How Could my Construction Firm be at Risk of a Cyber-Attack?

Construction is booming in the West Midlands. It has been for a few years (for example, with the Grand Central development and the £57 million redevelopment of Alexandra Stadium) and is going to continue for a while. There are a host of major transformation programmes, including the £1.9 billion Smithfield scheme planned to create 2,000 homes over the next 15 years, the Midland Metro Extension, the Friarsgate Development in Lichfield, and the M40/M42 Interchange SMART motorway.

Given the scale of these projects, each will have a lengthy and complex supply chain, which provides an increased number of potential points of entry for cybercriminals. As such, now is a good time to look at your construction firm’s cybersecurity and, in particular, its anti-phishing measures, as phishing is the primary and easiest form of cybercrime.

What is phishing?

Phishing, in its simplest form, is a cybercrime in which one or more targets are contacted via email, phone, or message (not just texts) by someone pretending to be a legitimate institution in order to obtain sensitive data, for example passwords or card and banking details.

There are alternative terms for phishing that you might have heard instead, e.g., vishing, smishing, spear phishing, and whaling. Which term you use is not important; what matters is recognising that cybercriminals will try to trick you in multiple ways. They will also, sadly, use current events to make their phishing attacks seem more legitimate. We saw this with COVID-19.


How can phishing affect my construction firm?

The phishing attacks you face as a construction firm will be similar to those faced by businesses in other sectors but, within construction, phishing emails are a particularly prevalent form of phishing.

The emails will appear genuine, and usually appear to be sent from a familiar and/or reputable organisation. Typically, the email will instruct the recipient to take some sort of action: click a link or download a file. There will be some urgency behind the instruction – do it now! It may ask you to enter your email address or password so that the attacker can access your systems as you.

If a message contains any of the following, think twice before clicking:

  • Urgency – the cyber criminal is attempting to make you panic so that you don’t think to stop and question the contents of the email.
  • Authority – this is intended to lull you into a false sense of security. The email will show as coming from your boss or a company you work with regularly, or will contain information that only someone genuine should know.
  • Mimicry – these types of emails hide in plain sight by using your daily habits, for example “click to review your calendar entry”, i.e., something you wouldn’t think twice about.
  • Curiosity – luring you with something interesting e.g., BREAKING NEWS!

How to respond if you think your construction firm has been the victim of a phishing attack

So, you’ve received an email and you’re suspicious. Here’s what you should do:

  • Stop – you don’t need to rush to do anything so take a few minutes to check the sender’s details.
  • Don’t click on anything until you feel confident – Google (or use any reputable search engine) to verify the contact details. Contact the company, using the trusted details, to ask if the email is genuine.
  • Consider turning on 2-Factor Authentication (2FA) to avoid account takeovers – this can be used on social media as well as a range of business software. If a new device attempts to log in or make changes, it’ll have to pass through another layer of security.


How to protect your construction business from a phishing attack

We’ve already mentioned a few of the steps you can take, but it’s always helpful to have a recap.

  • Conduct regular training for your employees so they can recognise a phishing attack and respond accordingly.
  • Ensure that your team know how to report a cybersecurity attack and that they feel comfortable raising issues with the senior members of the team.
  • Have a cybersecurity policy that employees understand and that is available to refer to, as needed.
  • Install the enterprise Outlook add-in created by the National Cyber Security Centre for your team members, so they can report phishing emails directly.

