IT and Cybersecurity Challenges Facing the Construction Industry

  • Industry trends
  • 10/25/2023

Key insights

  • You might be surprised to learn the construction industry is at the highest risk of being targeted by ransomware attacks.
  • Common types of cyberattacks in construction include installing ransomware, data theft, and fraudulent wire transfer.
  • Construction companies should consider training, access restrictions, and data security to reduce the risks of cyberattacks.
  • Risk planning is the first step in risk reduction, and construction companies would be well served by creating a cybersecurity plan.


You might be surprised to learn the construction industry is at the highest risk of being targeted by ransomware attacks.

That’s according to NordLocker, an encryption software firm, which performs an annual study to discover the industries most targeted by ransomware attacks. Construction ranked first in two of the last three years.

Cyber criminals see the construction sector as a potentially weak and easy target. One reason is the industry’s reliance on many computer programs, including computer-aided design (CAD), building information modelling (BIM), and cloud-based tools for collaboration. Another reason is that many construction companies have either a limited cybersecurity plan or none at all, and haven’t adequately trained their employees to identify cyberattacks.

Types of cyberattacks in construction


Ransomware

Ransomware is when attackers encrypt or lock away an organization’s data and demand payment to restore access. After a company has been compromised by ransomware, there aren’t many options available to mitigate the financial loss. While they can pay out what the attacker demands immediately, there is no guarantee the ransomware will be removed.

Fraudulent wire transfers

Social engineering and phishing scams are frequent and effective methods of scamming and hacking. Through impersonation and compromised business emails, attackers will often target a construction company’s online financial transactions. Cyber criminals attempt to impersonate an authority (like a CEO) and speak or write with urgency to appear legitimate so the victim does not second guess the wire transfer.

Data theft

The construction industry faces frequent attacks to steal intellectual property and private data. Cyber criminals commit data theft because Social Security and credit card numbers, as well as personal information of employees, vendors, and customers, are very valuable to other criminals.

The reputational damage that often comes with data breaches further burdens construction companies. Also, any blueprints, designs, methodology, patents, or other proprietary intellectual property is at serious risk if appropriate steps to mitigate cyberattacks are not taken.

6 steps to mitigate cyberattacks

  1. Privileged access management — Regularly monitor and review access rights to information.
  2. Data governance and security — Categorize data based on sensitivity; prioritize protecting the most valuable data.
  3. Frequent secure backups — Backing up information can help reduce the information and systems lost during attacks.
  4. Educate team members — Educate your team so members understand the cyber risks affecting your industry and how to identify and report social engineering attempts.
  5. Establish cybersecurity regulations in contracts — Reduce third-party risks by verifying external partners adhere to an appropriate cybersecurity policy.
  6. Implement an incident response plan — Determine actions to be taken after a potential cyberattack to mitigate losses.

How we can help

Risk planning is the first step in risk reduction. Information security involves protecting your business as comprehensively as possible, from confidentiality to integrity to availability.

CLA’s cybersecurity team has a deep understanding of the threats your company faces and how to help keep your organization safe. Contact us to get started.
