What You Don’t Know About Your Cyber Risk Is Already Costing You – Part 3


In part three of our six-part series around the cyber security issues facing the construction industry, our Head of Customer Success, Chris Yates, now explains that what you don’t know about your cyber risk is already costing you…

CY: In Part 2, I explained that most cyber programmes in construction fail before they even start, because the first conversation is wrong. Get Initiate right and you’ve agreed what “good” looks like.

Now comes the harder bit. Where are you today, really? Not the version you give the client. Not the version on the policy document. The honest version.

That’s the Discover stage of CyberAscend. And in my experience, it’s the moment that surprises construction leaders the most.

Why “We’ve Got IT Covered” Almost Always Hides Risk

Most construction businesses I speak to are confident their IT is in reasonable shape. Patches are running. There’s antivirus. There’s a firewall. There’s an IT provider. So, they assume cyber risk is low.

Then we run Discover. And the picture is almost always different from what leadership thinks. Not because anyone has done a bad job, but because no one has had a complete view.

The Discover stage is where we deliberately go looking. We assess your people, your processes and your technology with one objective: give leadership a clear, honest, evidence-based view of where the business actually stands.

Not a 200-page report nobody reads. A picture you can act on.

What Discover Actually Covers in a Construction Business

Depending on scope and priorities, Discover typically blends several activities, chosen against the outcomes you agreed in Initiate. For a construction business that often includes:

  • CREST-accredited penetration testing – independent, evidence-led testing of how an attacker could realistically get into your perimeter, your internal network, your cloud environment, your design and BIM systems, your applications and your remote access.
  • Configuration reviews – a structured look at how your cloud platforms, networks and devices are configured against security best practice. This is where the quiet risk lives: insecure defaults, overly permissive settings, legacy configurations that everyone assumed someone else had hardened.
  • Vulnerability management baselining – visibility of known weaknesses across your estate, correlated with how critical each asset actually is to delivery. Not a list of 4,000 CVEs. A prioritised view of what actually matters.
  • Social engineering testing through our D2Aware portal – realistic, controlled phishing and vishing campaigns that show how your people actually respond under pressure. Almost every construction breach we see starts with a human, not a firewall.
  • OSINT review – what an attacker can already learn about your business, your key people and your projects from publicly available sources, before they ever touch a system. This is often the most uncomfortable part of Discover, and the most useful.
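The vulnerability baselining point above, that a list of thousands of CVEs is useless until it is correlated with how critical each asset is to delivery, is easy to show in code. The script below is an added example, not CyberAscend's own tooling: the criticality weights, exposure multiplier, asset names and CVSS scores are all constructed sample data, and the CVE identifiers are placeholders.

```python
"""Rank vulnerability findings by asset criticality, not raw CVSS.

Added example (not CyberAscend code). All asset names, scores, weights and
CVE identifiers below are constructed placeholders.
"""
from dataclasses import dataclass

# Assumed criticality bands: how much an asset matters to project delivery.
CRITICALITY_WEIGHT = {
    "delivery-critical": 3.0,  # design/BIM, scheduling, payroll
    "supporting": 1.5,         # reporting, intranet, file shares
    "low": 0.5,                # isolated kiosks, test systems
}

# Assumed multiplier for assets reachable from the internet.
INTERNET_EXPOSURE_MULTIPLIER = 1.5


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str           # placeholder id, constructed for the example
    cvss: float        # CVSS base score, 0.0 to 10.0
    criticality: str   # key into CRITICALITY_WEIGHT
    internet_facing: bool


def risk_score(f: Finding) -> float:
    """CVSS weighted by asset criticality and exposure; higher means fix first."""
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"CVSS out of range for {f.asset}: {f.cvss}")
    weight = CRITICALITY_WEIGHT[f.criticality]
    exposure = INTERNET_EXPOSURE_MULTIPLIER if f.internet_facing else 1.0
    return f.cvss * weight * exposure


def prioritise(findings, top_n=None):
    """Return findings ordered by risk_score, optionally cut to the top N."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return ranked[:top_n] if top_n else ranked


def worst_per_asset(findings):
    """One entry per asset: its highest-risk finding, for a leadership summary."""
    worst = {}
    for f in findings:
        if f.asset not in worst or risk_score(f) > risk_score(worst[f.asset]):
            worst[f.asset] = f
    return dict(sorted(worst.items(), key=lambda kv: risk_score(kv[1]), reverse=True))


# Constructed sample findings. Note the kiosk carries the highest raw CVSS.
SAMPLE_FINDINGS = [
    Finding("bim-server-01", "CVE-PLACEHOLDER-1", 7.5, "delivery-critical", False),
    Finding("site-kiosk-07", "CVE-PLACEHOLDER-2", 9.8, "low", False),
    Finding("vpn-gateway", "CVE-PLACEHOLDER-3", 8.0, "supporting", True),
    Finding("intranet-wiki", "CVE-PLACEHOLDER-4", 6.0, "supporting", False),
]

if __name__ == "__main__":
    for f in prioritise(SAMPLE_FINDINGS):
        print(f"{risk_score(f):6.2f}  {f.asset:16}  {f.cve}  (CVSS {f.cvss})")
```

With the constructed data, the 9.8 on an isolated kiosk drops to the bottom and the 7.5 on the BIM server rises to the top, which is the point: the ranking leadership acts on should reflect delivery impact, not the scanner's raw severity.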

The Blind Spots We Find Again and Again

Five patterns come up in construction businesses more often than any others:

  • Site systems and OT no one is monitoring. Temporary site networks, IoT devices, plant connected back to head office. Spun up quickly, often left to run.
  • Supplier and JV partner access nobody can map. Accounts and connections that should have been closed months ago, still active, still trusted.
  • Design and BIM environments treated as productivity tools, not crown jewels. The intellectual property and project data that would do the most damage if exposed are often the least protected.
  • Cloud configurations drifting away from secure defaults. Microsoft 365 and Azure tenants set up well years ago, then quietly relaxed for convenience.
  • Credentials leaked in past breaches still being reused. OSINT routinely surfaces email and password combinations that work today, on accounts staff have forgotten they ever created.
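The second blind spot above, supplier and JV partner access nobody can map, is usually found with a simple check against an identity export: which external accounts are still enabled but have not signed in for months, or never signed in at all. The script below is an added example, not D2Aware or CyberAscend code; the account records are constructed, the 90-day threshold and the `partner` flag are assumptions, and in practice the input would come from your directory or identity provider.

```python
"""Flag enabled external (supplier / JV partner) accounts that are no longer used.

Added example (not CyberAscend or D2Aware code). The records below are a
constructed stand-in for a directory export; the 90-day threshold is assumed.
"""
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=90)  # assumed threshold for "should have been closed"

# Constructed sample export. 'partner' marks guest/external identities.
ACCOUNTS = [
    {"upn": "estimator@example.com", "partner": False, "enabled": True,
     "last_sign_in": "2025-03-01T08:00:00Z"},
    {"upn": "jv-surveyor@partner.example", "partner": True, "enabled": True,
     "last_sign_in": "2024-09-12T10:30:00Z"},
    {"upn": "supplier-crane@vendor.example", "partner": True, "enabled": True,
     "last_sign_in": None},
    {"upn": "old-sub@vendor.example", "partner": True, "enabled": False,
     "last_sign_in": "2023-01-01T00:00:00Z"},
    {"upn": "active-arch@partner.example", "partner": True, "enabled": True,
     "last_sign_in": "2025-03-05T16:45:00Z"},
]


def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z; None stays None."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def stale_partner_accounts(accounts, now, stale_after=STALE_AFTER):
    """Return [(upn, reason)] for enabled partner accounts that are unused.

    Disabled accounts and internal staff are skipped: the risk described is
    live, trusted access that nobody is using, not already-closed accounts.
    """
    flagged = []
    for acct in accounts:
        if not acct["partner"] or not acct["enabled"]:
            continue
        last = parse_ts(acct["last_sign_in"])
        if last is None:
            flagged.append((acct["upn"], "never signed in"))
        elif now - last > stale_after:
            flagged.append((acct["upn"], f"inactive {(now - last).days} days"))
    return sorted(flagged)


def by_partner_domain(flagged):
    """Group flagged accounts by their domain so each supplier can be reviewed once."""
    groups = {}
    for upn, reason in flagged:
        groups.setdefault(upn.split("@", 1)[1], []).append((upn, reason))
    return groups


if __name__ == "__main__":
    now = datetime(2025, 3, 10, tzinfo=timezone.utc)  # fixed "today" for the sample
    for domain, entries in by_partner_domain(stale_partner_accounts(ACCOUNTS, now)).items():
        print(domain)
        for upn, reason in entries:
            print(f"  {upn}: {reason}")
```

Grouping by partner domain turns a list of accounts into a list of conversations to have with suppliers, which is how this finding usually gets closed out.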

The shift that matters in Discover:

Stop relying on assurance from people who built and run the systems. Bring in independent eyes, scoped to the outcomes you agreed in Initiate, and accept that what they find is a gift, not a criticism.

A Question for Construction Leaders

If I asked you today which of your sites, systems or suppliers represents the single greatest cyber risk to your delivery programme, could you answer with evidence or only with an opinion?

What’s Next in This Series?

Discover gives you the picture. It doesn’t, on its own, change anything. The next stage, Remediate, is where the work shifts from understanding risk to actually reducing it, without grinding your projects to a halt.


In the next post in this series, I’ll cover how we approach Remediate in a construction context, why blanket “fix everything” programmes fail, and how to prioritise the moves that genuinely protect your delivery. Look out for it later in the series.

Want a head start?

If you’d like to see what your current cyber posture looks like through a construction-delivery lens, get in touch. We’ll run a no-obligation CyberAscend Initiate conversation with you and your leadership team, and you’ll come out of it with a clearer view of your risk, your readiness, and your next three moves.