LLM Cybersecurity is Now a Construction Cybersecurity Problem

In a previous article, we covered how to write effective AI prompts and the real productivity benefits LLMs can bring to construction estimating and operations. If you haven't read it yet, it's worth starting there. This article picks up where that one left off, because using AI tools well means understanding not just the upside but the risk. LLMs are powerful, and they are also a growing category of cybersecurity exposure that most construction businesses are not yet prepared for. Construction cybersecurity has a new frontier and here is what you need to know to minimize risk to your business.

Data Leakage and LLM Cybersecurity: Where Your Information Actually Goes

Data leakage is the most urgent risk for contractors using AI tools and it is one of the most widely misunderstood. It is not just about hackers getting into your systems. In many cases, it is built directly into how these tools work.

Free Tiers Are Not Free

If you are using the free version of any LLM, including ChatGPT, Claude, Gemini, or any other platform, your inputs are likely being used. That data is aggregated into the training sets that make these models smarter over time, and access to that data may also be sold to third parties to train other LLMs. When you paste a scope of work, a project description, or a takeoff into a free AI tool, that information does not stay with you. ChatGPT security settings on the free tier do not protect your inputs from being used for training, and the same applies across every other free platform.

Uploading Project Documents Is a Construction Cybersecurity Risk

Any project plans, specs, or company documents you upload into a free LLM are being harvested and aggregated into the same training data described above. For a construction contractor, this could mean that a detailed electrical scope of work, a mechanical spec sheet, or a project budget uploaded to get help drafting an RFI is now part of a dataset accessible beyond your organization. The simplest way to think about it is this: treat free tier AI tools the way you would treat a public forum and do not put anything in there you would not want the world to see. Protecting that information is a basic LLM security practice every contractor should have in place.

ChatGPT Security and Jailbreaking: A New Threat

There is a growing practice called jailbreaking LLMs, and it applies to ChatGPT as much as any other LLM platform. Users with advanced prompt engineering skills generate specific sequences of inputs that cause an LLM to reproduce content from its training data. This makes it possible to get some AI models to reveal the data they have been trained on. The threat landscape here is still developing, but it is real and it is evolving. Data you put into a free or paid LLM today could be surfaced by someone exploiting this technique tomorrow. Jailbreaking is one of the most rapidly evolving LLM security threats facing businesses today, and monitoring new research on mitigation strategies should be part of every contractor's construction cybersecurity practice.

Is ChatGPT Secure on a Paid Plan? Read the Terms of Service First.

Paid LLM subscriptions offer more protection, but not automatically. This applies to ChatGPT as much as any other paid LLM platform. The data privacy you actually receive depends entirely on the platform's terms of service, and not all platforms are equal. Read them before your team uses any paid AI tool for work, and specifically check whether the provider aggregates your data, uses it for training, or shares it with third parties. Making this part of your construction cybersecurity checklist is a simple step that can prevent a costly mistake.

Confidentiality: It Is Not Just Your Project Data at Stake

LLM cybersecurity is not just an internal business concern, and that is a distinction contractors often miss. The projects you work on belong to your clients too, which means data leakage carries consequences that go well beyond your own company.

Uploading project specs or plans into an LLM may violate your client's confidentiality expectations or in some cases your legal obligations. National defense projects carry significant restrictions on how project information can be handled, and using an unsecured AI tool to process that data can create serious compliance exposure. Private developers can have equally firm expectations about keeping the progress of their projects out of the public eye until they are ready.

Asking is ChatGPT secure enough for my client's project data is a question every contractor should be asking before they open a new chat. Before using any AI tool to process client project information, understand what your contract and your client's policies say about data handling.

Heavy Reliance on LLMs: Protect Your Competitive Edge

Over-reliance on LLMs is a business risk that sits alongside the construction cybersecurity threats in this article, but it operates differently. It does not come from a bad actor or a data breach. It comes from gradually handing over the judgment calls that define your company's value.

The competitive advantage in construction has always come from experienced estimators and operators who understand the work at a level no LLM can replicate. These tools do not carry 15 years of field knowledge, they do not know your suppliers, and they do not understand the nuances of how your team prices risk. LLM security concerns aside, the moment your business starts treating AI output as a finished product rather than a starting point, you are eroding the expertise that sets you apart. Every contractor has access to the same models. Your people are what competitors cannot copy.

Use LLMs to move faster. Do not use them to think for you.

Data Integrity: A Real Construction Cybersecurity Problem

LLMs hallucinate, and this is not a bug that will eventually get fixed. It is an inherent characteristic of how these models generate output, and even OpenAI acknowledges it. These tools predict what text should come next based on patterns, which means they can be confidently and completely wrong without any indication that something has gone sideways.

For construction estimating, that is a direct business risk. An incorrect material quantity, a missed specification requirement, or a fabricated code reference does not just look bad on paper. It costs real money on a project and can damage client relationships that took years to build. The output looks and reads like it was written by an expert, which makes errors easy to miss and that is exactly what makes it dangerous.

Every output from an LLM requires human review, every time, without exception. LLM output is a starting point and the responsibility to verify accuracy always stays with your team. The moment that review step gets skipped because the output looks right, you are exposed.

External Tool Access: An Overlooked LLM Security Risk

Most LLM platforms offer options to connect external tools, giving the AI access to your local files, drives, and systems. This is where LLM cybersecurity risk moves beyond data privacy into direct operational danger.

A prominent example is ChatGPT Connectors, available on paid ChatGPT plans. This feature allows ChatGPT to connect directly to Google Drive, Microsoft OneDrive, SharePoint, and other platforms, giving the model access to files stored in those systems. A team member enabling a ChatGPT Connector to your company SharePoint may not fully understand what they are opening up. There are documented cases where poorly constructed prompts have triggered an LLM with file system access to delete or corrupt content on a local machine or network, and this is not a theoretical concern.

If your team is using LLM tools with external file access enabled, have a rigorous and tested backup system in place before you start. Research any external tool integration thoroughly before enabling it for critical business files, and treat local file access permissions the same way you would treat any other system admin privilege.

Employee Control: Build Your LLM Security Policy Now

Your team is probably already using AI tools, and some of them are likely using personal accounts to do it. That means company data, including project details, client information, and internal documents, may be flowing into platforms your business has no visibility into and no control over. This is called shadow AI and it is one of the fastest growing construction cybersecurity blind spots today.

Developing a robust cybersecurity policy is the starting point. That policy should explicitly name which LLM tools are approved for work use, define what categories of data can and cannot be entered into any AI platform, and set clear consequences for violations. The goal is to make the rules clear before an incident forces the conversation.

Cybersecurity training that covers AI tool use is no longer optional, because your team needs to understand why these guardrails exist, not just that they do. A well-trained employee is your best defense against an accidental data breach. For general guidance and information, the Canadian Centre for Cyber Security is a strong starting point for businesses of all sizes. For dedicated employee cybersecurity training programs, NINJIO, CIRA Cybersecurity Awareness Training, and TrainingABC all offer structured options worth exploring for your team.

The Bottom Line

LLMs are genuinely useful and the previous article in this series covered the real productivity gains available to construction teams that learn to use these tools well. But usefulness does not cancel out risk. LLM security sits at the centre of a growing construction cybersecurity challenge: data leakage, confidentiality exposure, hallucinations, rogue file system access, and unmonitored employee AI use are all active risks for your business right now.

Use AI tools with intention. Know your platforms. Train your team. Verify everything. 

Newton is PataBid's AI assistant built specifically for the construction industry. It is tied directly into Quantify, hosted in Canada, and trained on construction data rather than the open Internet. To learn more visit www.patabid.com/newton.