Construction Cybersecurity: Protecting Projects and People
Last Updated Nov 13, 2024
From the streamlined workflows of project management software to the futuristic promises of robotics, tech is introducing opportunities that were previously unimaginable in the construction industry. But all that potential comes with new risks.
The need for comprehensive cybersecurity in construction is more pressing than ever, as the industry increasingly adopts and relies on digital tools. Too often, cybersecurity is treated like an afterthought, something that is done in response to an incident. In reality, realizing the potential of new tools is dependent on having cybersecurity measures that protect their data, the projects on which they’re used and, most importantly, the people impacted by their use.
This article explores cybersecurity in construction, including the need for specialization, common threats and best practices.
The Importance of Cybersecurity in Construction
Part of the challenge of cybersecurity is the continuously evolving nature of cyber threats. Attackers and criminals are constantly searching for new ways to challenge or threaten systems.
Several factors make the construction industry particularly vulnerable to cyber threats:
Increased Digitalization
The industry is moving online — and quickly. Not only does this create more potential targets, it means many people are in the early stages of tech adoption and haven’t thoroughly considered how to protect themselves or their assets and tools.
Numerous Stakeholders
The industry is made up of many stakeholders, including contractors, subcontractors, owners and government partners. Each stakeholder in a project can introduce a potential security weakness. The exchange and sharing of information between parties only increases those risks.
The Presence of Outdated Systems
Legacy systems and tools are still commonly used alongside new technologies. These older tools often aren’t equipped to handle modern threats or to securely work with newer systems.
High-value Projects and Data
Construction projects usually require significant financial transactions and the exchange of sensitive and valuable data. This makes companies and contractors potentially alluring targets.
Critical Infrastructure Projects
Construction companies often work on essential systems, such as water treatment plants or power plants. Cybercriminals sometimes target infrastructure because of its potential for large-scale disruption.
Common Threats and Vulnerabilities
Construction companies should be aware of the most common cyber threats.
Threat | Definition | Example in construction |
---|---|---|
Ransomware | Malicious software that captures a victim’s data and demands payment for its release | A construction firm’s project files are captured from either a hard drive or a cloud-based solution. The files are encrypted so the company is unable to access them. This halts all progress on the project until a ransom is paid to regain access. |
Phishing scams | A bot or cybercriminal pretends to be a trustworthy source in order to obtain sensitive information from a company | An employee receives an email that looks like it’s from a trusted vendor. They engage and input confidential login details that are used to obtain sensitive information about the company and its clients. |
Data breaches | Unauthorized access and gathering of data | Hackers gain access to a construction company’s database. They steal the personal and financial information of clients and employees. |
Man-in-the-middle attacks | An attacker secretly intercepts and possibly alters communication between two parties | An outside entity intercepts financial transactions between a construction company and a supplier. The payment is redirected to an account controlled by the attacker. |
Supply chain attacks | Attacking a less secure partner or element of the supply chain to gain access to a larger target that is otherwise better secured | A hacker targets a small subcontractor with low-security measures. The hacker gains access to the sub’s systems, including its project management system. Because the sub regularly works with the federal government, the attacker uses the project management system to gain information and access to an infrastructure project. |
Common Misunderstandings
Misconceptions about cybersecurity are common in every industry, and they can lead to extreme vulnerabilities. Here are a few common ones, compared with their respective reality:
Common misunderstanding | Reality |
---|---|
“Security through obscurity”: Small contractors might believe they are less likely to be targeted because of their size or lack of prominence. | There is zero obscurity on the internet. Every company or individual has sensitive information and an IP address, and is therefore vulnerable. Some hackers might even target smaller firms in hopes they have more lax security measures. |
“DIY security is sufficient”: The belief that relying on team members who understand tech but don’t necessarily have expertise in cybersecurity is enough. | The ever-evolving and complex nature of cyber threats can rarely be anticipated or handled by someone without expertise or up-to-date resources. Working with external experts or paying for comprehensive security solutions is more likely to ensure effective protection. |
“IT can run security alone”: The belief that cybersecurity is solely the responsibility of the tech team. | Cybersecurity should be a shared responsibility across an organization and involve input from various departments, including leadership, finance, sales and legal. The consequences of a cyber attack would impact more than just IT, so security should involve participation and understanding from many different departments. |
Best Practices for Cybersecurity in Construction
Threats are ever-evolving and security can look slightly different based on a company's needs and specialization. However, there are a few best practices that almost always increase the effectiveness of cybersecurity.
