
Technical Publication

Cyber Security in the Built Environment: Protecting projects, data, and digital assets

18.00

EUR

Only available electronically

Cyber security is not just an IT issue; it is a business issue. This is a practical technical information sheet suitable for built environment professionals. It will help professionals understand and manage cyber security risks and protect projects, data and digital assets.

Read more of our Technical Information Sheets here.

Summary

This practical technical information sheet helps construction firms and built environment professionals understand and manage today’s most common cyber risks, from ransomware and phishing to payment fraud.

It explains how attacks happen and what simple, effective steps professionals can take to prevent them.

With clear advice on Cyber Essentials, staff training, incident response, and recovery, it shows how to build resilience without unnecessary complexity.

It is designed to help professionals and their firms protect their projects, their data and their reputation.


Contents

Cyber Security in the Built Environment: Protecting projects, data, and digital assets

  1. Why cyber security matters in construction
    • What do cyber incidents cost construction firms?
    • Aim and Scope
    • Proportionality and risk
  2. Understanding cyber security basics
    • What is cyber security?
    • Cyber security vs IT security
    • The construction sector’s unique cyber risk profile
  3. The current threat landscape
    • Ransomware
    • Phishing emails
    • Business email compromise (BEC)
    • Dark web and credential theft
    • Insider threats
    • Supply chain vulnerabilities
    • Assessing threats: ease, likelihood, and impact
    • Secondary impacts of cyber incidents
    • Real-world examples: cyber incidents and their impacts
  4. Core defence measures
    • Cyber Essentials (and Cyber Essentials Plus)
    • Strong authentication and access control
    • Defences against phishing and BEC
    • Data and device protection
    • Backup strategy
    • Dark web monitoring
    • Supply chain security
      • Cyber Security checklist for construction projects
    • Site-specific measures
    • Quick wins
    • Measuring effectiveness
    • Common pitfalls to avoid
  5. Building cyber awareness and culture
    • Staff cyber security training
    • Phishing simulations and practical exercises
    • Embedding a ‘report, don’t blame’ culture
    • Creating and using a clear cyber security policy
      • A simple cyber security policy: what to include
    • Leadership and culture
    • Measuring awareness and culture
    • Common pitfalls to avoid
  6. Testing, monitoring and continuous improvement
    • Penetration testing
    • Vulnerability scanning versus pen testing
    • Security Operations Centres (SOCs)
    • Centralised logging and visibility
    • Regular audits and reviews
    • Continuous improvement
    • Measuring success
    • Common pitfalls to avoid
  7. Responding to incidents and recovering quickly
    • Preparing for incidents: incident response planning
    • Incident response in practice
    • Disaster recovery and DRaaS
    • Legal, regulatory and communications considerations
    • Post-incident review and learning
    • Common pitfalls to avoid
  8. Building a sustainable cyber security strategy
    • Making the business case for cyber security
    • Building a practical cyber security roadmap
    • In-house vs outsourced cyber security: choosing the right model
    • Using external support effectively
    • What makes a strategy sustainable
    • Common strategic pitfalls to avoid
    • Senior management checklist: building and maintaining cyber security
  9. Conclusion and next steps
    • A practical action plan
    • Embedding cyber security into everyday business

References

Further reading

About the Author

Matt Thompson is a freelance writer working in the UK’s construction industry, mainly for professional institutions, such as CIOB, RIBA and RICS.

He produces targeted content to meet organisational objectives and has authored many publications, including the Guide to the DfMA Overlay to the RIBA Plan of Work (2021), PAS 8671:2022 (the competence framework for individual Principal Designers under the Building Safety Act), and Handbook of Practice Management (2024). He is editor of the CIOB’s Construction Client Guide: Leading Projects in the Built Environment, Second Edition (2025).

Special thanks to Adrian Bell from LoughTec for providing the information on this topic.

CIOB Members

CIOB members can access Technical Information Sheets for FREE and receive a 20% discount on our Codes and Guides. Your discount codes are in the members’ portal. If you experience difficulties accessing the portal, contact [email protected].
