Why construction isn't safe from data breaches

Lewis Chawko
Advised Solutions Manager
15 March 2021
4 minute read

Data security is a big challenge for businesses in this day and age. Unfortunately, smaller businesses and those in more traditional sectors tend to be guilty of underestimating the business risks posed by data breaches.

Time and time again we’re seeing the devastating effects of breaches on large multinational companies. While these are the stories that get the media limelight, they’re also the luckier companies that tend to recover due to their resources and access to specialist support. Lesser-known businesses facing similar situations are less likely to be so fortunate.

But it’s not all doom and gloom - there is hope in the form of solid information security risk management and cyber insurance. But because information security is such a broad-ranging topic, for the purposes of this article, we’re focusing on three common risks businesses in the construction industry face when it comes to their email security strategies.

Cybersecurity in construction

1. When project delivery is prioritised over cybersecurity

One of the biggest challenges for me is the fact that we’re expected to start our journey of building before the design is complete, which is kind of insane – you wouldn’t do that in any other world.

Wates Director, Steffan Battle

So, what happens when project delivery is prioritised over cybersecurity considerations?

Misdirected emails

Data breaches involving misdirected emails are the most common form of breach reported to the regulatory body the ICO. With strict timelines to adhere to, based at temporary on-site workplaces, employees are more prone to accidentally send BIM, CDE, or company privileged project data to the incorrect recipient.


Educate employees on the real ramifications of a misdirected email.

‘Tickbox training’ programmes (e.g. annual security training modules) can be a great first step, if you’re starting off a cybersecurity awareness drive, but they aren’t necessarily the most effective way to empower employees to understand their role in keeping company data secure. More regular training sessions with practical situational examples of real-life threats are more likely to create long-lasting behaviours that really do make a difference.

In short, the expediting of project deliverables should not be prioritised over building solid foundations when it comes to educating employees; and to do so would be a classic case of short-term versus long-term thinking. Make time for proper training around email usage and it’ll pay off in the long run (or at least cost you far less)!

2. Failing to prepare for the inevitable

While a week doesn’t go by without the media covering breaches in the tech, healthcare and aviation industries, construction doesn’t receive a proportional share of the limelight. This could falsely lull you into thinking it’s simply not affected.

Spear phishing

The majority of these cases start with spear phishing, which is just as big a threat to businesses in the construction industry. In fact, KnowBe4 recently said "construction has the highest percentage of "phishing-prone" employees." This was after data was collected from tests administered on employees before being informed of the experiment.

For this reason, it’s never really a case of "if" a company will be targeted, but "when" it will happen. Because spear phishing employs social engineering, it’s difficult to fully protect employees from falling prey. Yet because it’s disseminated by email, this can lead to businesses placing too much trust in secure email gateways and employee training to prevent spear phishing. Risky business, when breaches like this can result in fines, breach of contract, or litigation.


Employee training and software, no matter how good, cannot fully replace the expertise and understanding of trained IT and InfoSec professionals who are hired specially for their cybersecurity knowledge and understand how to put in place and maintain the right cybersecurity technology to aid them. Therefore it’s important to consider the talent you have in your cybersecurity arsenal.

Having said that, cybersecurity professionals aren’t foolproof and it’d be foolish to believe you can ever completely protect your business against cyber events. That’s why it’s so important to have the right level of cyber insurance in place.

3. Taking work ‘home’

A common problem: once an employee sends anything outside your IT infrastructure, there’s nothing you can do to protect it. As innocent as the circumstance may be - sending a presentation, spreadsheet or report to a personal email address either to work on from their personal device, or simply because they are proud of a piece of work and want to keep a record of it, they have - likely unknowingly - committed a data breach. This is a particular problem for businesses with a high churn rate, a big take-up of company devices and for those who grant access to company data to a large number of employees. All fairly common in the construction industry.


Educating employees is a starting point, as many may be unaware that even sending something to their personal email account constitutes a data breach. However, the typical ‘solution’ in the form of a periodic reminder email is unlikely to serve its purpose.

A further solution, which requires more investment, is to use machine learning software to detect data exfiltration and either block or prompt a window to pop up, asking the user to explain why they are sending company privileged data outside the organisation. This is likely to make an employee think twice before doing so and at the very least enables you to keep track of what’s being sent outside the organisation.

Concluding thoughts

In conclusion, making sure you have the right educational, technical specialist support and insurance in place to mitigate the risks of email insecurity is key to your business’s resilience.

The busier you are, the more data you’re handling (and have to lose) and the more likely you are to cut corners when it comes to putting in place best practice IT security measures in order to prioritise tight deadlines. We must remember that "people are the very first element of a pragmatic cybersecurity strategy" and construction businesses have a duty to empower them to do so to the best of their ability and to protect them.

Share this article

We've made buying insurance simple. Get started.

Related posts