Cybersecurity for Contractors: 6 Ways Your Company Is Opening Doors for Hackers

Updated Jul 15, 2022

To the average construction company owner, cybersecurity may seem like a problem that only big corporations like Caterpillar, Microsoft or Amazon need to worry about. In fact, those companies spend heavily on defenses and are hard to break into, so today’s cybercriminals increasingly target smaller, less protected enterprises, and construction companies are among their favorites.

According to a study conducted by, construction was the third most commonly targeted industry, accounting for more than 13 percent of the total. And according to the website, in 2020-2021 nearly one out of every six construction firms reported a ransomware attack.

“Construction companies are one of the top targets for cybercriminals and the United States is the number one target on the planet,” says Nick Espinosa, chief security fanatic at the cybersecurity firm Security Fanatics. “In the last few years, the construction industry has woken up to the fact that its members need cybersecurity advice. There's a recognition now in a way that there hasn't been,” he says.

Why Construction?

“Construction companies are getting hacked way more often than you’re hearing about,” says Russ Young, chief business development officer at software company Tenna. The reasons are numerous, and well known to cyber-criminals. For instance:

  1. Construction companies often have inadequate firewalls and other defenses against cyber-attacks. The antivirus software bundled with consumer-grade computers is not enough to stop a determined attacker.
  2. Modern construction requires the use of multiple digital systems, software and communications devices spread across numerous jobsites and offices. Young characterizes this situation using an analogy of a house with one exterior door and a house with a dozen doors. Which house is more vulnerable to burglary? Company executives and even IT staff may not know about all the devices used by the crews, or have them authorized, tested and integrated under one security umbrella. Once a cyber-criminal gains access through one of these dozen doors, they may have the run of the house.
  3. Construction company executives often think their data is not that important or worth a lot of money. “But it is valuable to you,” says Young. If suddenly all of the data is gone, how much are you willing to pay to get it back? Probably a lot.
  4. Remote work. Supervisors, estimators and other managers often take their laptops home at night or on the road for tradeshows, conferences and remote jobs. The Covid-related work-from-home trend has only made this worse. Motel or conference wifi, different cellular providers, or just your kids playing on your laptop at home are all security risks.
  5. The same goes for subcontractors and vendors. If they have access to your systems, their accounts and networks become a back door that hackers can exploit to reach you.
  6. Old computers, operating systems and antivirus products are also a threat. Eventually Microsoft and Apple stop issuing security patches for older operating systems, and cyber-criminals continuously scan the internet for machines that still run them. Expose one of these old computers to the internet and automated scanning will find it quickly, often on behalf of several unrelated attackers.

What Happens in a Cyber Attack

Cyber-criminals who target construction companies can damage your business in one of three ways, says Espinosa.

Ransom. Criminals break into your systems and encrypt or steal the data you need to operate, then demand a ransom. As every contractor knows, even a day or two of work stoppage is terribly expensive. Cybersecurity consultants can sometimes negotiate the ransom down, but unless you are well prepared, with tested backups kept where the attacker cannot reach them, you are still going to pay something. “Understand that the horse has left the barn at that point,” says Espinosa.

Fraudulent wire transfers. Once a hacker has a foothold in your email or other systems, they set up a domain and email account that look almost identical to a vendor’s. From that look-alike account they might then send your CFO a message saying the vendor is now using a new bank routing number and asking that all future payments be processed through it.

Now, instead of going to your vendors, payments flow into an account the attacker controls. Because the hackers can read your company’s email, they may mirror the tone and relationship details your legitimate vendors share with your CFO or other executives, including asking about the spouse and kids or how the weekend went. These scams often go undetected for weeks, or even months, until the real vendor asks why its payments are late.
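The look-alike domain and changed-bank-details pattern described above can be caught mechanically before a payment goes out. The Python script below is an added example, not code from this article, from Security Fanatics or from Tenna; the vendor domain list, the three sample messages, the two-edit threshold and the trigger phrases are all constructed assumptions for illustration. It flags a sender domain within two edits of a known vendor domain (a dropped letter, a swapped top-level domain, “rn” standing in for “m”), a Reply-To header that points somewhere other than the From domain, and body text asking to change where money is sent, then assigns a verdict.

```python
"""Screen incoming vendor e-mail for business e-mail compromise (BEC) signals.

Added example; not from the article, Security Fanatics or Tenna. The vendor
list, trigger phrases, threshold and sample messages are all constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical allow-list of the domains your real vendors send from.
KNOWN_VENDOR_DOMAINS = {"acme-aggregates.com", "steelworks.net"}

# Hypothetical phrases that usually accompany a payment-redirect request.
REDIRECT_PATTERNS = [
    r"new (?:bank|routing|account) (?:number|details|information)",
    r"updated? (?:our )?(?:bank|wire|payment) (?:details|instructions)",
    r"remit(?:tance)? to (?:the )?(?:new|following) account",
]

# Constructed sample messages: legitimate, look-alike domain, Reply-To hijack.
SAMPLE_MESSAGES = [
    {"from": "ap@acme-aggregates.com",
     "body": "Invoice 4471 attached. How was the weekend?"},
    {"from": "ap@acrne-aggregates.com",          # 'rn' stands in for 'm'
     "body": "We are now using a new routing number; please process all "
             "future payments through it."},
    {"from": "billing@steelworks.net",
     "reply_to": "billing@steelworks-invoices.com",
     "body": "Updated bank details are attached for your records."},
]


@dataclass
class Finding:
    sender: str
    lookalike_of: Optional[str]   # known domain being impersonated, if any
    reply_to_mismatch: bool       # Reply-To domain differs from From domain
    redirect_request: bool        # body asks to change where money goes


def levenshtein(a: str, b: str) -> int:
    """Edit distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete from a
                           cur[j - 1] + 1,              # insert into a
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].strip().lower()


def lookalike_domain(domain: str, known=KNOWN_VENDOR_DOMAINS,
                     max_edits: int = 2) -> Optional[str]:
    """Return the known vendor domain that `domain` impersonates, or None.

    An exact match is legitimate; a domain one or two edits away from a known
    vendor is treated as a forgery. The threshold is a constructed assumption.
    """
    if domain in known:
        return None
    for k in known:
        if levenshtein(domain, k) <= max_edits:
            return k
    return None


def analyze(message: dict) -> Finding:
    sender = message["from"]
    from_dom = sender_domain(sender)
    reply_to = message.get("reply_to")
    mismatch = bool(reply_to) and sender_domain(reply_to) != from_dom
    redirect = any(re.search(p, message["body"], re.IGNORECASE)
                   for p in REDIRECT_PATTERNS)
    return Finding(sender, lookalike_domain(from_dom), mismatch, redirect)


def verdict(f: Finding) -> str:
    """'block' a forged sender; 'verify' any payment change or hijacked reply
    path by phoning the vendor on a number you already hold; otherwise 'ok'."""
    if f.lookalike_of is not None:
        return "block"
    if f.redirect_request or f.reply_to_mismatch:
        return "verify"
    return "ok"


def screen(messages) -> list:
    return [verdict(analyze(m)) for m in messages]


if __name__ == "__main__":
    for m, v in zip(SAMPLE_MESSAGES, screen(SAMPLE_MESSAGES)):
        print(f"{v:7} {m['from']}")
```

The important design choice is that a request to change bank details earns a “verify” verdict no matter who it appears to come from, because a genuine vendor mailbox can itself be compromised; the check only tells accounts payable who to phone, never that a change is safe to process.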

Intellectual property theft. This is more of a problem for large companies with multiple patents and proprietary technology. Most contractors are users of intellectual property (e.g. telematics and GPS machine control) rather than producers. It would be possible for a hacker to get into a relatively unguarded construction company system and view bid documents, says Espinosa. But it’s unlikely. Too much effort for too little payoff.

What's Next?

In the next installments in this series on cybercrime and contractors we will look at:

  • What you must do when you are hit with a cyber attack
  • What to do to prevent cyber attacks
  • How to choose a good cybersecurity consultant and program
  • The details of the cyber protocols you need to follow to qualify for bidding on Department of Defense infrastructure work: NIST SP 800-171, the Cybersecurity Maturity Model Certification (CMMC) and "Section 889 Part B."

Nick Espinosa is a cybersecurity expert and founder of Security Fanatics. As the co-author of the bestselling cybersecurity book "Easy Prey," a TEDx speaker and the host of the nationally syndicated radio show The Deep Dive, he has given presentations on this subject to numerous construction associations.

Espinosa contributed to the creation of the National Security Agency’s certified curriculum to help the cybersecurity/cyberwarfare community defend our government, people and corporations from cyber threats globally. He is also a member of the Forbes Technology Council and a frequent contributor to that magazine’s website.

Russ Young is vice president of growth for Tenna. He brings two decades of experience from Google, Amazon, Oracle and FMI in applying best practices for technology strategy selection and adoption.