The UK’s National Cyber Security Centre (NCSC) has partnered with the Department for Business, Energy and Industrial Strategy (BEIS) and the Centre for the Protection of National Infrastructure (CPNI) to publish new cybersecurity guidance for construction companies working on major building projects. The NCSC, BEIS and CPNI said the new Information Security Best Practice guide aims to help firms keep sensitive data safe from attackers by offering tailored advice on how to securely handle the data they create, store and share in major infrastructure joint venture projects such as HS2 and Crossrail.
The new guidance is a collaboration between government and industry members of an NCSC-convened trust group. It follows advice released earlier this year by the NCSC and Chartered Institute of Building aimed at helping small- and medium-sized businesses improve their resilience.
Construction industry prime target for cyberattacks
In a blog posting, the NCSC, BEIS and CPNI wrote that by following the recommended steps, construction businesses can improve their cybersecurity and make themselves less attractive targets for malicious actors. “Globally, the construction industry continues to be one of the most targeted sectors by online attackers and businesses of all sizes are at risk,” they added. Furthermore, the new guidance outlines why information security is particularly important for construction joint ventures and offers a recommended approach to manage the risks, including:
- Establish information security governance and accountability within the joint venture and ensure board-level engagement.
- Identify staff to hold responsibility for assessing specific information security risks and develop a shared information security strategy.
- Understand the specific risks and any regulatory requirements for the joint venture and decide on a shared risk appetite.
- Develop and agree on a shared information security strategy to manage and mitigate the risks holistically, including physical, personnel and cyber risks.
Sarah Lyons, NCSC deputy director for economy and society resilience, commented that joint ventures in construction are responsible for some of the UK’s largest building projects and the data they handle must be protected to keep crucial infrastructure safe. “Failure to protect this information not only impacts individual businesses but can jeopardise national security, so it’s vital joint ventures secure their sites, systems, and data. By following this new guidance – a first-of-its-kind collaboration between industry and government – construction firms can help put a holistic strategy in place to effectively manage their risks.”
Jon Ozanne, CISO at British multinational infrastructure group Balfour Beatty, added that with cyberattacks becoming increasingly intelligent, cybersecurity has never been more important. “The introduction of the new Information Security Best Practice guide will play a key role in helping to combat the operational risks faced across the sector; raising the standard and educating those to the measures required to protect against cyberthreats.”