As Published in CIC Construction News – July 2025
By Phillip Ross, CPA, CGMA, Anchin
Partner & Co-Leader, Construction Industry Group
Cyberattacks are no longer rare events or problems exclusive to Fortune 500 tech firms—they’re a growing threat that spans every industry and company size, including construction. As firms increasingly rely on digital platforms, remote jobsite technology, and third-party vendors, their exposure to cyber risks multiplies. Proactive cybersecurity is now essential for minimizing risk, safeguarding sensitive data, and avoiding potentially heavy financial, legal, and reputational consequences.
Despite the growing frequency of breaches, many construction firms still don’t think a breach could happen to them, assuming hackers target only large corporations or data-heavy businesses. In reality, construction companies—especially those handling public contracts or sensitive project data—are often attractive targets. Public-sector work typically involves detailed plans, financials, and infrastructure information, making confidentiality and data protection essential. Many government agencies now require contractors to meet specific cybersecurity standards as a condition of doing business. Firms that cannot demonstrate strong digital safeguards may be deemed noncompliant or ineligible for certain public projects.
Many cyber incidents are not caused by sophisticated hacking, but by simple human error. Employees might click on a phishing email, use weak passwords, fall for social engineering scams, or fail to update their software, exposing critical systems. In today’s remote and hybrid work environments, unsecured home networks and personal devices only increase the risk.
Many construction firms have not developed a culture of cybersecurity awareness. Technology alone cannot protect a business if the people using it are not properly trained. Employee education is one of the most powerful—and cost-effective—ways to prevent a breach. Regular training on phishing awareness, password protocols, device security, and incident reporting can significantly reduce your exposure. Cybersecurity should be treated as a team effort, where every employee understands their role in protecting the business.
The financial toll of a cyberattack can be staggering, with consequences that ripple far beyond IT systems. A single incident can bring operations to a standstill, delaying construction timelines and resulting in substantial revenue loss. In October 2023, a global construction materials supplier experienced a major cyberattack that forced the company to shut down key IT systems. The disruption impacted operations across multiple facilities, underscoring how a single breach can paralyze supply chains and project progress. Beyond lost productivity and revenue, companies in similar situations often face potential legal exposure, regulatory scrutiny, and reputational harm—especially if sensitive data tied to public infrastructure or client contracts is compromised. In some cases, such breaches can even trigger lawsuits from clients or partners affected by the delays or compromised information.
The damage to your reputation can be just as serious. A cyberattack can quickly erode client trust and strain relationships with subcontractors, vendors, and insurers. Public clients may terminate contracts or impose sanctions, and private clients may hesitate to work with a firm that has experienced a data breach. The average cost of a data breach in the United States now exceeds $8 million—a price tag most construction companies cannot afford to ignore. Given the financial and reputational risks, protections like cyber insurance and proactive employer education are not just a safety net – they are smart investments that can help mitigate losses, ensure business continuity, and demonstrate to stakeholders that your company takes cybersecurity seriously.
Strong cybersecurity doesn’t just reduce risk; it can also give your firm a competitive edge. Public and private clients alike are placing increased scrutiny on how contractors manage digital risk. Some government agencies now require adherence to frameworks like NIST (National Institute of Standards and Technology) guidelines or CMMC (Cybersecurity Maturity Model Certification) for contractors working on federal or infrastructure-related projects. Demonstrating compliance with these standards can help your firm qualify for—and win—valuable public contracts.
Beyond regulatory compliance, robust cybersecurity practices signal professionalism, reliability, and preparedness. These qualities are increasingly important in contractor evaluations, particularly for long-term or high-value projects. Firms with strong cybersecurity postures are also more attractive to insurers and investors, who value cyber resilience.
Cybersecurity is no longer optional—it’s a fundamental part of running a modern construction business, especially for firms pursuing public-sector work or managing sensitive client data. The good news is that many attacks are preventable. Building a strong cybersecurity program doesn’t have to be complex, but it does require leadership commitment, investment in systems, and, most critically, a focus on people.
A well-trained workforce, paired with the right technical safeguards, offers your best line of defense. Take action now to strengthen your resilience and position your firm for long-term success in both the private and public sectors.