Getting Concrete about Cyber: Mitigating Risks for Construction

Find out the risks, challenges, and opportunities of technological advancement in the built environment.

The rapid uptake of digitalisation, autonomous machinery, and intertwined supply networks means that today’s building site is a technology-reliant environment. It also means that like many other sectors embracing new technologies and digital services, the construction industry continues to be challenged by cyber threats.

Despite significant progress in cybersecurity protocols in the UK, and Marsh data showing that cyber insurance take-up rates have steadily increased in the last several years, the cyber threat landscape is continually evolving. Cyber risks are frequently cited as a top concern for businesses, and the construction industry continues to be one of the sectors most targeted by online attackers in the UK. Whether for a multinational firm or a small contractor, the risk of damage, loss, and disruption is still high, as cybercrime is increasingly complex. For the construction industry, it’s no longer a question of whether the threat is real, but rather how resilient your business is and whether you have the right mitigation and transfer strategies.

What are the risks?

There are several reasons why the construction industry may be more susceptible to cyber threats, including the following:

  • Rapid digitalisation
    The construction industry is rapidly digitalising, with technology being used for project modelling and daily operations. However, digitalisation may have outpaced security improvements.
  • Autonomous and robotic machinery
    Machine learning, autonomous machinery, drones, and robots are revolutionising the industry, helping to solve labour, safety, and sustainability issues. Yet, this has also led to new exposures for which the sector needs to be prepared.
  • Numerous building blocks
    A typical construction project involves several collaborative entities, including subcontractors and suppliers. Each additional third party introduces a potential entry point for a cyberattack.
  • Transient workforce
    A common characteristic of the industry is its reliance on subcontractors and transient labour forces, which presents further entry points for cyberattackers. Vetting and training those accessing data and business critical information can be challenging.

In addition to these specific factors, the nature of cyber risk is also changing, with increased vulnerabilities from new technology, geopolitical tensions, and increased regulation and penalties (such as global data security laws). While many larger construction firms have invested in good cyber controls, other smaller operators or contractors still need to. And, even with improved cybersecurity measures, the risk of damage is still high given that cybercrime is becoming increasingly sophisticated and persistent.

Examples of cyber risk scenarios facing construction companies

  • A ransomware attack can disrupt operations and result in costly downtime.
    A construction company's computer systems are infected with ransomware, which encrypts all data and demands payment in exchange for a decryption key. This could result in costly downtime and potentially the loss of critical project information.
  • Theft of sensitive data such as blueprints, financial records, and employee information.
    A hacker gains access to a construction company's network and steals sensitive data. This could result in significant financial losses and reputational damage.
  • A phishing scam can compromise employee credentials and provide access to internal systems.
    An employee of a construction company falls for a phishing email and unwittingly gives their login credentials to a hacker. The hacker is then able to gain access to the company's network and potentially steal sensitive information or cause damage to computer systems.
  • Control system breach.
    A hacker gains unauthorised access to a construction company's building automation and security systems, which control lighting, heating, ventilation, and access control. This could result in physical damage or injury if the systems are tampered with.
  • Third-party vendor risk, where contractors or subcontractors may have access to company systems and data.
    A contractor or subcontractor working on a construction project for a company has weak cybersecurity practices and is hacked, resulting in the exposure of sensitive company data. This could lead to reputational damage for both the company and the contractor/subcontractor.

Strategies for prevention

To benefit from the wealth of opportunities digitalisation presents, construction organisations need to invest time, money, and training into reducing new risks.

While cyber risk cannot be eliminated, it must be managed. Fortunately, there are many ways in which organisations can build resilience into their business, people, and strategy that can reduce the likelihood and impact of a cyberattack. Marsh recommends that companies consider implementing a double-pronged approach that incorporates a comprehensive risk management programme and insurance:

  • Establish a comprehensive cyber risk management plan including regular risk assessments, employee training, proper controls, and working with trusted vendors and suppliers.
  • Seek advice on incorporating cyber insurance into your overall risk transfer strategy. General construction and business insurance policies do not typically include coverage for cyber incidents, but cyber insurance can provide critical financial support and access to cybersecurity expertise during an incident.

By implementing these strategies and maintaining a strong cybersecurity posture, construction companies can reduce the risk of cyber incidents and protect their sensitive data, operations, and reputation. It is important to regularly review and update cybersecurity measures to adapt to evolving threats and technologies.

Taking advantage of disrupted opportunities

Infrastructure spending is expected to remain robust in the UK, supported by both ongoing and planned projects, and by significant investment in combating ageing infrastructure to meet decarbonisation requirements. Leveraging digital and technology innovations will support the sector’s growth while also helping the industry shift to more efficient, smarter, and sustainable buildings.

To take advantage of this growth and new opportunities, it is imperative that organisations proactively bolster themselves against cyber risks, particularly given the sector’s inherent vulnerabilities in this space. The two-tiered approach for managing cyber risks is a good starting point. Having a comprehensive cyber risk insurance programme in place, complemented by a risk management programme, has never been more important to help organisations appropriately manage any risk that may arise.

For further discussion about cyber risks and the potential opportunities for your business, please contact your Marsh representative.