Search
Close this search box.
Search
Close this search box.

Cybercrime report

Introduction

Cybercrime is a growing concern for the construction sector in the Middle east.

Amidst the rise of cybercrimes and cyberattacks, it has become paramount for companies across the globe to prioritise the  establishment of strong cybersecurity measures.

Freshfields Bruckhaus Deringer, Accuracy, and New York University Abu Dhabi (NYUAD) collaborated to carry out a compre-  hensive survey within the Middle East region’s construction sector (the Survey). The purpose of the Survey was to evaluate  the risks construction project participants face in relation to cybercrimes and gauge their level of preparedness.

This report examines the common cybercrime and cybersecurity practices in the Middle East construction sector using the  results from the Survey. In addition to this introductory section, the report is structured as follows:

  • Section II sets out the executive summary.
  • Section III sets out the key findings from the Survey, including highlighting risks that make the sector more vulnerable.
  • Section IV sets out our recommendations on best cybersecurity practices, including mitigation strategies, for the construc-  tion sector based on the data and findings gathered from the Survey.
  • Section V explains the methodology adopted to gather and analyse the Survey data.
  • Section VI provides our conclusion and key takeaway points from the Survey findings.

The Construction Industry Is Vulnerable to Cyber Attacks

Around the world, the construction sector has been hit hard by the rise of cybercrime in recent years. To take one exam-  ple, Dutch construction company Royal Bam Group fell victim to cyberattacks in 2020 when cyber criminals encrypted the  company’s data, preventing access to it. The company had to take a number of its systems offline in order to neutralise the  attack. 1 Indeed, the increasing digitalisation of construction processes has given cybercriminals new opportunities to target  construction project participants, who now hold increasingly large amounts of sensitive data in online repositories. Despite  increasing reliance on digital processes, cybersecurity awareness within the sector remains relatively low. This vulnerability  is evident from a 2021 survey, which highlighted the sector’s susceptibility to cyberattacks and the elevated success rates  for such attacks.

At the same time, cybersecurity has not gained much attention from construction researchers, as demonstrated in an aca-  demic study. 3 The Survey’s findings shed light on the scale and scope of the issue and highlight the urgent need for con-  struction project participants to take cybersecurity seriously.

Why Should Companies Care about Cyber Incidents Targeting the Construction Sector in  the Middle East

While companies in all industries are susceptible to cyberattacks, the somewhat unique aspects of the construction sec-  tor’s complexity of projects, layers of stakeholder involvement, emphasis on time efficiency, and heavy reliance on sensitive  personal and business data can make the impact of cyberattacks on construction sector companies particularly harmful.  Companies in the Middle East are at even greater risk, given the close relationship they may have with government entities  on projects or the increasing rate of growth in the area, which is not always accompanied by a proportionate investment in  cybersecurity. In particular, we note:

  • Construction projects require time efficiency. Time is money on a construction project, with the risk of delays contrac-  tually allocated within the supply chain. Therefore, a cyberattack that imperils the diligent progress of a project can have  significant ramifications.
  • Construction projects rely on sensitive data. Plans and designs used for construction can provide information regard-  ing access points and weaknesses in security for the finished structure. That is sensitive data, particularly during the  operations phase of the project (for example, if special airport systems could be accessed during operations because of  unknown hacks during the design and construction phase).
  • Construction projects have complex supply chains. There can be very lengthy supply chains on construction projects,  with even the lowest level of the supply chain having access to plans, designs, and other sensitive data. To protect the  project’s data, every layer of the supply chain needs to be focused on cyber security, but smaller entities at the bottom of  the supply chain will not have the same ability to invest in cyber security.
  • Political sensitivity is greater in the Middle East. Many construction projects in the Middle East are financed by govern-  ment or private entities in which the state has invested (or owns). That can create a political dimension to (a) the need for  cybersecurity (in addition to data protection laws, there may be a licensing regime pertaining to data relating to a project  procured by government – e.g., DESC in Dubai) and (b) the motivation for cyberattacks.
  • There is increasing technological reliance in the Middle East. Historically, technology adoption on construction pro-  jects in the Middle East has been slow, but it is now ramping up. In particular, a 2022 PwC Middle East Capital Projects  and Infrastructure Survey identified that technology adoption in the construction sector has surpassed 50% for the first  time. 4 If technology is not adopted in concert with suitable cybersecurity measures, the construction sector in the Middle  East will continue to face problems.

