On-Site Magazine

Risk: Cyber attacks

By David Bowcott

Construction Risk Management

Navigating a growing threat to the construction industry.


There is absolutely no doubt that the digitally aware, and sometimes predictive, jobsite is allowing contractors to make better decisions faster, but when the jobsite is shipping data to the cloud and throughout the corporate structures of all construction stakeholders, the chance of cyber-attack cannot help but rise. As the construction sector continues to connect and integrate the component parts of the built environment digital twin, it is also increasing its exposure to digital vulnerabilities, or cyber threats.

These unwanted intrusions can take many forms. Some of the more common attacks in the construction sector include malware attacks, phishing, password attacks, man-in-the-middle, distributed denial-of-service, and exploitation of IoT component vulnerabilities.

A malware attack happens when someone implants malicious software viruses into the target company’s IT systems. Ransomware is, by far, one of the most common malware attacks facing the construction sector today.

Attempts to discover and use a victim’s password have existed almost as long as passwords have been around, but the technology and techniques used to crack the victim’s passwords have evolved. Once a password is cracked, the hacker gains access to formerly secure systems and data. Phishing attacks are a social engineering variant whereby the attacker impersonates somebody the victim trusts to gain access to funds or the victim’s technology systems. In a “man in the middle” attack, the attacker comes between two parties communicating in an attempt to steal and manipulate data.


Sometimes an attack is looking to disrupt a company’s operations, rather than gain access to data. Distributed denial-of-service attacks involve an attacker overwhelming the victim’s servers or networks with traffic to cause a computer system to crash.

With more and more devices having access to connected critical systems, Internet of Things (IoT) attacks are becoming more of a threat. An attacker who cracks a weakness in the security of a connected device may be able to take control of parts of the built environment, either during construction or in operations.

As more data emerges about cyber-attacks, we are learning that the construction sector is much more vulnerable to cyber-attack than other industries. In 2021, cloud content security and governance platform Egnyte published a report called The State of Ransomware Report for Architecture, Engineering and Construction. Among the highlights from that report were that AEC companies were more than twice as likely to fall victim to a ransomware attack.

The report’s researchers found that a vast majority of reported attacks happen in North America, large companies are most at risk, and companies that have been victims of a ransomware attack once are likely to get hit again.

Based on the growth of digital solutions within the construction sector and the apparent increased risk to the construction sector specifically, it appears that construction stakeholders need to up their game when it comes to cyber security best practices.



To help your firm better navigate the growing threat of cyber-attack:

  • Appoint a Cyber Security Leader: Have somebody within your organization take on full- or part-time responsibility for tracking and managing cyber security.
  • Retain Cyber Security and Legal Experts: Don’t wait for a threat to occur. Get experts into your organization and have them identify the threats most likely to occur, given your organization’s operations, people and technology systems.
  • Know Your Data: Know the “what and where” when it comes to your data. What data do you have within your organization, and which is most vulnerable? Where is that data located, and how could it be put at risk?
  • Train Employees: Cyber attacks are often facilitated by employees. It is imperative that your organization trains employees to recognize, avoid and mitigate cyber threats. A key part of training is performing tests and “fire drills” with employees to see if the training is working, and if the response to an event is optimal.
  • Know Technology: Stay current on the technologies being used within your organization, and at your jobsites, in particular. Ensure you are assessing those technologies for vulnerabilities they may be creating.
  • Protect Money Movement: Ensure that all transfers of funds are highly secure. Many cyber threats target these funds. Weak fund-transfer protocols and practices increase vulnerabilities.
  • Use Virtual Private Networks: Use more than encryption and get everyone working on a VPN.
  • Use Risk Finance (Insurance): Though the market for cyber insurance is growing tighter with each passing year, invest time with your risk advisor/broker to find the ideal way to risk finance this growing risk.


There are many benefits to harnessing the power of digital in the construction space, so long as we don’t let the threats slow this very positive transformation. If you pay attention to the risks, you can ensure your organization reaps maximum benefit, and reduced risk, on your path to a fruitful digital future.


David Bowcott is the Managing Director, Construction, at NFP Corp. Please send comments to editor@on-sitemag.com.

