Insider risks and insecure Internet of Things (IoT) in construction
Cyber security in the construction sector is more than just an IT concern, as not all threats come from outside a business’s firewall. Here, we focus on the human element and the use of new operational technologies, namely, insider risks and the internet of things (IoT).
We look at the impact these threats can have when not guarded against, and the preventative actions that significantly reduce the likelihood of them occurring.
Insider threats: risks that begin from within
Insider threats come in two main forms: malicious insiders (such as disgruntled employees or contractors) and accidental insiders (who cause harm unintentionally, often through negligence). In construction, where teams are large, dispersed and often include temporary or third-party workers, insider risks can be especially difficult to spot.
A dismissed contracts administrator at a specialist subcontractor retained access to a shared Dropbox folder used across a major development project. They downloaded sensitive supplier pricing data and shared it with a competitor bidding for future phases of the same build. The breach came to light only when the competitor referenced confidential figures in a tender submission.
The fallout was significant: the firm lost its place on the framework agreement and legal costs mounted as the client sought compensation. An internal audit revealed multiple shared credentials and no formal offboarding process.
Insider threats: security from within
By building a culture of accountability, construction firms can significantly reduce the risk of harmful or careless insider actions. To reduce the likelihood and impact of insider threats, firms should establish both cultural and technical safeguards, such as:
- Access control and least privilege so users only have access to systems and files they need to perform their job.
- Joiners, movers and leavers process to ensure all access is revoked on an employee’s final working day.
- User activity monitoring that flags unusual behaviours, such as bulk downloads or access by accounts that should already have been disabled.
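The two controls above that are easiest to check mechanically are the leavers process and activity monitoring: if HR's leaver register is compared against file-share access logs, any activity after a person's final working day is a direct signal that offboarding failed, and any activity by a shared account is unattributable and worth a finding in its own right. The script below is an added example written for this article, not code from the original page; the leaver register, account names, file paths and log format are all constructed, and the "last working day is inclusive" rule is an assumption.

```python
"""Post-departure access detection over file-share logs.

Added example (not part of the original article). The HR leaver register,
account names, file paths and the log line format are all constructed.
Assumption: access on the last working day itself is allowed; anything
on a later date is a finding.
"""
from dataclasses import dataclass
from datetime import date, datetime

# Constructed HR leaver register: account -> last working day (inclusive).
LEAVERS = {
    "j.smith": date(2024, 3, 15),
    "a.khan": date(2024, 3, 29),
}

# Constructed log lines from a shared file store: "<timestamp> <user> <action> <path>".
ACCESS_LOG = """\
2024-03-15T16:40:02Z j.smith download /Projects/Site7/supplier-pricing.xlsx
2024-03-18T09:12:44Z j.smith download /Projects/Site7/supplier-pricing.xlsx
2024-03-18T09:13:10Z j.smith share /Projects/Site7/supplier-pricing.xlsx
2024-03-19T11:02:05Z m.ortiz download /Projects/Site7/drawings-rev3.pdf
2024-03-20T10:00:00Z shared-site7 download /Projects/Site7/supplier-pricing.xlsx
2024-03-30T08:00:00Z a.khan download /Projects/Site7/tender-summary.docx
"""

# Constructed list of generic accounts that several people know the password for.
SHARED_ACCOUNTS = {"shared-site7"}


@dataclass(frozen=True)
class Finding:
    user: str
    when: datetime
    action: str
    path: str
    reason: str


def parse_line(line):
    """Split one log line into (timestamp, user, action, path)."""
    ts, user, action, path = line.split(maxsplit=3)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return when, user, action, path


def find_post_departure_access(log_text, leavers, shared_accounts):
    """Return findings for leavers acting after their last day and for
    any activity under a shared credential."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, user, action, path = parse_line(line)
        last_day = leavers.get(user)
        if last_day is not None and when.date() > last_day:
            days_late = (when.date() - last_day).days
            findings.append(Finding(
                user, when, action, path,
                f"activity {days_late} day(s) after last working day {last_day}",
            ))
        elif user in shared_accounts:
            findings.append(Finding(
                user, when, action, path,
                "shared credential: activity cannot be attributed to an individual",
            ))
    return findings


def summarise(findings):
    """Count findings per account, the view an offboarding audit would start from."""
    counts = {}
    for f in findings:
        counts[f.user] = counts.get(f.user, 0) + 1
    return counts


if __name__ == "__main__":
    results = find_post_departure_access(ACCESS_LOG, LEAVERS, SHARED_ACCOUNTS)
    for f in results:
        print(f"{f.when:%Y-%m-%d %H:%M} {f.user:<14} {f.action:<9} {f.path}  -> {f.reason}")
    print(summarise(results))
```

Running it flags both of j.smith's downloads after 15 March, a.khan's access the day after leaving, and the shared-site7 activity, while the download j.smith made on the final working day and m.ortiz's normal use are left alone. In practice the leaver register would come from the HR system and the log from the file-sharing platform's audit export, but the comparison is the same.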
Unsecured IoT devices: vulnerabilities on the ground
Construction sites rely on IoT devices – connected equipment like GPS-tagged machinery, smart cameras, drones, sensors and wearable tech. However, these tools often come with poor default security, outdated firmware or no encryption, making them attractive targets for hackers.
A major civil engineering firm experienced a security breach involving GPS tracking data for IoT-enabled excavation equipment. Attackers exploited weak authentication settings on the connected tracking system and manipulated location data, masking the movement of high-value machinery. Two pieces of equipment, worth over £500,000, were later stolen and never recovered. The subsequent investigation found that the system’s default login credentials had never been changed, and the tracking platform lacked basic encryption.
Beyond the financial loss, the incident caused safety concerns on-site and forced a pause on works while a review of all connected devices and systems was carried out.
Securing IoT devices
IoT tools bring major benefits to construction but they must have security baked in from day one. To reduce the likelihood of theft, disruption and even safety incidents, construction firms should implement core IoT security practices as standard, for example:
- Change default passwords from factory settings that are easy to guess or publicly known.
- Use network segmentation so that if one device is compromised, the attacker can’t access broader data.
- Update firmware and security settings to fix vulnerabilities that could be exploited remotely.
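All three of these practices can be checked against a device inventory rather than left to memory, and the incident above (unchanged default login, no segmentation) is exactly what such a check surfaces. The script below is an added example written for this article, not code from the original page or from any vendor's tooling; the device inventory, firmware baselines and VLAN numbering are constructed, and the idea that VLAN 30 is the segregated IoT network is an assumption.

```python
"""IoT device posture check against a site inventory.

Added example (not part of the original article). The inventory rows,
firmware baselines and VLAN ids are constructed. Assumption: VLAN 30 is
the segregated IoT network and anything else is the corporate network.
"""
import csv
import io

# Constructed inventory export: one row per connected device on site.
INVENTORY_CSV = """\
device_id,type,firmware,default_credentials,vlan
cam-gate-01,smart_camera,2.4.1,no,30
cam-yard-02,smart_camera,2.1.0,yes,10
gps-exc-07,gps_tracker,1.0.3,yes,10
gps-exc-08,gps_tracker,1.2.0,no,30
drone-survey-1,drone,5.0,no,30
"""

# Constructed minimum firmware per device type (set from vendor advisories in practice).
MIN_FIRMWARE = {"smart_camera": "2.3.0", "gps_tracker": "1.2.0", "drone": "4.8"}

# Assumption: VLAN 30 is the segregated IoT network.
IOT_VLANS = {30}


def parse_version(version):
    """Turn '2.4.1' into (2, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.strip().split("."))


def check_device(row):
    """Return the list of posture issues for one inventory row (empty if clean)."""
    issues = []
    if row["default_credentials"].strip().lower() == "yes":
        issues.append("factory default credentials still in use")
    baseline = MIN_FIRMWARE.get(row["type"])
    if baseline and parse_version(row["firmware"]) < parse_version(baseline):
        issues.append(f"firmware {row['firmware']} is below baseline {baseline}")
    if int(row["vlan"]) not in IOT_VLANS:
        issues.append(f"on VLAN {row['vlan']}, not a segregated IoT VLAN")
    return issues


def check_inventory(csv_text):
    """Map each failing device id to its issues; devices with no issues are omitted."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = check_device(row)
        if issues:
            findings[row["device_id"]] = issues
    return findings


if __name__ == "__main__":
    for device_id, issues in check_inventory(INVENTORY_CSV).items():
        print(device_id)
        for issue in issues:
            print(f"  - {issue}")
```

On the constructed data the two devices still on factory credentials are also the two sitting on the corporate VLAN with out-of-date firmware, which mirrors how these weaknesses tend to cluster on equipment that was plugged in and never revisited. The version comparison assumes purely numeric dotted versions; vendor schemes with letters would need a small adjustment to parse_version.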
Help from the experts
The human risk element of cyber vulnerability can be mitigated by using a combination of practical policies, user-friendly tools and simple cultural changes. With complex supply chains, distributed workforces and increasing digital reliance, construction firms must take a proactive, industry-specific approach to managing cyber risk.
To review your construction firm’s cyber maturity or build a roadmap for better digital resilience, contact our cyber experts for tailored advice.