Key Areas of Concern: Theft of Sensitive Data and Ransomware Attacks

One of the most common forms of cybercrime in the construction sector is the theft of sensitive data, which can be used  for purposes of ransomware, identity theft, access to trade secrets, etc. Stolen data can include plans, designs, project  management information, and personal and financial data. This data loss can have financial implications, put projects at risk,  and harm the company’s reputation.

Another primary concern is the threat of ransomware attacks. A study by Nordlocker showed that construction had been  the most targeted sector by ransomware attacks in 2022. 5 In these attacks, cybercriminals encrypt a company’s data and  demand payment in exchange for the decryption key. The construction sector is particularly vulnerable to such threats due  to the intricate data landscape tied to construction projects, which often holds significance for project success.

Quantifying Cyber Incidents Is Difficult Because Many Incidents Are Unreported

Accurately gauging the prevalence of cyberattacks within the sector poses a challenge, given that many incidents go unre-  ported despite the existence of data protection legislation mandating data breach reports in certain circumstances. The  frequency and severity of attacks can vary widely depending on the industry and global region.

However, there is no doubt that cyberattacks have become a significant problem for businesses across all sectors and one  that is growing. In recent years, there have been high-profile attacks on companies in industries such as healthcare, finance,  retail, technology, and construction. For instance, in 2019, a Canadian construction company fell victim to a severe ransom-  ware attack, during which the attackers demanded a ransom of USD 6.5 million to release 60GB of crucial data. 6 Similarly,  in 2020, a French construction company experienced a cyberattack that resulted in malicious actors gaining control of over  200GB of sensitive data and demanding a ransom of USD 11 million. As a precautionary measure, the company had to  temporarily shut down multiple operational systems, leading to significant project delays. 7

According to a report by Cybersecurity Ventures, the global cost of cybercrime is projected to reach USD 10.5 trillion by  2025. The report also estimates that a new cyberattack occurs every 11 seconds, with attacks increasing rapidly. 8

Another report by the Ponemon Institute found that the average cost of a data breach in the United States was USD 9.05  million in 2021. The report also found that the average time to identify and contain a breach was 287 days. 9

In summary, cyberattacks present a significant and growing threat to businesses in all sectors across the globe, including in  the construction sector in the Middle East. The financial and reputational costs of such attacks can be substantial. Project  participants must therefore invest in robust cybersecurity measures and stay vigilant against emerging threats.

Executive summary

The Survey set out to identify the cybercrime prevention practices and cybersecurity risks in the Middle East construction  sector. Conducted among respondents occupying senior roles primarily in large companies across the Middle East region,  the Survey highlighted a concerning reality: even sizable companies lack the necessary readiness to effectively fend off  significant cybercrimes. Incidents of phishing scams, ransomware attacks, and data breaches had already affected the sur-  veyed companies. Recent media coverage has further emphasised the substantial losses that could stem from cyberattacks  targeting the construction sector.

The Survey findings indicate that even large companies with resources at their disposal feel that they are not adequately  prepared to address or prevent cyber incidents, and many indicated that they do not have sufficient measures in place to  mitigate cyber risk. Tackling and averting these threats demands concerted action. Companies must shield their networks,  devices, and data through concentrated efforts in employee training, policy implementation, and adequate investment in  cybersecurity technology.

Indeed, to protect against cybercrime, construction project participants need to implement robust cybersecurity measures.  This includes educating employees on cybersecurity best practices, using strong passwords and two-factor authentication,  and regularly backing up data. Collaborating with cybersecurity experts is equally pivotal, enabling companies to identify  vulnerabilities and enact appropriate security measures. These measures are particularly important for companies in the  construction sector in the Middle East, given the complexity of construction projects and increased sensitivities of their data,  supply chains, and stakeholders. Increased reliance on technology in the construction sector in the region makes the need  for robust cybersecurity measures even more critical.

Findings

Demographics of Survey Respondents
Country Distribution

The Survey was conducted across multiple countries in the  Middle East and some countries outside the region. In the  Middle East, responses were received from companies in  the United Arab Emirates, Saudi Arabia, Qatar, Jordan, Egypt,  Oman, Bahrain, and Iraq. See Figure 1 for the distribution of  the respondents’ countries.

