The State of Construction Cybersecurity

Shane Redman, Senior Director of Cybersecurity at Procore, opened with numbers to underscore just how pervasive cyber attacks are within the construction sector. Nearly half of construction firms reported experiencing a cyber attack in the past year, with breaches costing an average of $4.2 million and ransomware attacks causing an average of 21 days of downtime (Cybersecurity & Infrastructure Security Agency (CISA), IBM Cost of Data Breach Report 2024). For an industry built on tight schedules and thin margins, these disruptions are devastating.

Why has construction become such an attractive target? It comes down to three factors: valuable data, complex access networks, and time pressure. Construction projects contain highly valuable information, including payment schedules, bids, blueprints, and proprietary methods. They also bring together general contractors, subcontractors, architects, and other vendors in interconnected systems where a single compromised account can provide lateral access across multiple companies. Attackers exploit the deadline-driven nature of construction, knowing that companies under time pressure are more likely to prioritize the issue immediately, or even cooperate with the attacker.

Four Pillars of Cybersecurity Awareness

The National Cybersecurity Alliance's "Secure Our World" 2025 annual campaign states that there are four essential security practices that all businesses should implement.

Strong Passwords and Password Managers: It’s incredibly important for employees to move beyond simple passwords to more complex passphrases that combine uppercase and lowercase letters, numbers, and special characters. 

Tip: Modern password managers can generate and store complex credentials, enabling unique passwords for each account without requiring users to memorize lengthy character combinations.

Multi-Factor Authentication: Account authentication should always consist of multiple layers of verification. Beyond an initial password, authentication methods may include biometric verification through fingerprints or facial recognition, codes sent through SMS or email, or other forms of identification that prevent unauthorized access even if passwords are compromised.

Tip: Always retain a secure copy of your recovery key just in case you lose access to your phone or computer. This will help you get back into your account fast. 

Recognizing and Reporting Phishing: There are three key steps for identifying suspicious communications. 

First, assess whether a message creates urgency or fear or uses language that seems designed to provoke quick, unthinking responses. 

Second, look for red flags like slightly misspelled email addresses or poor grammar. Bad actors often use email addresses that appear legitimate at first glance but contain subtle differences, such as missing letters in domain names. 

Third, if possible, pick up the phone and verify directly with the person that the message claims to be from. Remember, phishing can also come in the form of smishing, which is phishing through a text message.

Tip: If it feels “off,” go with your gut instinct and verify that the person and their request are legitimate.

Software Updates: Security patches often fix vulnerabilities that attackers exploit, and failing to apply updates leaves systems and hardware exposed to known threats.

Tip: Enable automatic updates whenever possible.

Real-World Threats in Action

Redman shared two compelling case studies that brought these concepts to life. In the first scenario, attackers compromised an executive's email account but didn't act immediately. Instead, they spent three weeks quietly observing, studying approval processes and payment cycles before modifying a legitimate invoice with different banking information and sending it from the compromised account using urgent language—an attack that was only prevented when the CFO made a verification phone call.

The second example involved a specialty subcontractor whose Gmail account was compromised. The attacker used the subcontractor's legitimate Procore access across multiple projects to send fake requests for information and submittals containing malware links, exploiting trust relationships between known collaborators. Procore's systems ultimately detected and stopped the attack, but it illustrated how modern threats exploit real workflows and trusted relationships rather than simply trying to breach firewalls.

Vetting Your Vendors

With regard to supply chain security, note that security is only as strong as the weakest link in your vendor network. There are five critical questions to ask when evaluating any technology vendor:

  • How do you enforce the principle of least privilege for your staff?

  • Where is data stored and how is it encrypted?

  • Do you have a documented incident response plan with guaranteed notification windows?

  • Do you require multi-factor authentication for internal admins and maintain regular patching schedules?

  • Can you provide independent proof through certifications like SOC 2 Type 2 or ISO 27001?

Asking these questions helps determine whether the vendor takes security seriously or simply claims that they do.

Building a Security-First Culture

Cybersecurity should be an ongoing cultural commitment at any modern business. Just as job sites require hard hats and personal protective equipment with "see something, say something" accountability, cybersecurity requires each employee to participate as part of the digital defense. Integrate security awareness training into employee onboarding, provide regular reminders about best practices, and ensure that all vendor contracts address security and liability concerns.

The Path Forward

Security is a shared responsibility. While Procore provides a highly secure platform infrastructure, any modern construction organization must maintain excellent cybersecurity hygiene. Below is the checklist Airon covered; it is a great starting point for any organization to customize and use to create alignment and shared responsibility.

The construction industry's digital transformation has brought tremendous efficiency gains, but it has also created new vulnerabilities. With attackers specifically targeting the sector's valuable data, interconnected workflows, and time-sensitive operations, cybersecurity can no longer be treated as merely an IT concern. It must become a core competency for every construction professional, embedded in organizational culture.

To learn more, the recording from this webinar can be found here.
