How Building Owners Can Guard Against Growing Cyber Risks

3/21/2025

For years, the construction industry has been viewed as something of a dinosaur when it comes to leveraging technology. 

While others used emerging technological capabilities to transform, construction didn’t. It has paid the price in flagging productivity growth (floundering at 1 percent versus other sectors’ growth rate of 2.8 percent over 20 years), and dampened profitability and safety effectiveness. 

That’s been changing fast in recent years. Reliance on technology, data and digital assets is growing fast. Now, the construction industry is experiencing the same pressures that others like finance and healthcare have been grappling with for years: It’s a bigger and more attractive target for cybercriminals. Management must ensure protections are in place. 

In fact, a 2023 Deloitte survey found top-of-mind concerns for senior-level construction managers were cyber risk and data security. Here’s how they should approach an effective risk mitigation strategy. 

Construction’s cyber-vulnerabilities 

Three-quarters of construction firms aren’t ready for a cyber-attack. They have no response plan in place. And they are more at risk than ever: construction/real estate was the most breached sector in the U.S. by bad actors in 2023 who compromised over 1.5 billion records. 

The vulnerability stems not just from increased technology use. The industry is an increasingly complex collaborating network of firms, material suppliers and contractors, with each third-party connection tying into different technologies. It creates integration challenges and more cyber exposures – making it critical to your partners’ vulnerabilities and security measures. 

And finally, construction is a prime target for firms’ storage of massive amounts of sensitive data, from employee social security and health information to proprietary plans, intellectual property and financials/bank accounts. All are lucrative targets for cybercriminals. 

Most common cyber risks 

Cybercriminals are resourceful, always devising new ways to breach a target’s defenses. Three of the construction industry’s most common cyber threats, though, are: 

• Ransomware. Bad actors trick their way into an operating system with phishing emails that seem to be from authentic senders but contain links that, once clicked on, introduce malware into the system. This allows criminals to either steal data directly or encrypt it so that the company can’t access it without paying a ransom. This poses a direct liability to the construction firm, but also to its vendors and clients, and can disrupt work schedules and project deadlines – none of which come without a cost. 
• Data theft. However the data is hacked and used, its theft is a big issue. Beyond ransomware, there’s a big criminal market for sensitive personal data. Medical records are the big prize, selling for $60 on the dark web, while social security numbers go for $15 and credit cards, $3. But other data handled by construction firms is also valued by bad actors, like designs, patents and bid documents. A breach can have legal repercussions and cause reputation harm. 
• Fraudulent funds transfers. The more construction firms depend on internet banking and electronic payments, the more vulnerable they are to funds transfer fraud. And there’s very little recourse for retrieving the stolen money once the transfer is completed. Again, by gaining access to email and operating systems, hackers create fictitious email accounts appearing to be in the names of employers or regular business partners. Ploys take various forms, but often involve new wiring or banking instructions to unsuspecting employees in charge of payments. 

Guarding against cybercriminals 

Awareness of the cyber risks, especially as new ploys emerge, is important for everyone on the team. Putting thorough planning and prevention strategies in place, with responsibilities for managing them assigned to a specific team member, will go a long way to minimize risks and establish a culture of security. Here’s how to proceed: 

• Start with a comprehensive risk assessment to identify and prioritize the company’s specific vulnerabilities and identify best safeguards. 
• Train everyone, given the number of cyber scams that come through unaware employees. Include specifics on protocols for handling confidential information and how to identify cyberthreats. Establish a multi-step process, with training, for confirming changes to vendor and/or client bank routing, as well as a process for reporting questionable cyber activity. 
• Practice good cyber hygiene, starting with multi-factor authentication. This is essential for remote access to emails and the network, along with privileged, system-wide administrator accounts and accessing system backups. Also emphasize strong passwords, regular software updates and firewalls. 
• Be ready for outside exposures as breaches can often stem from lax cybersecurity by third party partners. Use contracts to limit your liability and mandate good security controls.  
• An incident response plan is critical for mobilizing swiftly in the event of a cyber intrusion. This includes lining up experts, from IT forensic professionals to insurance carriers and breach counsel or privacy attorneys. 
• Make sure your cyber insurance policy has the right coverages and limits for your business and industry. This takes an insurance broker well-versed in the construction industry and cyber risks. A cyber policy designed for a hospitality firm won’t serve a contractor’s interests. 

Brian J. Schnese is a Senior Risk Consultant with HUB International’s Risk Services Division and a member of the Division’s Organizational Resilience consulting team. Brian has over 15 years of professional experience in regulatory compliance and managing risk in state and federal government agencies, and in private industry operations including brick and mortar and online retail, supply chain, transportation, healthcare, and the financial industry.