Cybersecurity a growing focus as construction industry digitizes

The construction industry is in the midst of a broad-based increase in its use of digital technology — a necessary step to meet ambitious growth projections. As construction firms reap the benefits of modernizing their operations and processes, they should consider the need to enhance their focus on cybersecurity and cyber resilience.

Construction firms embrace new technology

Marsh’s Global construction risk review highlights the extent to which construction firms are currently using new technologies (see Figure 1). Based on a survey of major contractors, the report reveals that a wide variety of technologies are being employed, with contractors planning future investments in construction technology.

While new technologies present many opportunities for construction companies — including improvements in management, enhanced information flow, increased speed and accuracy, greater accountability, cost savings, and reduced risk — they can also elevate cyber risk.

For example, threat actors are probing new technologies and adapting their attack methods. And not all cyber incidents arise externally. Employees, especially those lacking adequate cyber awareness training, can make errors that lead to data breaches and other security incidents. 

Cyber trends: Construction companies see rise in cyber incidents

As technology use escalates, a significant portion of our survey respondents reported an increase in the frequency of cyber incidents over the past year (see Figure 2). More than one-third of construction companies said they have seen increases in phishing attacks, data breaches, and ransomware incidents. 

Christopher Demas, Technical Solutions and Innovation Leader at Marsh Construction, said: “The results of this survey broadly align with what we have been hearing from our clients, with no slowdown of technological adoption in sight.

“As technology continues to build out efficiencies, the demand for implementation and use will certainly continue to grow, as will the need to share information outside of organizations. Whenever information sharing is requested, or even required, the risk for cyber infiltration expands and companies must ensure they have resiliency in order to respond to increased risk.

“Additionally, with the continuous expansion of program capabilities, partnerships, and M&A within the software space, clients must expect and plan for fluctuations in their risk profile as their providers change with the market and data may be exposed more broadly than initially expected.”

Cyber Risks

Phishing

The rise in phishing comes as generative AI and deepfakes are leading to ever more sophisticated attacks. This highlights the need for companies to train employees across a variety of cybersecurity areas, such as recognizing social engineering fraud. Employees are a key line of defence against social engineering and should be trained to recognize phishing emails and other threats. At the same time, the organization should be deploying effective cybersecurity controls to prevent suspicious emails from reaching inboxes.

Data breaches and privacy risks

As companies increase their use of technology to generate, collect, and analyze real-time insights, they face increased risks related to the proper collection, use, and dissemination of the underlying data. It’s important to put in place a privacy strategy that ensures proper handling of data — including compliance with existing, changing, or emerging regulations — and protects both the company’s and its clients’ information.

Historically, privacy risks were tied exclusively to data breaches or specific security incidents. Now, though, privacy risk includes the unauthorized or wrongful collection, use, disclosure, or destruction of confidential information that may threaten an individual’s or an organization’s privacy. And this can happen without a data breach; for example, if an organization mishandles the data collection process. Losses can then build, including from regulatory and legal issues.

Ransomware

Over the past several years, ransomware has generated much of the publicity and media coverage around cyber incidents, in part due to the potentially high cost of a successful attack. As with all aspects of cyber risk, it’s important to keep in mind that the ransomware landscape continues to evolve. Recently, Marsh cyber specialists have seen ransom payment rates decline, on average, although some attackers have increased the frequency of attacks, others increased the severity, and some have done both. There is some indication that the decline in payments may be due in part to companies implementing stronger cyber controls, leading more companies to not pay ransoms.

Companies are also learning that, in many cases, the ransom payment does not lead to effective data decryption — or deletion — and may have little or no material reduction in overall impact. Strong overall cybersecurity controls remain a key to managing ransomware risk.

Supply chain risk

In this age of pervasive interconnectivity, it’s not enough to ensure that your own cyber risk controls are up to speed. As in other industries, supply chain and third-party relationships are among the areas to which construction firms should be paying significant attention.

Three-quarters of our construction survey respondents said that supply chain constraints led to some level of project delay in 2024. As managing supply chain disruption becomes more challenging, companies should be conducting thorough risk assessments of their suppliers and subcontractors — including evaluating their cyber hygiene.

Digital supply chain resilience is built on understanding the entire risk ecosystem. This means identifying and assessing potential risks from all sources, including third-party technology service providers, software, hardware, platforms, data stores, and business partners such as customers and suppliers.

Protecting progress

As construction companies increasingly digitize operations, exposure to cyber risk will increase. Construction organizations must manage cyber risk through a combined approach that integrates insurance and cybersecurity solutions, involving business, security, operational, and risk experts.

By adopting risk management strategies that include a comprehensive risk management program and cyber insurance, as well as maintaining a strong cybersecurity posture, construction companies can minimize the risk of cyber incidents and safeguard their sensitive data, operations, and reputation. Regularly reviewing and updating cybersecurity measures is crucial to adapt to evolving threats and technologies.