Why Cyber Is Now a Construction Delivery Problem – Part 1


Cyber incidents are leading to delays in UK construction projects. In the first of this six-part series, our Head of Customer Success, Chris Yates, explains more about the cyber security challenges within the construction industry.

CY: Just last week I shared something that resonated with many in my network: cyber incidents are leading to delays in UK construction projects. Not a theory. Not next year. Now.

Sites stood ready. Subcontractors paid to stand around. Programme dates are slipping. Client confidence is taking a hit. Insurers are asking tougher questions than ever. And here is the part that I think is truly new: cyber has crossed over from an IT cost-line into a delivery risk. The same sort of risk you would already plan for with things like weather, ground conditions, supply chain or labour.

If you are a COO, CIO or Operations Director in construction, this is now your problem too, not just the IT team’s.

What’s Actually Changed in Construction

In the last 18 months, three things have changed.

First, the attackers have identified construction as a soft target and a hard deadline. You run distributed sites. You have a huge ecosystem of suppliers. You depend on connected machines, BIM environments, cloud-based design files and mobile workforces. Attackers know that when a contractor can’t operate, the pressure to pay or capitulate is enormous.

Second, the attack surface is the supply chain. Most construction companies aren’t hacked directly. They are breached via a smaller supplier, a design partner or a temporary site system that no one is watching. The bigger the project, the longer the chain, the more places risk can be lurking.

Third, the clients and the insurers have woken up. Evidence of security posture is now required from Tier 1 contractors for pre-qualification. Insurers are restricting cyber exclusions. Minimum standards are tightening in public sector frameworks. The bar has been moved.

All in all, that means cyber is no longer something you can park with the IT team and hope it stays quiet. Now it’s in the delivery conversation.

Why the “It’s an IT Problem” Framing Fails You

I speak with construction leaders weekly and the most common stance I hear is some version of: “We have an IT provider. They look after it.”

I see why. You have enough to worry about. You have a business to run. Cyber is technical, scary and easy to outsource.

But here’s the rub. When a cyber event takes a site down, it’s no longer a technical discussion. It works. It’s commercial. That’s contractual. It’s about standing. And by the time it arrives on the COO’s desk, it’s a crisis, not a project.

Three uncomfortable patterns we see again and again:

  • Cyber budget exists, but cyber outcomes don’t. Money has been spent on tools, but nobody can clearly answer the question: “If we got hit tomorrow, how long would we be offline?”
  • Security is reactive, not continuous. A pen test was done two years ago. A policy was written. A box was ticked. Nothing has been continuously improved since.
  • The supply chain isn’t included. Internal IT is reasonably tight, but suppliers and joint venture partners are a black box. That’s exactly where the next incident is going to come from.

If any of those sound familiar, you’re not behind, you’re normal. But ‘normal’ is no longer good enough in this sector.


A Better Way to Think About It: CyberAscend

At D2NA we’ve built our approach to cyber security around a simple idea: most organisations don’t need more tools. They need a clearer way of continuously knowing where they stand and what to do next.

That’s why we created CyberAscend, a framework that turns cyber security from a one-off project into a continuous capability. It’s the DNA of how we design and deliver every service, from penetration testing to our CREST-accredited Security Operations Centre.

CyberAscend has five interconnected stages:

  • Initiate – We start by understanding your business, your goals, and what truly matters to you. Cyber security is aligned with organisational outcomes from day one, not bolted on as an afterthought.
  • Discover – We identify the risks, vulnerabilities and gaps across people, processes and technology. You get a clear, honest view of where you are today and the roadmap to get to where you need to be.
  • Remediate – This is where implementation really begins. We strengthen the weaknesses, evidence the improvements to stakeholders, and lay out what’s next to keep raising your posture.
  • Confirm – We don’t implement and walk away. We stay engaged to understand how remediation is progressing, verify it’s meeting expectations, and watch the wider impact across the organisation.
  • Continue – Cyber security is never “done.” Threats, regulations and your business itself never stop changing. We help you continuously review, adapt and improve so you stay resilient.

It’s deliberately simple. It’s deliberately not a 47-step compliance checklist. Because in construction, what works isn’t more complexity, it’s a rhythm you can actually run.

What This Looks Like in a Construction Business

Let me make this concrete.

Initiate might mean us sitting down with your operations and IT leadership to map your highest-risk programmes, your most critical sites and systems, your supplier dependencies, and your contractual obligations to clients and insurers.

Discover might mean a CREST-accredited penetration test of your perimeter and design environment, an OSINT review of what attackers can already see about your business, a configuration review of your cloud and site systems, or a phishing simulation through our D2Aware portal to test how your people respond under pressure.

Remediate might mean tightening cloud configurations, hardening identity controls, fixing the high-impact vulnerabilities first, training the teams that need it most, and giving leadership the evidence to take to the client, the board and the insurer.

Confirm is where we stay alongside you while the changes bed in, checking remediation is on track, verifying it’s having the effect we expected, and surfacing knock-on impacts in other parts of the business before they become a problem.

Continue is the part most providers skip. Our CREST-accredited SOC provides 24/7 monitoring and response, while CyberAscend gives the leadership team a structured way to keep evolving the security posture as the business, the technology and the threats change.

This is the difference between “we bought some cyber” and “we have a cyber capability.” One is a cost. The other is a competitive advantage.

The Question for Construction Leaders

Here is the question I’d encourage every COO, CIO and Operations Director in construction to ask themselves this week:

If a cyber incident took one of our active sites offline tomorrow morning, do we know, clearly, calmly and confidently, what would happen in the next four hours, the next four days, and the next four weeks?

If the answer is yes, brilliant, keep going. If the answer is “sort of,” or “I’d have to ask IT,” that is a delivery risk hiding in plain sight. And in this sector, delivery risk is the only kind of risk that really matters.

What’s Next in This Series?

Over the next few weeks I’ll be walking through each stage of CyberAscend in detail: what it actually means in a construction context, what good looks like, and the specific moves that take you from reactive to resilient.

Next up: the Initiate stage, why so many cyber programmes in construction fail before they start, and what to do differently. Come back later this week to read the next blog in the series.

Want a head start?

If you’d like to see what your current cyber posture looks like through a construction-delivery lens, get in touch. We’ll run a no-obligation CyberAscend Initiate conversation with you and your leadership team, and you’ll come out of it with a clearer view of your risk, your readiness, and your next three moves.