Building Safely in the Age of AI: Cyber Security in UK Construction

This article explores how UK construction businesses can embrace the opportunities created by AI while maintaining strong cyber security, including the key risks to understand and the practical steps firms can take to protect their data.

Access Coins Evo is built for this challenge. Our construction-specific ERP platform is ISO 27001 (information security) and ISO 42001 (AI management) certified, with role-based access controls and enterprise-grade security designed to give construction businesses the power of AI without compromising on data protection.

Written by Alex Boury.

Posted 07/05/2026

At-A-Glance - Cyber Security in UK Construction

  • The UK’s National Cyber Security Centre (NCSC) handled a record 204 ‘nationally significant’ cyber incidents in the year to August 2025 – nearly double the previous year – with construction named among the top sectors reporting ransomware activity.
  • High-profile attacks on Marks & Spencer, Jaguar Land Rover and the Co-op show that no organisation is immune – and construction’s large contract values, complex subcontractor networks and distributed site workforces make it an attractive target.
  • The 2025 Jaguar Land Rover attack alone is estimated to have cost the UK economy £1.9 billion, halting production for around five weeks and rippling through more than 5,000 supply chain businesses.
  • AI is beginning to reshape construction through predictive scheduling, automated document management and forecasting, but adoption remains patchy, held back by fragmented data, skills gaps and security concerns.
  • Construction firms handle some of the most commercially sensitive data in the business ecosystem, and AI tools that rely on third-party cloud pipelines can expose that data if proper safeguards aren’t in place.
  • Employees using public AI tools to process confidential documents, known as ‘Shadow AI’, is an emerging risk, alongside compliance obligations under the UK GDPR and Data Protection Act 2018, enforced by the Information Commissioner’s Office (ICO).
  • Best practice means establishing a data governance framework, vetting vendors against ISO 27001 and ISO 42001 standards, enforcing role-based access controls, and choosing construction-specific platforms over generic tools.
  • Access Coins Evo is purpose-built for construction and certified to ISO 27001 and ISO 42001, one of very few ERP providers to hold both. Hosted on Microsoft Azure with AES-256 encryption, SOC 1 Type II compliance, and hundreds of annual penetration tests, it delivers enterprise-grade security without compromise.

The UK construction industry is rapidly digitising. Cloud-based project management systems, digital procurement, mobile workforce tools and data-driven forecasting are transforming how projects are planned and delivered.

As these technologies become embedded in daily operations, they also expand the industry’s exposure to cyber risk. 

Construction businesses now manage large volumes of sensitive data, including financial records, contracts, intellectual property and client information, making strong cyber security in construction more important than ever.

At the same time, artificial intelligence (AI) is beginning to reshape the sector, offering capabilities such as predictive scheduling and automated document management.

While the opportunities are significant, they also raise important questions around AI data security and how construction businesses can adopt these tools safely as the industry moves deeper into the age of AI.

When household names get hacked: lessons for construction

The last two years have seen some of the most disruptive incidents in modern UK corporate history, and the pattern is unmistakable: attackers are now hitting the operational backbone of British business.

In April 2025, Marks & Spencer was hit by a ransomware attack that brought online ordering to a halt for around six weeks, left shelves empty in stores, and forced staff to revert to manual processes for stock and fresh food. 

The retailer has since reported a hit of more than £300 million to operating profit, with half-year pre-tax profits down 55% year on year. Investigators concluded the attackers gained access through social engineering targeted at a third-party supplier – a textbook supply chain breach.

A few months later, in late August 2025, Jaguar Land Rover suffered what the UK’s Cyber Monitoring Centre has called the most economically damaging cyber event ever to hit the country. 

JLR shut down production at its Solihull, Halewood and Wolverhampton plants for around five weeks, sending tens of thousands of workers home and pushing UK car output to its worst September since 1952. The economic impact is estimated at around £1.9 billion, with the Bank of England citing the attack as a factor in weaker UK GDP growth in Q3 2025. 

Together, these incidents demonstrate that even large organisations with significant security resources can be brought to a standstill – and that the wider supply chain often pays the heaviest price.