Figure 1 Distribution of the survey respondents’  countries

Demographics of Survey Respondents
Company Size

The Survey respondents were from a broad spectrum of  company sizes, ranging from micro businesses to large  enterprises. Most respondents (70%) represented com-  panies with over 250 employees (Large Companies). By  contrast, approximately 17% represented companies with  50–249 employees (Medium Companies), 8% represented  companies with fewer than ten employees (Micro Compa-  nies), and 5% represented companies with 10–49 employ-  ees (Small Companies) as shown in Figure 2.

Figure 2 Distribution of the survey respondents’  company sizes

Demographics of Survey Respondents
Seniority

The Survey collected responses from individuals of varying  seniority levels within their company: senior management  represented 34%; manager or advisor level respondents,  approximately 27%; and non- managerial senior employees,  25%. The remaining 14% of respondents were high-level sen-  ior management, entry-level employees, or others. Figure 3  shows the distribution of survey respondents’ seniorities.

Figure 3 Distribution of the survey respondents’  seniorities

Demographics of Survey Respondents
Scope of Companies

The Survey collected responses from various project par-  ticipants involved in the construction sector, including pro-  ject managers, contractors, owners, suppliers, architects,  and designers. Most respondents (20%) represented project  management, while approximately 25% represented con-  tractors and sub-contractors. The remaining respondents  represented roles such as owners, partners, stakeholders,  engineers, designers, and architects, as seen in Figure 4.

Figure 4 Distribution of the survey respondents’  company scopes

The Construction sector is particularly vulnerable to cyberattacks

The construction sector has long been recognised as traditional, implementing technology more slowly than many others. In  a 2016 report by McKinsey, it was listed as the second least digitalised industry after agriculture and hunting. 10

However, the sector’s gradual integration of technology, coupled with its insufficient cybersecurity safeguards, has rendered  it an increasingly attractive target for cybercriminals. The Survey results highlight the alarming prevalence of cybercrime and  cyberattacks within the sector and underline the need for project participants to prioritise cybersecurity.

  • Types of Cyberattacks  in Construction :The Survey results indicate that the types of cyberattacks on the increase in the construction  sector are phishing scams, ransomware attacks, and data breaches. The escalation of these  attacks is largely attributed to the impact of COVID-19. These attacks can lead to the loss of  sensitive information, financial losses, and disruptions to the construction process, resulting in  delays and additional costs.The Verizon 2020 Data Breach Investigations Report pinpoints social engineering schemes 11  as one of the leading cyber threats faced by the construction industry. It involves cyberattack-  ers impersonating senior management and key vendors through business email compromise  (BEC) tactics. Their goal is to convince victims to transfer funds or provide sensitive information  that can be exploited for financial gain. 12
  • Lack of Preparedness :The Survey results also reveal that the lack of preparedness is not limited to smaller project  participants. Large project participants with substantial resources are often unprepared to  tackle cyber threats, with many lacking the necessary cybersecurity measures and resources  to protect themselves from potential cyberattacks. The previously mentioned 2021 academic  survey 13 found that only 39% of construction sector companies had a cybersecurity plan, high-  lighting the need for the construction sector to place an increased emphasis on cybersecurity.The Survey found that a significant proportion of respondents expressed concern about  cybersecurity in the construction sector. Specifically, 34% of respondents were significantly  concerned about cybersecurity, while 41% were somewhat concerned. These figures under-  line that the majority view cybersecurity as an imperative matter demanding attention or per-  ceive their construction businesses as inadequately equipped to handle it.A key obstacle to preparedness is awareness and knowing how to navigate risks. When  asked about their employer’s understanding of cybersecurity, 34% of respondents to the  Survey reported being very well aware of cybersecurity, while 41% had some knowledge  about it. This suggests that many construction business owners recognise the importance of  cybersecurity but may benefit from additional support to develop their understanding further.The Survey also revealed that only 24% of respondents reported a significant investment  in cybersecurity, and only 27% stated their investment was sufficient. As many as 27% of  respondents said that their investment in cybersecurity was insufficient, indicating a need for  more resources dedicated to cybersecurity within the construction sector
    When asked if their employer periodically conducts cybersecurity risk assessments, the  responses were more evenly spread: 37% of respondents said ‘yes’, indicating that their  employer takes cybersecurity seriously and takes steps to assess potential risks; 31% of  respondents said ‘no’, indicating that their employer does not conduct cybersecurity risk  assessments; and 32% did not know or were not sure, highlighting a potential gap in cyber-  security knowledge within the construction sector.