Invest in expertise.
Engaging with external consultants or investing in specialized security packages helps to make sure the latest information and resources inform security measures. For some larger companies, this might involve creating a specialized cybersecurity team.
Some construction companies treat IT as a sort of auxiliary function, often entrusting important security tasks to team members without specialized training. Working with professionals who live and breathe technology and security is the most effective way to identify weaknesses and find up-to-date solutions.
Implement multi-factor authentication.
Multi-factor authentication is a quick and highly effective way to add an extra layer of security to all systems. This also helps reduce the risk posed by individuals who might not be as careful or have as much understanding of risk.
Create a culture of security.
The effectiveness of cybersecurity often depends on a shared prioritization that permeates a whole organization. This isn’t to say that all team members need to become security specialists. People simply need to understand the risks, the purpose of new measures and how they contribute to or detract from overall security. Creating this culture often requires training employees on security awareness so they understand common threats, especially phishing scams to which they might be exposed.
Conduct regular security audits.
Much like project teams conduct routine safety inspections on a job site, cybersecurity audits should be done regularly to identify potential vulnerabilities and measure the effectiveness of security measures. External consultants can often do audits more effectively than internal team members, because they are able to see systems more objectively and with an outsider’s perspective.
Security Incident Response Plans
Security incidents happen, but you never want to find yourself saying, “What do I do now?” Incident response plans should be established as part of tech adoption, and should include procedures and systems for responding to, containing, recovering from and communicating about security incidents. Key components of a plan include:
Preparation and Training
Team members should be familiar with the plan and know how to access it in the case of an incident. Training might include scenario rehearsals, one-pagers or feedback sessions.
Involving Experts
Specialists should be consulted to develop and refine an incident response strategy, including how to contain an attack and how to communicate with clients about an incident.
Coordination with Legal and Insurance
Collaboration with legal advisors and insurance agents helps a company withstand and recover from an attack by ensuring plans comply with rules and regulations and have all the necessary protections for the company and employees.
Communicating About Cybersecurity
One of the great challenges of implementing cybersecurity measures is effectively communicating about them. Too often, people implementing the measures get lost in technical jargon. For an industry that has often been hesitant to adopt new technology, cybersecurity needs to be accessible and understandable.
While many construction professionals aren’t experts in digital threats, they are highly specialized in their area of expertise. That’s a good thing. Effective cybersecurity doesn’t require them to retool, but it does require an understanding of the basics of cybersecurity and how each person contributes to or detracts from organizational security. Conveying those things in terms that are easy to understand and translate is the responsibility of the people pushing and implementing change. Plain language, open communication and creating trust are key parts of all change management — and they're especially important for establishing comprehensive cybersecurity.
Written by
Jeff Sample
Jeff Sample has devoted the past 25+ years to transforming companies. Jeff optimizes companies throughout the construction industry by designing solutions, optimizing strategic advantages, and breaking down information silos. His passion for outdoor adventure and Ironman competitions garnered him the moniker, "The Ironman of IT." As an Industry Evangelist, Jeff promotes collaboration and the transformation of construction to help project teams reach their potential. His depth of IT experience in various industries and his passion for continuous improvement have made Jeff a popular speaker and vocal thought leader in construction, spending much of his time educating on multiple topics to better the industry.
James Hamilton
James Hamilton is a writer based in Brooklyn, New York with experience in television, documentaries, journalism, comedy, and podcasts. His work has been featured on VICE TV and on The Moth. James was a writer and narrator for the show, VICE News Tonight, where he won an Emmy Award and was nominated for a Peabody Award.