Digital Progress, Digital Risk: Cybersecurity Challenges Facing Contractors
Key Highlights
-
Ransomware is hitting construction hard: Tight project schedules and large budgets make even a single day of downtime a costly—and attractive—target for cybercriminals
-
Fragmented tech stacks increase exposure: Poorly integrated software and outdated systems are driving misconfigurations, access issues, and elevated cyber risk across job sites and offices
-
Legacy systems remain a weak link: Nearly one-third of construction firms still rely on out-of-date software, often without modern detection or monitoring tools to stop an attack early
As the construction industry invests more heavily in digital technology, cybersecurity has become a growing concern. Cybercriminals are drawn to construction’s large budgets and sometimes lax security.
The tight timelines typically associated with construction projects make them prime targets for ransomware attacks, where even a day lost can mean thousands of dollars. Notable recent ransomware attacks include Bouygues Construction in France (where 200 gigabytes of data were locked according to Le Monde Informatique) and Canada’s Bird Construction h (where, according to CBC News, 60 gigabytes were frozen).
The complexity of construction projects can add to their vulnerability. The multiple parties involved (including architects, contractors, subcontractors and specialists) all require specific levels of data access and permission, and all personnel involved may require training in data hygiene and cybersecurity best practices.
With more than 15 years of experience in Information Technology—including the past eight years dedicated to Cybersecurity—Matthew Butler, CISSP, CISM, CRISC, is a cybersecurity professional specializing in protecting organizations from evolving digital threats. In his current role as Director, Cyber Risk Services for Travelers Insurance, he consults with policyholders to help strengthen their cyber teams and programs, leveraging Travelers’ suite of cyber risk management services to enhance cyber programs and reduce exposures to cyber incidents.
Butler spoke with CONTRACTOR about the emerging cybersecurity landscape, specifically as it pertains to the construction industry.
CONTRACTOR: The construction industry was, up until recently, slow to embrace digital transformation. Now that contractors are beginning to embrace it, are they similarly slow to invest in cybersecurity?
Matthew Butler: According to the 2025 Travelers Risk Index, 76% of construction leaders now agree that having proper cybersecurity controls in place is critical to their company’s well-being, and 75% say cybersecurity is championed by senior management, up eight points from 2024. This is indicative of the growing awareness and maturity across the sector. Moreover, 66% feel confident their company has implemented best practices to prevent or mitigate cyber events, a notable improvement from the prior year.
Contractors are recognizing that their reputations and operations depend on digital reliability. Reports of ransomware and vendor breaches in the industry have further motivated companies to be proactive and invest in stronger controls and cyber insurance.
CONTRACTOR: The big topic in construction tech these days is the “tech stack” —getting the right software components all working together at maximum efficiency. Are there inherent security vulnerabilities in adopting a haphazard or patchwork set of solutions?
Butler: So many software companies try to sell a stack of technology to fit everyone’s needs. Unfortunately, this is not always the most cost-effective method of securing an organization and some technologies inherently don’t work with others. When companies combine incompatible or poorly integrated solutions, they expose themselves to significant cybersecurity risks.
A fragmented system increases the likelihood of misconfigurations, inconsistent patching and user access issues—all of which create vulnerabilities. The 2025 Travelers Risk Index revealed that roughly 30% of construction firms face heightened exposure to risk as a result of outdated software.
Poorly integrated systems also require broader IT expertise that can increase costs and lead to technical oversights. For example, using both Mac and Windows systems without sufficient expertise and support for both systems can result in unforeseen and unrealized vulnerabilities.
CONTRACTOR: A great number of construction companies are dependent on legacy systems. Do these systems present their own sets of vulnerabilities, and if so, how can they best be addressed?
Butler: Legacy systems pose a major risk for construction companies. Many rely on outdated project management or control systems that may no longer receive security updates or vendor support, leaving organizations exposed.
This is a widespread issue across the industry. As noted above, approximately 30% of construction firms are using out-of-date software, and only 35% are using endpoint detection and response, an essential tool for protecting legacy and current systems alike.
For instance, we’ve seen companies still operating firewalls or network devices from defunct vendors. One company was using a firewall from an organization that went out of business in 2018. Needless to say, that left the company’s network in a position to be compromised.
To address these risks, firms should phase out unsupported technologies, segment legacy systems from critical networks and ensure robust compensating controls like multifactor authentication, monitoring and frequent data backups.