    With cybercrime on the rise, construction companies must prioritise cybersecurity education,  resources, and policy implementation to protect their networks, devices, and sensitive data  from cyber threats. By adopting a comprehensive set of security measures and working with  cybersecurity experts, project participants can mitigate the risk of cyberattacks and protect  themselves and their business partners from potential harm.

Investing in Cybersecurity

The impact of cybercrime on the construction sector has become a growing concern due to the shift towards digitalisation  and remote work. The results of the Survey provide insights into the perceptions of construction sector professionals on the  impact of various factors on cybercrime, including human intervention, cybersecurity regulations, national jurisdictions, inves-  tigative capabilities, and company financials. Additionally, in this section, we examine the extent to which project participants  have policies and procedures in place for addressing cybercrime.

  • Human Intervention  Plays a Key Role in Cybercrime :
    Human intervention plays a crucial role in both perpetuating and preventing cybercrime. As  technology advances, the actions, behaviours, and attitudes of individuals towards technol-  ogy significantly affect their vulnerability to cybercrime. Most cyberattacks, such as weak  passwords, social engineering, or phishing scams, exploit human error or negligence.According to a 2022 report prepared by Verizon, human factors played a significant role in  82% of approximately 2,250 global data breach incidents. 14 This emphasises the decisive  influence of human engagement in cybercrime. The same report further highlights that attack-  ers primarily breach security defences by employing malware and capitalising on stolen cre-  dentials. This pattern of human-centric cyberattacks is just as prevalent in the EMEA region– where stolen credentials accounted for over 65% of the avenues through which attackers  gained unauthorised access – as it is globally. 15The majority of respondents to the Survey (76%) believe that human intervention has a critical  impact on cybercrime. This further underlines the importance of employee training and edu-  cation in preventing cyberattacks, ultimately reducing the risk of cyberattacks, as employees  are often the first line of defence against cybercrime.
  • Cyber  Regulations  and Company Policies  and Culture Work  Together to Create Effective Cybersecurity  Environments :Regulations in tandem with company prioritisation of cybersecurity are key to combatting  cybercrimes. When asked about the impact of cybersecurity regulations on cybercrime, 37%  of respondents said it has a significant effect, while 52% said it has a slight impact. When  asked about the broader regulatory and socio-cultural context, 35% of respondents said the  location where you do business can significantly influence cybercrime, while 46% said it has  a slight effect.These findings advocate for a comprehensive approach in which companies wield a pivotal  role in cultivating a climate that champions effective cybersecurity regulations. This concerted  effort is crucial in preventing and combatting cybercrimes, further emphasising the role of  organisations in shaping a protective cybersecurity culture.
  • Committing Financial  Resources and Taking  Investigative Steps Are  Key to Preventing and  Detecting Cyberattacks :The Survey findings suggest that financial resources and investigative capabilities are essen-  tial in preventing and detecting cyberattacks. More than half of respondents (57%) believe  that investigative capabilities have a significant impact on cybercrime, while 26% said it has a  slight impact. Additionally, 52% of respondents said that a company’s financial investment in  cybersecurity significantly affects cybercrime, and 39% said it had a slight effect. 
  • Policies and Procedures  Related to Dealing with  Cybercrime :
    In response to questions about policies and procedures concerning cybercrime, 48% of  respondents confirmed having such measures in place. This indicates that the majority of  surveyed project participants are actively equipped with policies to safeguard against cyber  threats. However, 22% of respondents said ‘no’, suggesting a potential oversight of this facet  of cybersecurity in certain companies. Meanwhile, 30% of respondents did not know or were  unsure, highlighting the need for increased awareness and education about cybercrime pre-  vention and response.

