Construction

Cyber Essentials, IT governance and the questions tenders are asking.

Construction firms are being asked about cyber security in tenders, PAS 91 questionnaires, and insurance renewals. Most don't have a clear answer. I can give you one.

Independent IT advisory for construction businesses. No managed services to sell. No products to push. Just the advice and certifications you need to protect the business and keep winning work.

What you are being asked about

Main contractors, public sector clients, and insurers are increasingly asking construction businesses to answer questions about their cyber security before awarding contracts. This started with enterprise and government work. It has moved into mid-market construction.

PAS 91, the pre-qualification standard used across UK construction procurement, now includes specific questions about information security, cyber risk management, and data protection. Businesses that cannot answer those questions clearly are being marked down or excluded.

Cyber insurance underwriters are asking similar questions at renewal. Premiums go up and cover narrows when you cannot demonstrate basic controls.

Cyber Essentials is the baseline. It is what most tender requirements are actually asking for. Getting certified is not complicated. Not having it is becoming a commercial problem.

Tender questionnaires asking for Cyber Essentials certification

Increasingly standard in public sector and larger private sector contracts. Main contractors are passing the requirement down the supply chain.

PAS 91 information security questions you cannot answer clearly

PAS 91 includes cyber and data security questions. Vague answers create doubt. Clear answers with evidence create confidence.

Insurance renewal asking about controls you have never heard of

Underwriters want to see multi-factor authentication (MFA), a patching process, backups that have been verified by actually restoring from them, and access controls. Most IT support companies have not told you this.

A main contractor asking for your cyber security policy

Larger contractors are starting to require documented policies from supply chain partners, particularly for firms with access to project data and drawings.

A payment fraud attempt or near-miss

Construction businesses are specifically targeted for invoice redirection fraud. High transaction values and email-based payment approvals make the sector a target.

Why it matters in construction

Construction businesses are a specific target.

High transaction values, email-based approvals, complex supply chains, and a culture of moving fast create exactly the conditions attackers look for.

Invoice redirection fraud

Attackers compromise a supplier's email account, or spoof it convincingly, and send a payment request that looks legitimate, often a genuine invoice with changed bank details. By the time the fraud is identified, the money has gone. A single successful redirection can cost a construction business a six-figure sum.

Project data and drawings

Architectural drawings, structural calculations, contract details, and client information are valuable. Competitors, disgruntled employees, and organised criminal groups all have reasons to want them. Most construction businesses have no systematic way of protecting or auditing access to this data.

Supply chain access

Subcontractors, consultants, and suppliers regularly have access to shared project environments, email threads with sensitive attachments, and financial systems. A compromise in one business can spread to others. Your cyber risk is not just your own systems.

What I help construction businesses with

Practical, independent advice. The certifications you need for tenders. Senior oversight without a full-time hire.

Cyber Essentials and CE Plus

The UK government-backed certification (run by the NCSC) that tenders are asking for. I help you understand what is actually required, close the gaps, and get certified without overcomplicating it. Cyber Essentials Plus covers the same controls but adds an independent technical audit of a sample of your devices on top of the self-assessment, and is increasingly required by larger contractors and public sector clients.

  • Gap assessment against all five controls (firewalls, secure configuration, security update management, user access control, malware protection)
  • Remediation guidance before assessment
  • Certification project management
  • Evidence for PAS 91 and tender responses

Virtual CISO for construction

A named senior person responsible for cyber risk at board level. I own the risk decisions, write the policies, report to your board in plain English, and give you someone to call when something goes wrong. Useful for businesses with insurance requirements, larger clients asking for governance evidence, or anyone who wants to get ahead of the problem rather than react to it.

  • Cyber risk assessment and gap analysis
  • Policy documentation for tenders and insurance
  • Board-level reporting
  • Incident response planning and support

Fractional IT Director

Strategic IT leadership without the full-time cost. I review your current setup, challenge your suppliers, identify where you are wasting money or taking unnecessary risk, and make sure the technology decisions you are making are the right ones for the business. Particularly useful for businesses that have grown past the point where IT support can answer the strategic questions.

  • IT supplier review and challenge
  • Cost and contract review
  • Risk and compliance oversight
  • Technology roadmap for growth

What good looks like for a construction business

Cyber Essentials certified. Able to answer every PAS 91 information security question with confidence. A written policy that covers data handling, email use, and payment authorisation. Someone who can attend a board meeting and explain what the business is actually exposed to.

Payment controls that mean a spoofed invoice does not result in a six-figure loss. Access controls that mean a subcontractor who finishes a job cannot still access your project files six months later. Backups that have been tested and will actually work when you need them.

None of this requires an enterprise security programme. Most of it is straightforward. What it requires is someone who knows what needs doing and can make sure it gets done.

  • Cyber Essentials certified and able to answer tender questions clearly
  • Documented policies for data handling, email, and payment authorisation
  • Board-level understanding of what the business is actually exposed to
  • Payment controls that protect against invoice redirection fraud
  • Access controls reviewed and tightened for supply chain partners
  • Tested backups and a written incident response plan
  • Insurance renewal with clear answers to underwriter questions

Independent

No products to sell, no managed services to upsell. Paid only for the quality of the advice.

MSc Cyber Security

Postgraduate qualification in cyber security. 25 years of hands-on experience in real businesses.

Plain English

No jargon. No unnecessary complexity. Advice you can act on and explain to your board.

Start with a conversation.

Tell me what tender question or IT challenge you are dealing with. I will tell you what it actually means and what you need to do about it.

30 minutes. No preparation needed.
