As digital tools become more central to how construction projects are designed, managed, and delivered, the industry is facing new risks that are not visible on a blueprint or measured in concrete. One of the most serious is the rise in cyberattacks. With cloud platforms, connected devices, and shared data now standard, construction projects have become prime targets, and many firms are not ready.

The numbers tell a clear story. In 2024, ransomware attacks on construction firms surged, with hundreds of companies hit by breaches that brought projects to a standstill. Critical files were locked, procurement systems taken over, and entire job sites disrupted, all through the same digital tools meant to improve efficiency. These were not one-off events. They reflect a wider shift that highlights just how exposed construction has become in today’s digital landscape.

Historically, construction has not been viewed as a favourite target for cybercriminals. However, as the industry adopts remote collaboration, BIM (Building Information Modelling), and IoT-enabled equipment, its risk exposure has grown in parallel with its digital footprint. Fast-moving schedules, complex supply chains, and a web of subcontractors make it harder to maintain consistent security. In many cases, all it takes is a misconfigured cloud folder or a default password on a site sensor to open the door to a breach with wide-reaching consequences.

Unlike typical IT breaches, cyberattacks in construction can have direct, physical consequences. If project teams lose access to real-time models or schedules, progress can grind to a halt. When smart systems in buildings or equipment are compromised, safety on-site may be at risk. There have even been cases where hackers accessed smart locks and HVAC systems, showing that digital controls tied to physical infrastructure are vulnerable too. This risk is real, growing, and becoming harder to ignore.

Construction is especially vulnerable because of the speed and complexity of how projects are delivered. Data is shared across a wide network of stakeholders, each with their own systems and security standards. IoT devices are often installed on-site without proper oversight or long-term management. Even the digital platforms used to coordinate work can become weak spots if not properly secured. The result is a fragmented digital environment with uneven defences, exactly the kind of landscape attackers look for.

Even so, this challenge presents an opportunity for construction leaders, particularly those responsible for digital strategy and operational resilience, to lead the way. Cybersecurity should be woven into project delivery from the very beginning, not added later or left solely to the IT team. It deserves the same focus as budgeting, scheduling, and safety planning. For CIOs and senior executives overseeing large capital projects, this means factoring cyber risk into early planning, setting clear expectations for vendor compliance, and ensuring digital platforms are managed properly throughout the project. 

The degree of risk associated with the use of AI in construction is worth noting. Breaches of AI models that rely on sensitive data pose risks to both safety and competitive advantage if designs or blueprint information are leaked. Additionally, as modern construction sites become increasingly reliant on IoT devices, which have inherently low security, the cybersecurity risks around these devices are becoming more prevalent. Breaches of sensors, management systems or wearable tech, to name a few, could lead to physical safety issues, supply chain exposures or even data integrity issues. From a regulatory perspective, mismanagement or breach of privacy-related data collected through AI-based surveillance, biometric time tracking or any other worker monitoring systems could lead to fines and a loss of worker trust. The cybersecurity risks associated with AI cover a breadth of areas and have consequences from a business, safety and human standpoint.

Many leading firms are already taking steps in the right direction. They are setting access controls based on project roles instead of granting broad permissions. They are auditing BIM platforms and cloud systems to ensure secure configuration. Two-factor authentication is being introduced as standard practice, and vendors are expected to meet cybersecurity requirements before accessing shared tools. Just as importantly, teams across the project, from site supervisors to commercial managers, are being trained to spot phishing attempts, confirm communications, and understand what to do in the event of a breach.

The cost of a cyberattack on a live construction project extends far beyond ransom payments. Delays, reputational damage, contract disputes, and lost client confidence can all stem from a single vulnerability. By contrast, a proactive approach strengthens delivery, builds trust, and protects the integrity of increasingly digital project ecosystems.

Construction is undergoing a digital transformation. That progress should not be undermined by preventable risks. Cybersecurity must now be considered fundamental to how buildings are delivered, from early-stage procurement through to final commissioning. The firms that take this seriously and treat digital resilience as a core pillar of project success will lead the industry in setting a new standard for delivery in the connected era.

Nate Larmore and Joe Léger are, respectively, senior director for technology solutions and director of technology solutions at MGAC.
