Cyber Security for UK Construction and Trades Businesses
Plain-English security guidance for builders, contractors, and trades — including what larger clients are now requiring.
Cyber security isn't just for office businesses
Many construction and trades businesses assume cyber security isn't relevant to them. That assumption is increasingly wrong — and increasingly expensive.
Builders, contractors, and trades businesses hold personal data (staff and client information), financial data (payment details, invoices), and increasingly use cloud-based project management, accounting, and communication tools that are just as vulnerable as any office system.
What larger clients are now requiring
If you work as a subcontractor or supplier to larger construction companies, developers, or public sector organisations, you may already be seeing security requirements in tender documents and supplier agreements. These typically include:
- Questions about your cyber security practices in pre-qualification questionnaires
- Requirements to evidence security controls before being added to approved supplier lists
- Cyber Essentials certification requirements for contracts involving sensitive data or systems
- Contractual obligations to report any security incidents that could affect the client
The most common threats for construction businesses
Invoice fraud
Attackers impersonate suppliers or subcontractors to redirect payments. Common in construction because of the volume and size of payments involved.
Phishing targeting project managers
Project managers receive high volumes of emails from multiple parties. Targeted phishing emails disguised as supplier communications or site updates are increasingly common.
Ransomware
Construction businesses often have poor backup practices, making them vulnerable to ransomware. Project files, CAD drawings, and financial records are all at risk.
Unsecured mobile devices
Site workers using personal phones or tablets for work — accessing project management apps, emails, and photos — create security risks if those devices aren't properly managed.
Priority actions for construction and trades businesses
- Enable MFA on email and project management tools — the single most effective step
- Verify bank account changes by phone — before paying any invoice where payment details have changed
- Set up regular cloud backups — project files, drawings, and financial records
- Include mobile devices in your security — ensure work apps on phones require a PIN and can be wiped if lost
- Brief staff on phishing — particularly anyone who receives supplier emails or project communications
Our 10-minute security assessment covers all five Cyber Essentials areas and produces a professional report you can share with clients as evidence of your security practices.
Find out where your business stands
Complete our 10-minute plain-English assessment and get a professional security report aligned to Cyber Essentials.
Start Your Free Assessment →£49 for the full report · No account required