Construction companies face unique cybersecurity challenges. Between distributed jobsites, mobile workers, large financial transactions, and the rise of connected equipment, construction is increasingly targeted by cybercriminals—especially for wire fraud and ransomware.
- $550K: avg. BEC/wire fraud loss in construction
- 300%: increase in attacks on construction 2023-25
- #5: most targeted industry for ransomware
Wire Fraud Prevention (Critical)
Construction companies regularly make large payments to subcontractors and suppliers—making them prime targets for Business Email Compromise (BEC) fraud.
Payment Verification Procedures
- Verbal verification required for all payment method changes
- Call back using the phone number on file, NOT the number in the email
- Dual authorization for payments over $10,000
- Subcontractor/vendor banking info verified at onboarding
- Finance team trained specifically on BEC tactics
- External email warning banners enabled
Common Scam: Attackers compromise a subcontractor's email, then send a "routine" request to update banking information. Always call to verify—using a known phone number, not one provided in the email.
Field & Jobsite Security
Mobile Device Management
- MDM deployed on all field devices (phones, tablets)
- Remote wipe capability for lost/stolen devices
- Company data separated from personal on devices
- Project files accessible only through secure apps
- Offline access with encryption for remote sites
Jobsite Trailer & Equipment
- Trailer WiFi secured with strong passwords (no defaults)
- Jobsite network separate from main office
- VPN for accessing company systems from field
- GPS/telematics systems secured
- Connected equipment (cranes, excavators) on segmented network
Office & Core Systems
Construction Software Protection
- MFA on project management software (Procore, etc.)
- MFA on accounting/ERP system
- MFA on estimating and bidding platforms
- User access removed when employees leave projects
- Bid documents protected (competitive info)
Standard Security Controls
- Multi-factor authentication on all accounts
- EDR/advanced endpoint protection
- Email threat protection enabled
- Automatic software updates
- Security awareness training for all staff
Backup & Disaster Recovery
- Project files backed up (drawings, specs, contracts)
- Accounting/ERP data backed up with tested restores
- Estimating database protected
- Immutable backup copy (ransomware protection)
- Recovery procedures documented
- Business continuity plan for IT outages
Subcontractor & Vendor Security
- Subcontractor security assessed for large projects
- Shared project systems access controlled
- Vendor portal access reviewed regularly
- General contractor security requirements reviewed
Bonding Note: Some surety companies now ask about cybersecurity practices. Documented controls may improve your bonding capacity.