, storing increasing amounts of important data. What’s more, these devices are now as powerful as traditional computers, and because they often leave the safety of the office (and home), they need even more protection than desktop equipment.

  • Don’t leave your phone (or tablet) unlocked

  • Make sure lost or stolen devices can be tracked, locked or wiped

  • Keep devices and apps up to date

  • Take care when connecting to public Wi-Fi hotspots

Step 4 – Use passwords to protect your data

Your laptops, computers, tablets and phones will contain a lot of your own business-critical data, the personal information of your customers, contractors, suppliers, and also details of the online accounts that you access. Passwords - when implemented correctly - are a free, easy and usually effective way to prevent unauthorised people accessing your devices.

The NCSC has some useful advice on how to choose a non-predictable password that you can remember:

  • Remember to switch on password protection

  • Avoid using predictable passwords

  • Use two-factor authentication

  • Look after your passwords

  • Change all default passwords

Step 5 – Reel in the phishing

‘Phishing’ is when criminals use scam emails, SMS or chat messages, phone calls or social media to trick their victims. Their goal is often to convince you to click a link or open an attachment. Once clicked (or opened), malware may be installed via a dodgy website you have been sent to, or via the attachment you have opened. Over the phone, the approach may be more direct, asking you for sensitive information, such as banking details.

  • Report scam emails, texts and websites to the NCSC

  • Make yourself a harder target

  • Think about how you operate

  • Check for the obvious signs of phishing (Authority, Urgency, Emotion, Scarcity and Current events)

Step 6 – Collaborate with suppliers and partners

Construction businesses rely upon suppliers to deliver materials, machinery, labour, and digital information (such as specifications and designs). Even for smaller businesses, your supply chain can quickly become large and complex, involving extensive use of sub-contractors and suppliers with a high degree of payments flowing to and from businesses.

Then there’s the less-obvious organisations that you rely on. For example, the provider of your email service, or the company behind the accounting software you use.

Cyber-attacks on your suppliers can be just as damaging as an attack on your own business.

This is why it’s important to employ cyber security when collaborating with suppliers and partners. You may be targeted as a way into the organisation you are supplying. This is very common in the construction industry, as you might already be working with organisations that the attacker wants to access through you.

  • Understand your supply chain

  • Consider the implications if your supplier is attacked

Step 7 – Prepare for (and respond to) cyber incidents

When something unexpected happens, such as a cyber incident, it can be difficult to know how to react. Naturally, you will want to resolve the problem as quickly as possible so you can resume business quickly. Malware (and especially ransomware) is becoming increasingly common in the construction industry, so it’s essential to be prepared.

  • Prepare for incidents

  • Identify if you’re being attacked

  • Resolve the incident

  • Learn from the incident

Need more support?

If you are looking for more support to make sure you’re on the right path, talk to us directly and let us help you to build the foundations for your cyber security today.


The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the West Midlands is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others.  Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the West Midlands provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.


The Cyber Resilience Centre for the West Midlands does not accept any responsibility for any loss which may arise from reliance on information or materials published in this document. The Cyber Resilience Centre for the West Midlands is not responsible for the content of external internet sites that link to this site or which are linked from it.