The cost of a data breach in the UK

The NCSC’s 2025 Annual Review reported a record 204 nationally significant incidents and 18 highly significant incidents in the year to August – nearly double the previous year. Construction was named among the top sectors reporting ransomware activity to the NCSC, alongside manufacturing, IT and the legal sector.

For individual businesses, the cost of an incident can quickly climb into the hundreds of thousands, or in serious cases the tens of millions, of pounds once downtime, forensic investigation, recovery costs, regulatory fines and reputational damage are taken into account. The ICO can impose monetary penalties of up to £17.5 million or 4% of global annual turnover, whichever is higher, for serious breaches of UK GDPR.

Construction may not always appear in the headlines alongside high street retail or automotive manufacturing, but it remains an attractive target. Large contract payments, complex tier 1, 2 and 3 supplier networks, and distributed workforces moving between sites create opportunities for fraud, ransomware and data theft. 

The October 2025 attack on Dodd Group – a UK building services and Ministry of Defence construction contractor with around 1,100 employees – saw the Lynx ransomware gang claim to have exfiltrated approximately 4TB of data, including sensitive material relating to RAF and Royal Navy estate works. It is a stark reminder that the sector is squarely in the crosshairs.

AI in construction: big promises, slow progress

Artificial intelligence has the potential to significantly improve productivity in UK construction, an industry that has historically lagged behind others in digital transformation.

Today, AI is being explored across several areas of project delivery. Algorithms can analyse historical project data to forecast delays, identify cost risks and improve programme scheduling.

AI-driven document management systems can categorise contracts, RFIs and invoices automatically, while predictive analytics can forecast plant and equipment maintenance needs.

Why AI adoption remains inconsistent in construction

Despite these possibilities, adoption remains uneven. Many organisations are still experimenting with pilot programmes or proof-of-concept projects rather than rolling out AI at scale.

Several factors contribute to this cautious approach. Fragmented data systems make it harder to build reliable AI models, while skills shortages and change management challenges can also slow adoption.

Uncertainty around the accuracy of AI outputs and the return on investment remains a concern for many leaders.

Another key issue is AI data security. AI tools rely on large volumes of data to operate effectively, and businesses are increasingly aware that poorly governed or protected data can create new vulnerabilities.

What makes construction data sensitive to AI security concerns

UK construction firms handle some of the most commercially sensitive data in the business ecosystem.

Project budgets, tender pricing, subcontractor agreements, payroll records, CIS deductions and client information all move through digital systems during the lifecycle of a project. On government-funded or public sector schemes, that data may also touch frameworks with security obligations of their own.

When AI tools process this information, AI data security becomes a critical issue. Many general-purpose AI platforms process data through third-party cloud services or external pipelines.

If sensitive documents are uploaded without proper safeguards, organisations may lose visibility over where their data is stored or how it is used.

The specific AI and data security risks UK construction firms face

One emerging challenge is ‘shadow AI’. Employees experimenting with publicly available AI tools may unintentionally upload confidential project documents or financial information to save time.

While the intent is usually productivity, the result can expose organisations to serious AI data security concerns – particularly when those tools train on submitted data or store it in jurisdictions with different protection standards.

There are also regulatory considerations. Under the UK GDPR and the Data Protection Act 2018, organisations must take appropriate technical and organisational measures to protect personal data, and notify the ICO of a notifiable breach without undue delay and, where feasible, within 72 hours. 

Construction firms working on central government projects may also be subject to additional requirements such as Cyber Essentials Plus, which is mandatory for many MoD and Crown Commercial Service contracts.

Failing to address these AI data security concerns can lead to contractual disputes, regulatory penalties, reputational damage and costly project disruption – the kind of disruption M&S and JLR are still recovering from.

Best practices: securing AI in a construction environment

While the risks are real, they can be managed with the right governance and technology foundations.

Start with a data governance framework

Construction businesses need clear visibility over their data – in particular, what information they hold, where it is stored and who can access it.

Regular data audits can help identify vulnerabilities and ensure sensitive information is properly classified and protected. Aligning to a recognised framework such as the NCSC’s Cyber Assessment Framework (CAF) or Cyber Essentials gives a defensible baseline.

Vet your AI vendors rigorously

Technology partners should meet recognised security standards such as ISO 27001, an international certification that verifies a company has strong systems in place to manage and protect sensitive data.