Cybercrime and COVID-19

The COVID-19 pandemic caused significant disruption across various sectors, including construction. The transformation  towards remote work and amplified dependence on technology spurred the rise of cybercrime as a pressing concern. 16

  • Impact of COVID- 19 on Crime in the Construction Sector :
    In the Middle East, COVID-19 had a recognised impact on cybercrime incidence. When asked  about the impact of the pandemic on crime in the construction sector, the responses were  as follows:

    • 29% of respondents reported a significant increase in crime.
    • 31% of respondents reported a slight increase in crime.
    • 23% of respondents reported that crime remained about the same.

    Yet, only 13% of respondents reported that their businesses significantly changed existing  cybercrime prevention measures because of COVID-19; 25% said no changes were made  at all.

     

  • Impact of COVID-19 on  Business Vulnerability  to Cybercrime :The pandemic also had a significant impact on the vulnerability of construction businesses to  cybercrime. When asked about the effect of COVID-19 on their business’s exposure to cyber-  crime, the respondents answered as follows:
    • 15% reported a significant increase in vulnerability.
    • 67% reported a slight increase in vulnerability.
  • Types of Cybercrime Experienced or Observed :
    The Survey also asked respondents about the types of cybercrime they experienced or  observed from the start of the pandemic. The results were as follows:

    • 73% of respondents reported a significant or slight increase in phishing and social engi-  neering attacks.
    • 25% of respondents reported no change in malware and virus dissemination, 23% reported  a significant increase, and 35% reported a slight increase.
    • No respondents saw any decrease in denial-of- service attacks, business email compro-  mises, social media hacks and spamming, electronic money fraud, sales fraud, identity  theft, and credit card fraud.

    The Survey findings indicate that the COVID-19 pandemic had a notable impact on cybercrime  in the construction sector, with a significant number of respondents reporting an increase in  cyberattacks. They also suggest that businesses became more vulnerable to cyberattacks  during this period, with the prevalence of phishing and social engineering attacks standing out  as the most commonly experienced or observed cybercrimes.

Recommendation

The first line of defence against any cyber threat, including in the Middle East construction sector, is increasing perception  and awareness from the top: ‘prevention is better than cure’. Most companies could improve value and security by adopting  a proactive approach from upper management to tackle cybercrime-related risks.

Such an approach towards cybercrime risk management typically requires a cultural shift – this starts with board-level exec-  utives who can incorporate cybercrime-related risk into their enterprise risk strategy. In doing so, leaders can quickly identify  gaps and steer the organsiation towards a holistic approach in countering cyber threats.

Further, companies should focus on building a sustainable and multi-tiered approach to risk management rather than the  piecemeal approach often taken today. A sustainable process starts with a risk assessment. A suggested framework for  conducting such an assessment is outlined in Figure 5 and Figure 6.

Figure 5  The suggested risk assessment framework (functions)

Figure 6 The suggested risk assessment framework (categories)

Several cybercrime deterrents are commonly utilised to prevent and alleviate the harm caused by cybercrime. Moreover, various post-breach measures can be implemented to manage and curtail the consequences of a cyberattack or data breach. These include, but are not limited to:

