Construction Cybersecurity: Unveiling Key Threats and Safeguarding Strategies

CXOToday has engaged in an exclusive interview with Mr. Paul Wallett, Regional Director, Middle East and India, Trimble Solutions.


Why is it important to prioritize cybersecurity in the construction industry?

The construction industry has seen a significant increase in digitization and technology adoption in recent years. The global construction tech management software market is expected to reach $16.6 billion by 2028, with a compound annual growth rate of 16.2%. However, this digital transformation has also brought new vulnerabilities and threats to the industry’s cybersecurity.

The construction industry involves a complex network of stakeholders, including contractors, subcontractors, suppliers, and clients. Each stakeholder may have different cybersecurity practices and vulnerabilities, making the industry particularly susceptible to cyber threats. In fact, according to a study conducted by, construction companies were the third most common type of industry to be targeted by hackers, with more than 13% of the total. And according to the website, in 2020 – 2021 nearly one out of every six construction firms reported a ransomware attack.

Furthermore, the construction industry handles sensitive data, such as project plans, financial information, and client details. This data must be protected from cyber threats to comply with legal and regulatory requirements, such as the European Union’s General Data Protection Regulation (GDPR). Failure to comply with these regulations can result in significant financial penalties and loss of the company’s global revenue.

Prioritizing cybersecurity in the construction industry is crucial to protect against cyber threats, comply with legal requirements, and maintain a competitive advantage. With the rising frequency and cost of cyberattacks in the industry, construction companies that prioritize cybersecurity will be better positioned to succeed in the digital age.


What are the key cybersecurity threats that construction companies should be aware of?

The construction industry has always faced physical threats such as materials theft or vandalism, but with rapid digitalisation and adoption of cloud-based collaboration, it must now increasingly guard itself against cybersecurity risks.

One of the unique challenges in the construction industry is its mobile workforce. Construction sites are often temporary locations, and workers connect to business networks using their own devices, including laptops, tablets, and smartphones. This can lead to lax security practices, especially when workers access sensitive data from their own devices.

Second, the high turnover of personnel and reliance on subcontractors within the construction industry pose additional challenges for cybersecurity. It becomes difficult to provide uniform IT and cybersecurity training to all individuals involved.

Third, the sharing of files and data outside the company poses another cybersecurity risk. Collaboration among professionals from different disciplines and stakeholders often requires the exchange of sensitive information such as blueprints, financial data, and employee records. Building information modeling (BIM) and common data environments (CDEs) create opportunities for data sharing but also represent potential targets for cyberattacks.

Fourth, external malware threats including viruses and worms can cause significant harm to systems and data. Ransomware, a specialized form of malware, encrypts critical systems and demands a ransom for their release. Phishing attacks attempt to extract sensitive information by deceiving individuals through malicious links or attachments. Password attacks target users’ credentials to gain unauthorized access to critical data and systems. Distributed denial of service (DDoS) attacks disrupt networks and systems by overwhelming them with excessive requests.

Awareness of these cybersecurity threats is crucial for construction companies to implement appropriate measures and safeguards.


How can construction managers effectively protect sensitive data as the industry undergoes digital transformation?

As the construction industry undergoes a digital transformation, it is important for their leadership teams to take necessary steps to effectively protect sensitive data. There is a range of strategies construction managers can employ when trying to effectively safeguard sensitive data.

First, construction companies should implement modern device management practices along with fool-proof authentication policies. Additionally, mobile devices used for work should be regularly assessed for vulnerabilities. Also, investing in comprehensive training programs and implementing standardized security measures can help mitigate the risks associated with personnel turnover.

Second, companies must evaluate and embrace robust cybersecurity solutions that encompass both endpoints (mobile devices or computers) as well as networks, email systems, and even cloud-hosted data to detect and deal with external attacks, including malware and ransomware.

Third, companies must ensure that all Wi-Fi networks on construction sites are password-controlled so that onsite workers do not have to rely on external or public networks. Furthermore, implementing stringent permission controls ensures that only authorized individuals can access specific files, data, and network segments.

Fourth, companies should establish comprehensive policies and impart rigorous training to ensure that all personnel within the organization adhere to best security practices. For example, when dealing with clients in the EU, it is imperative to prioritize security measures and ensure compliance with relevant regulations, such as the General Data Protection Regulation (GDPR).

To summarise, construction managers can markedly diminish the vulnerabilities associated with data breaches and cyberattacks by adopting a pragmatic and resolute approach that includes identifying and prioritizing sensitive data, implementing access controls, using encryption, training employees, and implementing incident response plans. By doing so, they can protect their company’s assets, reputation, and clients.
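The permission controls and authentication policies described in this answer can be made concrete with a small deny-by-default access model for a common data environment. The following is an added example written for this article, not Trimble's or Tekla's code; the roles, projects, file classifications, MFA rule and sample users are all constructed for illustration. Beyond the answer itself, it also shows a simple defender-side check: counting repeated denials per user from the audit trail so that an account probing files it was never granted stands out.

```python
"""Deny-by-default permission model for a construction common data environment (CDE).

Added example (not Trimble's or Tekla's code). Roles, projects, file
classifications and sample users below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Which actions each role may perform on each data classification.
# Anything not listed here is denied (least privilege / deny by default).
ROLE_PERMISSIONS: Dict[str, Dict[str, Set[str]]] = {
    "project_manager":     {"blueprint": {"read", "write"}, "financial": {"read", "write"},
                            "employee_record": {"read"}},
    "structural_engineer": {"blueprint": {"read", "write"}},
    "subcontractor":       {"blueprint": {"read"}},
    "client":              {"blueprint": {"read"}, "financial": {"read"}},
}

# Classifications that may only be touched from a session that completed MFA.
MFA_REQUIRED: Set[str] = {"financial", "employee_record"}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    projects: Set[str]          # projects the user is assigned to
    mfa_verified: bool = False  # whether the current session passed MFA


@dataclass(frozen=True)
class Resource:
    path: str
    project: str
    classification: str


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class AuditLog:
    entries: List[Tuple[str, str, str, bool, str]] = field(default_factory=list)

    def record(self, user: User, action: str, res: Resource, d: Decision) -> None:
        self.entries.append((user.name, action, res.path, d.allowed, d.reason))


def authorize(user: User, action: str, res: Resource, audit: AuditLog) -> Decision:
    """Evaluate checks in order; the first failing check denies. Every decision is logged."""
    if res.project not in user.projects:
        d = Decision(False, "not assigned to project")
    elif action not in ROLE_PERMISSIONS.get(user.role, {}).get(res.classification, set()):
        d = Decision(False, f"role '{user.role}' may not {action} {res.classification}")
    elif res.classification in MFA_REQUIRED and not user.mfa_verified:
        d = Decision(False, "MFA required for this classification")
    else:
        d = Decision(True, "allowed")
    audit.record(user, action, res, d)
    return d


def repeated_denials(audit: AuditLog, threshold: int = 3) -> Dict[str, int]:
    """Users with at least `threshold` denied requests: a simple signal worth reviewing
    (for example a shared site laptop requesting files its role was never granted)."""
    counts: Dict[str, int] = {}
    for name, _action, _path, allowed, _reason in audit.entries:
        if not allowed:
            counts[name] = counts.get(name, 0) + 1
    return {n: c for n, c in counts.items() if c >= threshold}


def demo() -> Tuple[List[bool], Dict[str, int]]:
    """Run a constructed sequence of requests and return (decisions, flagged users)."""
    audit = AuditLog()
    plans = Resource("/site-42/plans/level3.ifc", "site-42", "blueprint")
    budget = Resource("/site-42/finance/budget.xlsx", "site-42", "financial")
    hr = Resource("/site-42/hr/crew.csv", "site-42", "employee_record")
    other = Resource("/site-77/plans/level1.ifc", "site-77", "blueprint")

    pm = User("alice", "project_manager", {"site-42"}, mfa_verified=True)
    sub = User("bob", "subcontractor", {"site-42"})          # own device, no MFA this session
    eng = User("carol", "structural_engineer", {"site-42"}, mfa_verified=True)
    pm2 = User("dave", "project_manager", {"site-42"})       # right role, but no MFA

    results = [
        authorize(pm, "write", budget, audit).allowed,   # True
        authorize(eng, "write", plans, audit).allowed,   # True
        authorize(sub, "read", plans, audit).allowed,    # True
        authorize(sub, "read", budget, audit).allowed,   # False: role
        authorize(sub, "write", plans, audit).allowed,   # False: role
        authorize(sub, "read", other, audit).allowed,    # False: project
        authorize(eng, "read", hr, audit).allowed,       # False: role
        authorize(pm2, "read", hr, audit).allowed,       # False: MFA
    ]
    return results, repeated_denials(audit)


if __name__ == "__main__":
    decisions, flagged = demo()
    print(decisions)
    print("users with repeated denials:", flagged)
```

The ordering of checks matters: project assignment is tested before role, so a user is never told which classifications exist on a project they are not part of, and the MFA rule is applied on top of the role grant rather than as a replacement for it.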


What is Trimble’s approach to ensuring privacy and security in its solutions?

Trimble’s approach to ensuring privacy and security in its solutions is comprehensive and constantly evolving to adapt to changing times. With a strong focus on establishing excellent processes, Trimble has recognized the increasing importance of privacy legislation, such as the EU’s General Data Protection Regulation (GDPR). They have taken proactive steps to comply with these regulations and elevate the handling of personally identifiable information.

To ensure GDPR compliance, Trimble engaged external consultants to assist in the compliance process. They worked together to identify information assets, define company policies, specify storage and access protocols, and establish customer-facing policies for data handling. GDPR compliance involves assigning responsibilities within the organization, designating data custodians, and communicating the appropriate message throughout the company.

Trimble also recognizes the continuous threat of cyber attacks and the need for stricter policies. They have developed the Trimble Secure Development Life Cycle framework, which incorporates widely adopted industry best practices. This framework includes a range of controls spanning 10 main categories, with third-party software and external audits used to analyze and verify the effectiveness of their development processes, policies, and incident responses.

Trimble’s security framework aligns with the globally recognized ISO 27001 certification, validating its adherence to internationally accepted information security management standards. To further reinforce its security measures, Trimble has established top-level teams and committees to oversee security matters throughout the organization. These efforts extend to developing robust disaster recovery plans that encompass potential cybersecurity incidents, ensuring business continuity and minimizing risks. This comprehensive approach ensures business continuity and instils confidence in Trimble’s ability to handle potential risks.


Are all Tekla structure software products compliant with information security standards?

Certainly. Several of Tekla Structural Software’s products, including Tekla Structures, Tekla Model Sharing, Tekla Tedds, Tekla Structural Designer, Tekla PowerFab Go, Tekla PowerFab, and Tekla Online Services, have achieved full compliance with the rigorous ISO/IEC 27001:2013 standard for information security. This esteemed certification is globally recognized as a symbol of excellence, ensuring adherence to a comprehensive set of 114 meticulous security protocols. These protocols encompass the critical aspects of information security, such as robust asset management, stringent access control mechanisms, and secure software development practices.

The ISO/IEC 27001:2013 certification focuses on three fundamental areas: confidentiality, integrity, and availability of information. By aligning with this prestigious standard, Trimble unequivocally demonstrates its unwavering commitment to upholding the highest levels of information security. The company ensures that only authorized individuals have access to the information, unauthorized modifications are effectively prevented, and the protected data remain available whenever required.

The certification serves as a testament to Trimble’s unyielding commitment to establishing a robust and comprehensive information security management system, fortified by adherence to industry best practices, further solidifying its reputation as a reliable provider of solutions within the construction industry.