New frameworks such as ISO 42001, an international standard for the responsible development, management and governance of artificial intelligence systems, are also emerging to guide the oversight of AI. 

Both M&S and JLR were ultimately compromised through the wider technology ecosystem rather than a direct frontal attack – a powerful reminder that vendor due diligence is no longer optional.

Train your people, not just your systems

Access controls are critical. Role-based access systems ensure employees only see the information necessary for their role, reducing the risk of accidental exposure.

Organisations should establish clear internal policies around AI use to prevent shadow AI practices and reduce AI data security concerns. Combined with phishing awareness training – the entry point for many of the recent UK retail attacks – this is one of the highest-return security investments a contractor can make.

Choose industry-specific solutions over generic tools

Construction-specific platforms integrate financial, commercial and project data within a single environment. This reduces the need for multiple external integrations and helps strengthen cyber security in construction by limiting the exposure of sensitive information.

Together, these practices can help UK construction businesses to address AI data security concerns while still benefiting from innovation.

How Access Coins Evo is built for secure construction

Purpose-built for construction, secured from the ground up

As construction businesses explore the potential of AI, many are looking for solutions that combine advanced capability with enterprise-grade security.

Access Coins Evo has been designed with this balance in mind.

As a construction-specific ERP platform, it integrates financial management, project management, commercial control, procurement and workforce systems into a single environment.

The platform is built to meet rigorous security standards, including ISO 27001 certification for information security management and ISO 42001 certification for the responsible governance of artificial intelligence.

Hosted on Microsoft Azure infrastructure, Access Coins Evo also delivers enterprise-grade reliability with a 99.9% uptime guarantee backed by automated disaster recovery.

AI that works within your security perimeter

Crucially, Access Coins Evo’s AI capabilities operate within the platform’s security framework rather than relying on external tools or disconnected integrations.

This approach allows organisations to benefit from AI-driven insights while maintaining control over their data.

By embedding AI within a secure construction-specific environment, Access Coins Evo enables construction businesses to adopt AI confidently, knowing that sensitive project data remains protected.

Access Coins Evo’s multi-layered security approach

Security within Access Coins Evo is implemented across multiple layers, from application-level controls to underlying infrastructure protections.

Application security: controlling who sees what

At the application level, granular role-based access controls ensure users only access the information relevant to their responsibilities.

Additional safeguards such as segregation of duties, single sign-on authentication, and detailed auditing help prevent unauthorised access while maintaining accountability.

Infrastructure security: built on Azure’s enterprise-grade foundation

Infrastructure security is supported through Microsoft Azure’s enterprise-grade environment, including advanced physical data centre protection, encrypted network connections and dedicated virtual networks for each customer environment.

Data is protected using AES-256 encryption, a widely used method that converts information into secure code so it cannot be read without authorised access.

The platform also complies with FIPS 140-2, an internationally recognised security standard that verifies encryption technologies meet strict requirements, helping ensure sensitive data remains protected both in transit and at rest.

It also incorporates extensive security testing. Hundreds of penetration tests are conducted annually to identify vulnerabilities before they can be exploited, supported by a secure software development lifecycle aligned with recognised industry standards.

Compliance and certifications: meeting the highest standards

  • Access Coins Evo is supported by recognised security frameworks including ISO 27001 certification, an international standard showing a company has been independently audited and has strong systems in place to protect sensitive data and manage information security.
  • It also holds the ISO 42001 certification for AI governance – the international standard for responsible AI management – making us one of very few construction ERP providers certified at this level.
  • Access Coins Evo also complies with SOC 1 Type II – an independent audit that verifies a company’s systems and controls for managing financial data are secure and working effectively over time.


These measures provide a robust foundation for secure digital operations within the Access Coins Evo system.

As AI continues to reshape the construction industry, businesses need technology that supports innovation without compromising security.

Access Coins Evo provides that balance, combining powerful AI capabilities with enterprise-grade data protection designed specifically for construction environments.

By embedding AI within a secure, purpose-built ERP platform, it enables organisations to confidently adopt new technology while safeguarding sensitive project and financial data.

To learn more about how Access Coins Evo can support secure, AI-enabled construction operations, explore the platform or speak with the Access Construction team.