Construction Security Demands Operational Discipline

Key quote:

Commercial, industrial, and large-scale residential construction sectors in regions relying on imported digital security systems such as North America, Europe, and Asia-Pacific are most impacted. However, tariffs are promoting domestic cybersecurity hardware production, driving innovation in locally developed security tools, and strengthening regional resilience across construction cybersecurity supply chains.

Why it matters:

I caught up with a friend in the construction industry over the weekend, and then spent a few minutes researching the latest related cybersecurity and business issues, because what else do you do at the lake? What I found didn’t surprise me. Threat actors continue to target construction because entry costs stay low and construction companies have money. Verizon’s Data Breach Investigations Report validated this with 843 incidents recorded, 95% of which stem from system intrusions, social engineering, or basic web attacks. And 525 of those breaches hit small firms with fewer than 1,000 employees, meaning smaller construction firms and their subcontractors face the same business problems as multinationals, in spite of having far less protection. Again, this speaks to the cost of entry for threat actors – why go after a difficult industry (finance, insurance, etc.) when construction’s easier to breach?

The FBI’s IC3 2025 Annual Report showed Business Email Compromise (BEC) generated over $3 billion in global losses alongside 24,768 complaints in construction. For contractors, this means wired funds sent to criminals instead of vendors. The natural consequences extend beyond stolen cash to liquidated damages, penalties for missed milestones, and reputational damage that blocks future bids. Research and Markets projects the construction cybersecurity market will increase from $7.07 billion in 2025 to $8.58 billion in 2026, a 21.3% compound annual growth rate that looks strong but ignores parts of reality. Most executives continue to misunderstand the business value of cybersecurity tools, while process gaps (often easier and cheaper to fix) go without investment. Spending more money on tools alone doesn’t reduce business risk.

In construction, security is part of business continuity planning. If a ransomware attack encrypts the files used for estimates, it stops bidding, and if the building plans are encrypted, it stops building (which is the main thing construction companies do). General contractors now hold their subs accountable, which isn’t great in an industry where firms spend 1% of revenue on IT versus the 3-5% average across industries. Compliance pressure helps only when technical risks map to business outcomes rather than just checking boxes, and there’s not a lot of compliance pressure in construction (CMMC is an exception, but it only affects part of the industry). Purchasing better AI-powered firewalls doesn’t do much if a controller wires funds to bad accounts, so simple controls like out-of-band verification can work better than fancy detection tools.

Construction companies need to consider a blended approach. Technical controls (firewalls, email detection, MFA, etc.) should handle the ‘easy’ technical problems and serve as evidence for reduced cyber insurance premiums. But those need to be coupled with process controls and people controls so that a single email can’t redirect a multi-million dollar payment. And cybersecurity vendors hoping to get a piece of that 21.3% CAGR need to realize that executives at construction companies really don’t care about the latest shiny widget on your vendor comparison checklist, but they do care about lower insurance premiums and a decreased risk of monetary loss from project delays or straight-up theft.
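To make the process-control point concrete, here is a small payment-release gate written for this post (it is an added example, not the author’s code or any vendor’s product). It models the two controls discussed above: a bank-account change on a vendor payment must be confirmed by calling the number already in the vendor master record (never the number supplied in the request), and payments over an assumed $50,000 threshold need two approvers. The vendor, account and phone values are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Optional

DUAL_APPROVAL_THRESHOLD = 50_000  # assumed policy value, not from the post


@dataclass
class VendorRecord:
    """Trusted vendor master data captured at onboarding, not from e-mail."""
    name: str
    account: str         # bank account on file
    callback_phone: str  # number AP must call to confirm any banking change


@dataclass
class PaymentRequest:
    vendor: str
    amount: float
    account: str                          # account the payer was told to use
    verified_via: Optional[str] = None    # number the AP clerk actually called
    approvers: set = field(default_factory=set)


def release_decision(req: PaymentRequest, master: dict) -> tuple:
    """Return (release?, reason). Every refusal names the failed control."""
    rec = master.get(req.vendor)
    if rec is None:
        return (False, "unknown vendor")
    if req.account != rec.account:
        # Banking details differ from the master record: a BEC hallmark.
        # Only a call-back to the phone number on file counts as verification;
        # a number taken from the same e-mail that changed the account does not.
        if req.verified_via != rec.callback_phone:
            return (False, "bank detail change not verified out-of-band")
    if req.amount >= DUAL_APPROVAL_THRESHOLD and len(req.approvers) < 2:
        return (False, "dual approval required")
    return (True, "release")


# Constructed sample data
VENDOR_MASTER = {"Acme Steel": VendorRecord("Acme Steel", "ACCT-1111", "555-0100")}
# "Updated" account from an e-mail; clerk called the number in that e-mail
BEC_REQUEST = PaymentRequest("Acme Steel", 1_200_000.0, "ACCT-9999",
                             verified_via="555-0199", approvers={"cfo", "pm"})
# Same change, but confirmed by calling the number on file
LEGIT_REQUEST = PaymentRequest("Acme Steel", 1_200_000.0, "ACCT-9999",
                               verified_via="555-0100", approvers={"cfo", "pm"})
```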