  • Technical ControlsThese measures are designed to prevent unauthorised access to computer systems, net-  works, and data. Technical controls include firewalls, intrusion detection and prevention systems, anti-virus software, encryption, and access controls. In the event of a cyberattack or data breach, companies must first seek to contain the breach  and limit further damage by working with legal counsel and the IT team on a plan to isolate  affected systems and devices and update security measures and protocols.
  • Policies, Procedures, Processes, and Best PracticesPolicies and procedures are put in place to govern the use of computer systems and data.  These may include acceptable use policies, password policies, data backup and recovery  policies, and incident response plans. Legal counsel can assist companies with developing plans to address vulnerabilities in pro-  cesses and corporate policies, which may contribute to a breach, and assist with updating  policies and procedures. Legal counsel may also recommend that a company subject to a breach conduct an internal  investigation to identify the cause, extent, and impact of the breach.
  • Training and AwarenessEmployees and users of computer systems need to be trained in recognising and avoiding cyber threats. Training can include security awareness training, phishing simulations, and regular reminders of best practices.
  • Legal and Regulatory  ControlsLaws and regulations can provide a framework for cybercrime deterrence. These may include  data protection laws, data breach notification requirements, cybercrime laws providing criminal  penalties for cybercriminals, and licensing requirements for dealing with data on government-  procured projects.In the event of a cyberattack or data breach, a company may need to take measures to  comply with regulatory requirements or respond to regulatory inquiries (among other actions).  Once data breaches occur, legal counsel can be effective in advising on requirements to  notify regulatory agencies and affected individuals in accordance with data protection laws.
  • Collaboration and Information SharingCollaboration between organisations, government agencies, and law enforcement can help  to identify and respond to cyber threats more effectively. This can include sharing threat intel-  ligence, best practices, and resources.Overall, an effective cybercrime deterrent strategy should be comprehensive and include a  combination of technical controls, policies and procedures, training and awareness, legal and  regulatory controls, and collaboration and information sharing.
  • Investing in  Cybersecurity MeasuresTo address the issue of cybercrime in the construction sector, project participants must prioritise cybersecurity. They must invest in the necessary measures to protect their assets and  operational integrity. This comprehensive effort encompasses the adoption of a multi-faceted  cybersecurity strategy that covers employee training, leverages technology, and enforces  effective policies.Collaborating with cybersecurity and cybercrime experts can help project participants stay  attuned to the evolving cyber threats landscape. This proactive approach enables them to  implement appropriate countermeasures to mitigate risks. A National Institute of Standards  and Technology report recommends that project participants conduct regular risk assessments, implement security controls, and establish incident response plans to protect against  cyber threats. 17Companies should always seek to invest in their cybersecurity capabilities to ensure they are  sufficiently protected from cyberattacks. However, in the unfortunate event of a breach, having  a well- conceived plan is imperative to navigate the intricate and often stressful aftermath with  precision. 

Recommendation

The methodology for the Survey’s design, deployment, and analysis is summarised in five steps, as shown in the flowchart  in Figure 7. The details of each step are shown below.

Figure 7 Flowchart for the Survey’s methodology

  • Step 1 Determining the scope and target population :The first step of designing a survey is to decide on the scope based on the research ques-  tions to be answered. These questions will also determine the target population since the  focus will indicate who should participate in the survey.In this Survey, the scope encompassed a range of objectives. This entailed the identification  of cyber risks targeting the construction sector, understanding the level of awareness and pre-  paredness of project participants, and assessing the impact of COVID-19 on the prevalence  of cybercrimes. The Survey mainly targeted construction sector professionals predominantly  in the Middle East region to keep the study focused and draw conclusions more accurately.
  • Step 2 Determining the  questions and survey  structure :The second step is to write questions that effectively address the established research inquir-  ies and align with the survey’s defined scope. The questions should be relevant to the target  population since some might be unnecessary in specific geographic areas or professional  roles. The way of distributing the survey, such as via email, an online survey platform, or in  person, should also be decided at this stage since it might affect the type of questions.It was decided that the Survey would be conducted via an online survey platform, Qualtrics, to  reach the maximum number of participants in the target population. It consisted of six sections:(1) Demographics, (2) Organisational and Industry Approach to Technology, (3) Cybersecurity  Awareness, (4) Cybercrime Approach, Policies, and Procedures, (5) Cybercrime and COVID-  19, and (6) Respondent’s Information. The first and the last sections sought insights into each  respondent’s characteristics and that of their employer, such as the size and scope of work  of the respondent’s employer and the respondent’s level of seniority. The second section  included questions to identify the types of technology utilised by the respondents’ companies.  Sections three and four aimed to gauge the cybersecurity awareness of the respondents,  their concerns related to cybercrime, and their employers’ preparedness to combat potential  cyber threats. Finally, the fifth section included questions to measure the impact of COVID-19  on the cybercrime landscape in the construction sector, particularly in the Middle East region.
  • Step 3 Internal checks and  finalising the survey :
    This step aims to perform checks to detect any potential flaws, assess the clarity of the ques-  tions and effectiveness of the survey structure, and optimise the survey length to achieve  the maximum number of complete responses. Since three different organisations conducted  the Survey, each organisation performed the checks and provided feedback from their per-  spectives and using their expertise. The diversity of the scopes of the involved organisations  helped improve the Survey. Once all parties agreed on the Survey layout and questions, it was  finalised to proceed with the following step.
  • Step 4 Deployment and data  collection :This survey step includes distributing the survey questions using the previously decided  method. If the survey is online, the link for the survey should be shared with the relevant  groups of people via social media, email, or other ways of online communication. Response  data should be collected until the agreed cut-off date and stored for analysis at the next stage.  In the case of online surveys, if any patterns show that respondents are leaving the survey  incomplete at certain sections, it might indicate that it is not well designed and needs improve-  ment. The purpose should be to have the maximum number of complete responses without  compromising the cohesiveness and purpose of the survey.This Survey employed the online survey platform Qualtrics. Therefore, the questions were  transferred to Qualtrics in the agreed layout and checked by the involved organisations (Fresh-  fields Bruckhaus Deringer, Accuracy, and NYUAD) before distribution. To protect the privacy  of the respondents, IP addresses, location data, and contact information were anonymised  by default. The respondents provided their contact information, which was kept confidential,  in the last section of the Survey, if they wanted to receive the initial findings. Once the Survey  was finalised, the link was shared with the partner organisations and via social media, such as  LinkedIn. Some entities that received the Survey are the Society of Construction Law (SCL)  Gulf and the Royal Institution of Chartered Surveyors (RICS). The distribution of the Survey  started on 3 October 2022, and it was kept open until 31 December 2022 (90 days). While  187 people began the Survey during this period, 52 completed all sections.
  • Step 5 Analysis and reportingThis is the last stage of a survey process. It includes analysing and interpreting the collected  data and gathering the findings in a report to share them.The responses to the questions were analysed to draw conclusions addressing the purpose  of the Survey. While some findings were as expected, such as the high level of concern  about cybercrime and low level of cybersecurity awareness and preparedness among project  participants, some were unexpected. For example, only 15% of the respondents reported  a significant increase in the vulnerability of their businesses to cybercrime due to the new  working environment after COVID-19. The findings of the Survey, the main conclusions, and  the recommendations to improve the security level of construction project participants are  included in this report.

