The construction sector plays a fundamental role in shaping progress and economic growth. As with many industries, the adoption of new technologies can dramatically improve efficiency and productivity. And while embracing innovation is key, it’s also important to understand the potential risks that come with these advances. The construction industry is one of the most targeted by cyber threat actors, and malicious actors exploit organizations in a number of ways.
Cyber threat landscape
Emergence of Artificial Intelligence
Artificial intelligence (AI) is being applied in many facets of the construction industry to improve productivity and efficiency through automation. However, as these applications become more widely adopted, threat actors see an opportunity to manipulate existing AI applications in enterprises or to conduct attacks with greater speed, fewer errors, and more accuracy.
In construction, this can leave organizations vulnerable, as there isn’t always someone monitoring the activities of these applications. Working with a security operations team that monitors network activity 24 hours a day can reduce the impact of these threats.
Impacts of cyber attacks
Operational disturbance
For construction companies, project deadlines are everything. From meeting contractual obligations to reducing time on site to reducing safety risks, there are many benefits to being on time and completing projects in an orderly manner. A cyber attack can derail progress by halting operations.
Data loss and intellectual property theft
Because of the communication required on projects between owners, designers, general contractors and other parties, the exchange of data is almost constant. Business email compromise has become a prevalent area of vulnerability because threat actors can manipulate user accounts and quickly divert legitimate emails in the middle of a conversation, when project participants are trying to work fast. Business email compromise and ransomware can also lead to misdirected bank transfers and to the interception of data, contracts and intellectual property, resulting in operational downtime and financial and reputational consequences.
In many cases, organizations must disclose data breaches after they have occurred, which can lead to a loss of customer trust and diminish or destroy your brand image, ultimately sinking your business’s reputation.
The Data
In September 2025, a resurgence of ransomware activity resulted in 562 publicly reported attacks, with construction and engineering the most affected sector, accounting for 11.4% of victims. [1]
In April 2024, a general contracting company suffered a ransomware attack that affected the personal data of over 1,000 employees. In this case, they hired an incident response company to help them recover. Because their backups were well established, they were able to recover all their data without paying the threat actor. Unfortunately, the data was already accessed, which required some individual cleanup for the affected employees. [2]
93% of attacks in 2024 started via a phishing campaign. [3]
The importance of security awareness training cannot be overstated.

The cost of a breach
One of the main hurdles for organizations considering cybersecurity investment is determining where to start and which interventions will be most effective.
According to IBM’s Cost of a Data Breach 2025 report, these are some of the key factors that changed the cost of a breach the most, both positively and negatively, when they were in place at the time of the breach:
- $212,061 Security Analytics or SIEM (Security Information and Event Management): A SIEM system correlates all the data in your digital environment in one place. The ability to always see what’s happening around you is crucial to reducing the impact of a breach.
- $193,242 Proactive threat hunting: Finding anomalies in your environment before they become a breach or cause damage is a clear way to keep reducing breach costs.
- $168,361 Endpoint detection and response tools: Deploying response agents on all devices is an important step in preventing malware from being installed in your environment.
- $128,087 Managed Security Service Provider (MSSP): An MSSP provides the human element of managed security to respond to threats. Using different sets of technology tools, an MSSP’s analysts or engineers provide watchful eyes on threats, help communicate complex threats, and can help remediate active threats.
- $131,212 Remote workforce: During the era of COVID-19, many employers allowed employees to work remotely, which can open loopholes for threat actors to exploit. In construction, working and connecting to networks remotely is essential to operations, so it’s imperative to make sure you’ve properly configured and secured those connections.
- $175,010 IoT and OT Environment Affected: There can be hundreds of sensors, cameras, devices and types of machinery on a construction site, so this impact can be even greater in this industry than in others.
- $200,321 Shadow AI: Shadow AI is the use of AI tools that are unapproved, ungoverned, or misused. Many AI agents are free and easily accessible, which makes it easy to share sensitive information with them, have them scan documents, or receive inaccurate information from them. Because of this, threat actors can exploit the tools if they are used outside of approved parameters.
- $227,244 Supply chain breach: In this industry, supply chains are an integral part of the operation. When an attack originates within an organization in the supply chain, it can cause very negative downstream effects that affect the efficiency of a project, required materials, or end customers.
What can you do
Building a cyber-resilient construction company takes time, planning, and buy-in from everyone in your organization. Culturally, setting the tone for a cyber-aware employee base is imperative to combating cyber risk. You are only as strong as your weakest link. Fortunately, there are many different ways to defend your organization against persistent threats.
At SpearTip, we take our continuous learning from 24/7 threat analysis and apply it to the protection we offer our customers, whether that means assessing your current posture and preparing for a breach, continuously monitoring your endpoints or user behaviors for malicious activity with our 24/7 security operations center, or deploying our incident response team to help during or after a breach.
Sources:
1. https://industrialcyber.co/ransomware/global-cyber-attacks-decline-but-ransomware-jumps-46-as-genai-threats-hit-education-telecom-government/
2. https://www.constructiondive.com/news/skender-ransomware-attack-chicago-maine/712844/
3. https://www.verizon.com/business/resources/reports/dbir./
