
Cyber Security In Construction
By Tracy Bennett, Editor of Connector
As the construction industry rapidly embraces digital transformation, it also faces a mounting threat: cybercrime. A recent cybersecurity panel brought together experts Satyam Verma, Construction Practice Leader at Egnyte, and Keith Tagliaferri, Director of Cyber Claims Practices at The Hartford, to explore how businesses in architecture, engineering, and construction (AEC) can defend themselves against today’s digital risks.
Explosive Data Growth—and Risk
Construction firms now manage an overwhelming amount of data. “The average AEC firm used to handle around three terabytes of data. Today, that number has grown to 24 terabytes,” said Verma. “With this exponential growth in data, we are leaving ourselves greatly exposed without the right internal policies, external partnerships, and security measures in place.”
Verma explained that this explosion of cloud tools, often 15 to 600 apps in a single tech stack, has introduced countless vulnerabilities. “There are 600 potential locations where intellectual property and private data may be sitting in open-access repositories, even from projects that ended a decade ago.”
The Cyberattack Landscape
Keith Tagliaferri, whose team at The Hartford processes cyber insurance claims, categorized the most common and devastating types of cyberattacks:
1. Business Email Compromise (BEC): These scams trick employees into wiring money to fraudulent accounts. “They’re the most frequent,” said Tagliaferri, “but not the most severe, typically costing $30,000 to $200,000 per incident.”
2. Ransomware: Attackers encrypt entire systems and demand ransoms, often in the millions. “The industry sees million-dollar ransomware attacks every day,” Tagliaferri noted. “The first question claims and incident response experts ask is: do you have backups? If the answer is no, we all know which route we’re headed down, and it’s typically not good.”
3. Data Breaches: These continue to be prevalent and highly damaging, with costs varying depending on the type of data accessed and compliance obligations involved.
AEC: A Prime Target
Contrary to the common assumption that hackers only target financial or healthcare sectors, construction and manufacturing industries are now among the top targets. “We see construction ranking among the top industries for ransomware, business email compromise, and intrusions,” said Tagliaferri, referencing a recent report from cybersecurity vendor Arctic Wolf.
Prevention: What Actually Works
While the threat landscape may seem overwhelming, both panelists emphasized that most incidents are preventable with fundamental security hygiene.
Top cybersecurity measures that significantly reduce risk include:
• Multi-Factor Authentication (MFA): “That prompt on your phone that asks, ‘Is this really you?’ it works,” said Tagliaferri.
• Patching systems: Keeping software updated to close known vulnerabilities.
• Segmented, tested data backups: Not just having backups, but verifying they work.
“Sometimes companies think they’re backed up, but they’ve never tested it,” said Verma. “Do a failover test and pretend all your systems are gone and ask your IT provider to get you back up within 24 hours.”
• Employee training: “We’ve seen that employee awareness and security training has the most impact outside of the basic software protections,” Verma added.
• Incident response plans: Clear protocols help organizations react quickly and effectively when attacks occur.
Tagliaferri summarized the impact of these defenses simply: “Most of the incidents I’ve seen in recent years could’ve been prevented with just three things: MFA, backups, and patching.”
Cyber Insurance is More Than a Safety Net
Cyber insurance is more than just a policy; it’s a playbook. Policies typically include not only coverage for first-party losses like downtime and recovery but also access to breach response teams, forensics firms, and legal counsel.
When asked about past news coverage of some cyber claims not being paid, Tagliaferri said, “Most people only hear about the one cyber claim that doesn’t get paid, which often receives a lot of press. What you typically don’t hear about are the countless cyber and data privacy claims that are paid by the industry each year. Having a good broker who helps you get the right coverage is key.”
Verma added, “Whether it’s the premium cost, ransom payments, or compliance fines—cybersecurity directly impacts your bottom line.”
Choose Both Cloud and On-Premise Backups
The panel also addressed a common question: should businesses rely on cloud services or maintain on-premise systems?
“The best answer is: both,” said Tagliaferri. “If you're hit in the cloud, you have your on-prem backups. If your building floods and your in-house servers go down, the cloud saves you. It's about redundancy.”
Verma agreed. “We’ve seen natural disasters be one of the biggest drivers for moving to the cloud. Hurricanes, fires—once you’re hit, that’s it.”
The Role of AI
AI is rapidly influencing the cyber landscape, for better and worse. “Cybercriminals are using AI for deepfakes and more sophisticated phishing attacks,” said Tagliaferri. “But defenders are also using AI-powered tools to detect threats in real-time. It’s an arms race.”
Verma emphasized the importance of AI governance. “Instead of letting employees use AI tools freely, organizations should define what’s allowed. For example, uploading sensitive documents to AI tools should be restricted.”
In a world where data is doubling and cyber threats are intensifying, proactive defense is no longer optional. As Tagliaferri warned, “For most companies, their first cyberattack is the worst day of their professional lives.” But with the right tools, training, and strategy, that day doesn’t have to come.
Construction Ranks Among Top 5 of All Industries for Three Types of Cyberattacks

Tracy Bennett is Editor of Connector and President of Mighty Mo Media Partners