Conclusion

Our findings from the Survey highlight the vulnerability of construction businesses to cyber threats. Research supports the  notion that cyberattacks are rising globally, and the construction sector is no exception. We do not consider this trend to  be limited to the past. As the industry continues transitioning from paper-based record-keeping to more effective data man-  agement in electronic repositories, we expect a continued increase in cybersecurity threats to the sector. This mirrors the  concerns expressed by 75% of respondents who feel there are cybersecurity issues in the construction sector.

The Survey results indicate that, while some project participants are aware of the importance of cybersecurity, there is a need  for increased investment and education in this area. Only half of the respondents feel that their companies have significant or  sufficient cybersecurity measures in place to protect against cyber threats in an environment where cybercrime targeted at  the sector is rising rapidly. This finding is consistent with other studies, which suggest that many project participants lack the  necessary cybersecurity measures and resources to protect themselves adequately from cyber threats.

Project participants must prioritise cybersecurity education, resources, and policy implementation at all levels of their busi-  ness to address this issue. This need is magnified by the vast quantities of sensitive data that project participants are likely  to hold. This approach aligns with recommendations made by cybersecurity experts, who suggest that project participants  adopt a multi-layered approach to cybersecurity, including employee training, technology, and policy implementation. Addi-  tionally, working with cybersecurity and cybercrime experts can help project participants stay up-to-date on the latest cyber  threats and implement appropriate measures to mitigate risks.

While the Survey primarily focused on insights from senior-level construction sector employees, it is essential to recognise  that there might be variations in cyber awareness and understanding at different levels within a company. For instance, front-  line workers or employees in administrative roles may have limited exposure to cybersecurity training or may not be fully aware  of the potential risks and best practices. By contrast, IT professionals or those directly involved in technology implementation  may have a higher understanding and familiarity with cybersecurity measures than employees in non- technical roles.

To gain a comprehensive understanding of the cybersecurity landscape within the construction sector, future research efforts  could include a more comprehensive sample size, encompassing employees from various levels and departments. This  would help capture a more diverse range of perspectives and potential disparities in awareness, as well as identify gaps in  cybersecurity knowledge.

In summary, the Survey results emphasise the need for project participants to prioritise cybersecurity matters and implement  appropriate measures to protect their networks, devices, and sensitive data from cyber threats. The rise of cybercrime in the  construction sector is a growing concern, and project participants must take proactive steps to safeguard their assets and  reputations. By working with cybercrime and cybersecurity experts and implementing comprehensive security measures,  project participants can mitigate the risk of cyberattacks and protect themselves and their business partners from potential  harm.