Cyberattacks and BIM – how to be prepared. By Chris Pottrell

There’s no doubt that the cybersecurity threat landscape is constantly evolving. Day by day, newer threat variants are emerging, as hackers and the technologies they use become more sophisticated and targeted. This is especially pertinent for construction as digitalisation and open data collaboration become the norm. However, research shows the sector still does not view the online threat seriously.

Why must construction prioritise cyber security and what do basic best practices look like?

A, perhaps unlikely, consequence of the pandemic is that it has accelerated the inevitable digital transformation of the construction sector faster than most had planned. At one time, it might have seemed impossible to see how the physical task of building and digitalisation could go hand-in-hand. Covid-19 changed all of this. In the absence of on-site capabilities, construction firms were quick to turn to new digital capabilities, such as 3D scanning, no-touch solutions, and remote inspection tools.


Engineers might have already been using BIM too, but the impetus of shutdowns propelled the sector to go beyond simple collaboration and see how this innovation can enable virtual hyper-collaboration to drive efficiency and productivity. Various studies now point to BIM and digitalisation as a key enabler for construction growth in 2023.

But this shift also brings with it risk. The increasing use of digital services and widespread reliance on technology, together with the growing interconnectivity between the construction supply chain and the high-value payments involved, are increasing the sector’s vulnerability to cyberattacks. Construction has, in fact, been named the fifth most at-risk industry for a cyberattack, ahead even of financial services. Yet it is still not doing enough to prevent being hit, with just a quarter of firms committed to prioritising cyber risk.

But if BIM and other important digital step changes are to help increase efficiencies, productivity and profitability in construction, as intended, this must change.

Effective safety measures

Fortunately, there are some basic cyber defences that can help to protect any construction network:

1. Establish a culture of cybersecurity. On a day-to-day basis, employees, by their behaviour, are typically your greatest source of vulnerability. One of the biggest reasons for this is that they may be unaware of what they should and shouldn’t be doing. As a result, it’s vital that you take a proactive, ongoing approach to educating your entire workforce about cyber security threats and countermeasures. This should include regular cybersecurity training sessions. Your employees should understand how published information about your systems and operation can reveal potential vulnerabilities. And this goes for everyone – even those employees who are typically based on site and offline. After all, anyone who has access to your network is a potential threat. This should also be supported with specific rules for email, internet browsing, social networks and mobile devices based on a shared understanding of the underlying security risk.

2. Follow all the usual cybersecurity best practices. That means ensuring you have a firewall (used to create a buffer zone between your network and external networks) in place to block out any insecure or unnecessary websites and services, along with malware protection to block malicious emails and prevent malware being downloaded from websites. The good news is that most popular operating systems now include malware protection and a firewall, so it may simply be a case of switching this on or updating it. Alongside this, enforcing a strong password policy is one of the most effective ways of preventing brute force hacking attempts. You could also consider enforcing multi-factor authentication for every authorised user, and institute least-privilege security. Nobody needs full access to everything, and should one account become compromised, least privilege can help contain the damage. Equal focus should be given to ensuring the security credentials of suppliers as part of this. This should include auditing their cyber-security framework before and throughout a project as well as verifying they have proper cyber-liability insurance in case the worst happens.

3. Keep your IT equipment up-to-date. IT equipment (including computers, laptops, tablets and mobile phones) needs maintaining and servicing to ensure it works effectively and securely. This includes updating the software the equipment runs on and making sure all other installed software is always kept up to date with the latest versions. Although it sounds simplistic, failure to conduct these types of updates (a process known as patching) is a leading cause of breaches.

4. Monitor and analyse anomalies and attack patterns. Log everything – every transaction, every privileged login to the fintech platform, every failed password attempt. In most cases, this can be critical to not just detecting and addressing a breach before it escalates into something bigger, but pre-empting similar points of entry or system constraints. This should also cover subcontractors’ activities or negligence. Obviously, this can entail a lot of data for busy construction and engineering firms to deal with, so it can be useful to use machine-learning tools to monitor events and correlate these logs – but appoint someone responsible for receiving, reading, and following up on it.

5. Do not get complacent. If these measures are consistently in place, the good news is that the majority of standard cyberattacks are likely to be unsuccessful. However, that is not to say there is room for complacency – should your adversary have bespoke capabilities then they still may be able to find a way into your systems. With this in mind, it’s imperative to maintain a good understanding of what constitutes ‘normal’ activity on your network to ensure a rapid response to even the slightest anomalies. As part of this, conduct pen tests (simulated cyberattacks) regularly; not only do systems become less secure if not maintained properly, but attackers become more sophisticated. If you haven’t pen tested, or used an external expert to assess your defences, the reality is you won’t know what you don’t know.

Chris Pottrell is founder and MD of Nebula, a leading IT firm specialising in providing IT support, cyber security and cloud migration services to a range of SME business sectors throughout the UK. Headquartered in Bristol, with a number of additional facilities across the South West, Nebula is built with an expert leading team and has a nationwide presence.