
If you don’t truly know what you’ve got, you can’t protect it, writes Dave Adamson of Creative ITC
With the Cyber Security & Resilience Bill progressing through Parliament, organisations are entering a new phase of heightened expectations around visibility, accountability and operational resilience.
In today’s threat landscape, resilience can no longer be reactive. Businesses must move beyond recovering after a breach to proactively securing their environments, protecting their data and preparing for regulatory change.
This revised approach echoes earlier regulatory shifts such as the EU GDPR and the EU Data Act, where action was often delayed until disruption or penalties forced change.
Because construction firms are closely associated with national infrastructure, cyber resilience is now a core business requirement for them in particular, directly linked to revenue, contract eligibility and reputation. Regulatory frameworks have made cyber resilience both mandatory and auditable. Businesses that cannot demonstrate control, visibility and security across their IT environments will struggle to compete. The question now is how to intentionally build resilience that supports long-term performance.
The visibility gap
At the heart of this challenge lies a simple truth: you cannot protect what you don’t know. Many organisations still lack visibility across their full IT estates, including how much data they hold, where it resides and how it moves across systems and supply chains.
Across the sector, digitalisation has often accelerated without proper integration. On average, 57% of industry-specific software platforms used by UK construction firms are not connected, creating fragmented data, duplication and governance blind spots. This undermines continuity, compliance and risk management and makes it difficult to respond effectively to incidents.
At the same time, cloud sprawl, shadow IT and AI-driven vulnerabilities are expanding the attack surface, leaving many AEC firms ill-equipped to manage evolving IT environments. Without a clear understanding of infrastructure and data flows, even well-intentioned resilience strategies fall short.
The hidden risk of tacit knowledge
Resilience, however, is not solely about securing systems and data. In construction, critical knowledge often exists in people’s heads rather than in applications or databases. This tacit knowledge – practical judgement, real-world experience and unwritten rules – underpins safe delivery, regulatory compliance and effective risk management.
The industry is facing a double-edged human resources challenge. More than 35% of the UK construction workforce is over 50, and by 2035, over a third are expected to retire, taking decades of expertise with them.
Meanwhile, the well-publicised skills shortage currently amounts to over 140,000 vacancies, intensifying reliance on fewer experienced individuals.
Many are turning to AI to plug these shortfalls, automate and boost productivity. But as the technology is deployed across AEC workflows to support and accelerate decision-making, there is a risk that irreplaceable human expertise will be lost before it’s captured, structured or shared.
AI is only as effective as the data and context on which it is built. Without deliberate knowledge management and robust governance, it can amplify inaccuracies, embed outdated practices and strip away the nuance that experienced people supply.
In many ways, the rapid adoption of AI has delivered the wake-up call that regulation alone has failed to achieve, exposing the gap between what organisations think they know and what they actually understand.
From reactive recovery to proactive cyber resilience
This is why resilience must extend beyond traditional reactive recovery approaches. Organisations need to maintain a clear, comprehensive view of their evolving digital and operational landscape in order to protect it.
Round-the-clock monitoring of the full IT environment ensures alerts are acted on before they escalate into operational disruption, while keeping on top of patching and access controls limits exposure and reduces the risk of unauthorised access. It is also important to stay informed about the changing threat landscape.
Encouragingly, many large construction organisations now have formal cybersecurity strategies in place. However, governance often lags behind intent. Only 18% have board-level accountability for cybersecurity, meaning resilience remains siloed within IT rather than embedded across the business. Strong governance and building a culture of cybersecurity awareness are essential to ensure policies actually work within real-world workflows, are enforced and regularly reviewed.
The gap is reflected in day-to-day readiness. Fewer than three in 10 UK businesses provide regular cybersecurity training for employees, despite human error remaining the leading cause of breaches.
Defining clear roles and responsibilities across teams creates accountability for enterprise-wide vigilance, while governance makes sure everyone follows correct procedures when it comes to tools, data storage, protection and collaboration.
True resilience requires pre-empting vulnerabilities across the entire human and technology ecosystem – from unmanaged devices and shadow IT to third-party and supply chain risks. Without this level of insight and robust governance, organisations remain exposed, regardless of how advanced their tools or policies may appear on paper.
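The visibility gap described above (unmanaged devices, shadow IT, patching that has quietly lapsed) is usually closed by reconciling what the asset register says the organisation owns against what the network actually shows. The following Python script is an added example and is not code from the article or from Creative ITC; the asset register, the DHCP lease log lines, the log format and the 30-day patch window are all constructed for illustration.

```python
"""Reconcile an asset register against observed network activity.

Added example with constructed data (not from the original article).
Three findings are produced:
  unknown     - hosts seen on the network but absent from the register
                (candidates for shadow IT / unmanaged devices)
  not_seen    - registered hosts that produced no DHCP activity
                (may be static-IP servers, or assets that have gone)
  stale_patch - registered hosts whose last patch date is older than
                the permitted window
"""
from datetime import date, datetime

# Constructed asset register: what the organisation *thinks* it has.
ASSET_REGISTER = {
    "laptop-0142":   {"owner": "site-mgmt", "last_patched": "2024-05-20"},
    "bim-server-01": {"owner": "design",    "last_patched": "2024-02-01"},
    "fileshare-02":  {"owner": "it",        "last_patched": "2024-05-28"},
}

# Constructed DHCP lease log. Assumed line format (hypothetical):
#   "<date> DHCPACK <ip> <mac> <hostname>"
DHCP_LOG = """\
2024-06-03 DHCPACK 10.20.1.14 aa:bb:cc:00:01:42 laptop-0142
2024-06-03 DHCPACK 10.20.1.20 aa:bb:cc:00:02:01 bim-server-01
2024-06-03 DHCPACK 10.20.1.77 de:ad:be:ef:00:01 drone-tablet
2024-06-03 DHCPACK 10.20.1.78 de:ad:be:ef:00:02 site-cam-3
2024-06-03 DHCPACK 10.20.1.14 aa:bb:cc:00:01:42 laptop-0142
"""


def parse_dhcp(log: str) -> dict:
    """Return {hostname: ip} for every DHCPACK line; duplicates collapse."""
    observed = {}
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[1] != "DHCPACK":
            continue  # ignore malformed lines and non-ACK events
        _, _, ip, _mac, hostname = parts
        observed[hostname] = ip
    return observed


def reconcile(register: dict, observed: dict, today: date,
              max_patch_age_days: int = 30) -> dict:
    """Compare register and observations; return sorted finding lists."""
    unknown = sorted(set(observed) - set(register))
    not_seen = sorted(set(register) - set(observed))
    stale = []
    for host, rec in register.items():
        patched = datetime.strptime(rec["last_patched"], "%Y-%m-%d").date()
        if (today - patched).days > max_patch_age_days:
            stale.append(host)
    return {"unknown": unknown, "not_seen": not_seen,
            "stale_patch": sorted(stale)}


def run_example() -> dict:
    """Run the reconciliation over the constructed data as of 2024-06-03."""
    return reconcile(ASSET_REGISTER, parse_dhcp(DHCP_LOG), date(2024, 6, 3))


if __name__ == "__main__":
    for finding, hosts in run_example().items():
        print(f"{finding:12s} {', '.join(hosts) or '-'}")
```

In practice the register would come from a CMDB or endpoint-management export and the observations from DHCP, switch, VPN or identity-provider logs; the point is that each source alone is incomplete, and only the difference between them exposes the devices nobody is managing.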
Turning resilience into advantage
Organisations that invest in secure, compliant IT foundations are better protected and better positioned to compete. Well-managed, structured data and captured tacit knowledge improve continuity, compliance and innovation. Firms can respond more decisively to threats, demonstrate accountability to regulators and build trust with clients and partners.
Pre-emptive resilience becomes a differentiator, supporting reliable delivery, protecting margins and reinforcing long-term confidence in an increasingly risk-heavy environment.
Flexible service models also play a critical role, supporting firms with limited resources to move from reactive recovery to proactive resilience. Scalable, agile IT approaches allow organisations to adapt to evolving regulatory requirements while maintaining stability, controlling costs and supporting growth.
The construction firms that succeed will be those that understand resilience starts with in-depth knowledge, both of systems and data, and of the real-world human intelligence that gives them meaning. If you don’t truly know what you’ve got, you can’t protect it, you can’t manage it and you certainly can’t leverage it for growth.
The post Business cyber resilience starts with understanding your data appeared first on Planning, Building & Construction Today.