The construction industry's growing reliance on technology and remote systems, coupled with alarming cyber security statistics, necessitates a paradigm shift towards ‘zero trust’. Our CEO Tim Mercer, recently explored how this burgeoning access model can help fortify cyber security strategies in the era of digital construction in this article for PBC Today. If you missed the original piece, you can find it here...

The construction industry is undergoing a remarkable technological transformation, underpinned by the adoption of digital tools and remote systems. For the most part, this is a monumental shift. As well as revolutionising efficiency, collaboration, and project management, embracing technology has optimised processes, enhanced communication, and accelerated innovation — propelling the sector toward a future of sustainable growth and competitiveness.

However, with this progress comes an increased vulnerability to cyber threats. And as the construction industry forges ahead, it must not overlook the digital sentinels guarding its progress.

A growing number of personnel — from contractors and subcontractors to architects, engineers, surveyors, and more — have access to shared IT platforms today, heightening the potential for insider breaches. Plus, with all three key stages of construction (design, construction, and handover) involving extensive digital workflows, cyber security risks exist from the tender stage right through to completion, and thereafter. 

A glance at the Department for Culture, Media and Sport (DCMS) Cyber Security Breaches Survey 2023 paints a sobering picture. The construction sector significantly lags behind others in assigning importance to cyber security, with just 21% of firms having a board member overseeing this domain – a mere 1% increase from the previous year. Alarmingly, the industry is also identified as one of the top three least likely to have cyber security rules or active threat identification measures in place.

Software's integral role in the construction process further amplifies the urgency of robust cyber security too. According to Grand View research, the global construction software market was valued at around $9.6 billion (£8.42 billion) in 2021, and is projected to grow at an annual rate of 8.5% from 2022 to 2030. As software usage expands, data harvests increase, subsequently offering more opportunities for cyber attackers.

As such, the need for stringent cyber security has never been more critical. This is where the concept of zero trust comes into play.

The essence of zero trust

Just as the sector’s professionals meticulously inspect every brick and beam, so must they scrutinise every digital entry point into their domain. Zero trust, a paradigm shift from the traditional "trust but verify" approach, dictates that no user or system is inherently trustworthy — assuming that threats can emerge from within and outside the organisation, thereby minimising vulnerabilities.

Part of a multi-layered defence strategy, this framework involves meticulous identity verification, continuous monitoring, and robust encryption. User access privileges should be granted on a need-to-know basis, with rigorous verification processes for each request.

Constructing a resilient cyber security strategy

Establishing a resilient zero trust access strategy can be a daunting task, particularly in the absence of expert guidance. Make one wrong move, and the very digital foundation meant to enhance operations could become a vulnerable gateway for malicious actors seeking to exploit weaknesses.

While each element will differ slightly from one organisation to the next, the following framework outlines a comprehensive roadmap that construction companies can tailor to suit their specific needs:

1. Comprehensive identity verification: The foundation of a zero trust strategy lies in meticulous identity validation. Construction companies must implement multi-factor authentication (MFA) and identity verification protocols for all users seeking access to digital resources. This ensures that only authorised individuals gain entry.

2. Least privilege access: Embracing the principle of least privilege, the strategy should grant users the minimum access necessary for their roles. This prevents over-privileged accounts from becoming potential entry points for cyber attackers, reducing the attack surface and potential damage.

3. Continuous monitoring and behavioural analytics: Real-time monitoring of user behaviour and network activities is integral to detecting anomalies promptly. Behavioural analytics enable the identification of unusual patterns, allowing immediate response to potential threats before they escalate.

4. Micro-segmentation: Segmenting the network into smaller, isolated sections limits lateral movement for attackers. This containment approach isolates potential breaches, preventing unauthorised access to critical assets.

5. Robust encryption: Data encryption, both in transit and at rest, is pivotal to maintaining data integrity and confidentiality. Encryption ensures that even if unauthorised access occurs, the intercepted data remains indecipherable.

6. Zero trust architecture: Implement a comprehensive architecture that enforces zero trust principles across all layers of the IT infrastructure. From endpoints to applications and data repositories, consistency in zero trust application enhances overall security.

7. Continuous training and awareness: Employees play a crucial role in any cybersecurity strategy. Regular training and awareness programmes educate personnel about the zero trust approach, fostering a security-conscious culture.

8. Vendor and third-party management: Extend zero trust principles to third-party vendors, contractors, and partners who interact with the company's digital environment. Rigorous vetting and monitoring ensure that external entities adhere to the same security standards.

As digital tools proliferate and data volumes surge, a proactive cybersecurity strategy is no longer a luxury but a necessity for the UK’s most ambitious construction firms. In a world where innovation knows no bounds, neither should construction firms’ commitment to safeguarding their digital foundations.

Cyber Security Awareness Month may have dominated the headlines in October, but it remains an ongoing priority at Vapour HQ.

And the team is delighted to have secured Cyber Essentials certification – a government-backed scheme that evidences our deeply-engrained commitment to security, and our protection against cyber-attacks.

Independently assessed by the ISAME Consortium – a Cyber Essentials Partner – the accreditation hasn’t just encouraged the Vapour team to review and validate our cyber security protocol. It also now reassures our customers across public and private sectors – ranging from construction to education, and healthcare to professional services – that we take proactive steps to protect our cloud technology infrastructure from risk.

Commenting on the success, Vapour’s head of transformation and operations Carol McGrotty – who led the certification project – said: “A key part of being ‘cyber ready’ is never becoming complacent. It’s a mantra we share with our customers, so it’s important we live and breathe it too – not least because many attacks are a result of fairly unskilled hackers exploiting innocent human error.

“So, while we know we take cyber security extremely seriously throughout the Vapour team, the exercise to achieve certification provided a helpful ‘sense check’ that we’ve got all bases covered. It should also act as a further sign of confidence for our customers – large and small – that when you’re working with us, you’re in safe hands.”

We have received a growing number of enquiries over the past two weeks, from customers concerned about the threat of cyberattacks. And the number of people contacting us in search of guidance is continuing to rise. Our head of transformation and operations – Carol McGrotty – has therefore summarised our advice in this short post. If you wish to discuss this any further, please contact our Service Desk at, and we will do our best to assist.

With Russian military operations currently underway in Ukraine, the question of whether cyber warfare will also be employed remains unanswered.

Vapour is liaising with Tier 1 providers – with no known immediate threat – and shall continue to do so.

There is a heightened sense of concern being felt by many organisations. Our focus is to help clients prepare for potential cyberattacks. For that, we have put together this cyber readiness checklist. While many of these suggestions are standard cyber hygiene protocols and best practices, simple actions can also go a long way towards fighting against cyberthreats.

Key takeaways

Access: Review admin access to Firewalls and Firewall policies to ensure only permitted access has been given and not open to vulnerabilities

Patching: Ensure that all systems are fully patched and updated

Protection Databases: Make sure your security tools have the latest databases

Backup: Create or update offline backups for all critical systems

Phishing: Conduct phishing awareness training and drills

Hunt: Proactively hunt for attackers in your network using the known TTPs of Russian threat actors

Emulate: Test your defences to ensure they can detect the known TTPs of Russian threat actors

Response: Test your incident response against fictitious, real-world scenarios.

We hope you find this helpful, and if you have any queries, please contact our Service Desk at

sign up for latest news
  • This field is for validation purposes and should be left unchanged.