Construction Cybersecurity: A Practical Briefing for Carolinas Contractors

Construction is now among the most-targeted industries for ransomware, and attackers figured out that mid-size contractors run 2005-era IT with 2026-size revenues. One compromised estimator email can leak your entire bid book to a competitor. Here's the cybersecurity playbook for Carolinas firms running Procore, Sage, and a prayer.

Key Takeaways

  • Mid-size Carolinas contractors ($25M–$250M revenue) are now prime targets because they move large wire/ACH payments while typically lacking dedicated security teams.
  • Cyber attacks on construction companies doubled from 2023 to 2024, with phishing attacks increasing by 83% and ransomware attacks by 41%.
  • Common attacks include:
    • Ransomware-as-a-service operations
    • Business email compromise targeting wire transfers
    • Fake invoice schemes
    • Account takeovers on platforms like Procore and Sage
  • These attacks often result in business disruption, operational downtime, and increased costs.
  • Basic controls—multi-factor authentication on email and banking, wire callback protocols, endpoint protection, and immutable backups—can materially reduce risk within 90 days.
  • Stronger cybersecurity now influences cyber insurance pricing, bond capacity, and owner prequalification scoring, making it a business investment rather than just an IT expense.

Why Construction Cybersecurity Demands Executive Attention Now

Since roughly 2020, the construction industry has shifted from a peripheral cyber target to a primary target. Cybersecurity is increasingly critical in the construction industry as it shifts from physical blueprints to digital tools like Building Information Modeling and cloud-based project management platforms. Commercial contractors in North and South Carolina sit in the attacker’s sweet spot: large enough to execute seven-figure wire transfers, small enough to lack a dedicated security team.

Unique Risk Factors in Construction

  • Large wire and ACH transactions flow constantly.
  • The workforce is distributed across job sites, field trailers, and remote locations.
  • Email dependence remains high.
  • Cloud systems like Procore, Sage, Bluebeam, and Microsoft 365 have expanded the attack surface dramatically.

Construction companies handle proprietary designs, 3D models, and confidential employee and client information. Safeguarding clients’ information is especially important for data privacy and regulatory compliance, as mishandling sensitive data can lead to legal and financial consequences in today’s digital environment.

For ownership and CFOs, this connects directly to familiar business risks: surety programs, general liability, EMR scores, prequalification, and owner expectations on critical infrastructure projects. This briefing is written from ABC Carolinas’ regional perspective for owners, CFOs, IT directors, and operations executives at merit shop contractors who need to understand why cybersecurity measures must move higher on the priority list.

The Construction Threat Model in 2024–2026

Consider a typical $50M–$150M commercial contractor: office in Charlotte, Raleigh, or Charleston; 150–400 employees; dozens of active subcontractors. Threat actors profile these construction firms using public bid lists, LinkedIn roles, and DOT bond documents to identify high-value targets. Construction organizations must integrate insurance and cybersecurity measures for comprehensive risk management, combining proactive cybersecurity strategies with appropriate coverage to protect their operations and data.

Threat Actor Tactics

  • Attackers focus on three payoff channels:
    • Extorting via ransomware
    • Diverting funds via business email compromise
    • Stealing sensitive data for resale or extortion

Current patterns show a surge in claims from contractors in the $25M–$250M revenue band, with many cases tied to compromised Microsoft 365 accounts and unprotected VPNs.

Supply Chain Risks

The construction sector’s dependence on a vast network of subcontractors, vendors, and technology providers has intensified its exposure to supply chain and third-party cyber threats, as each partner brings their own systems and security practices, creating significant blind spots.

Common Attack Channels

Ransomware-as-a-Service and Data Extortion

Ransomware-as-a-service lets relatively unsophisticated criminals lease tools from groups like LockBit or BlackCat. These operations have specifically hit construction, engineering, and design firms since around 2021. Ransomware attacks are among the most common and successful forms of cyberattacks in the construction industry, forcing companies to pay substantial sums to regain access to their data.

Typical entry points include:

  • Stolen passwords reused on VPNs or remote desktops
  • Unpatched firewalls at the main office
  • Malware deployed via malicious attachments or compromised links, often disguised as sub bids or change orders

Ransom demands frequently range from $250,000 to over $5 million, with negotiated payments sometimes between $75,000 and $1.5 million. Ransomware attacks can lock critical project management software and scheduling systems, stalling work on-site. The operational impacts are especially painful:

  • Frozen accounting systems around payroll Fridays
  • Locked project management databases
  • Missed bid deadlines

Business Email Compromise and Wire Fraud Schemes

Business email compromise represents the most common and costly cyber loss for mid-size construction businesses. Attackers quietly monitor a compromised email account—often a CFO, controller, project manager, or AP clerk—for weeks to learn approval flows and payment timing.

Common social engineering tactics include:

  • Impersonation of project managers or suppliers
  • Phishing emails that appear to come from trusted executives or vendors

Common schemes include:

  • Fraudulent bank instruction changes for major subcontractors
  • Fake closing instructions for owner wires
  • Slightly altered domain names sending believable payment requests

Typical loss ranges: individual fraudulent wires run from $75,000 to $1.2 million, sometimes with multiple wires sent over weeks before detection. Because instructions often come from the company’s own mailbox, recovery from banks and insurers can be complex and only partially successful.

Fake Invoices, Platform Compromise, and Account Takeovers

Attackers abuse access to platforms commonly used by contractors in the Carolinas: Procore, Sage 300 Construction, Bluebeam Studio, DocuSign, and cloud file-sharing services like SharePoint, Box, and Dropbox. A compromised subcontractor account in Procore can be used to upload a revised pay app PDF with new wire instructions.

Risks include:

  • Login reuse and lack of MFA make it easy for attackers to pivot once they steal one set of credentials.
  • Account takeover can lead to manipulation of drawings, specs, or RFIs, creating both financial and physical safety risks.
  • Compromised accounts can result in revealing sensitive information to unauthorized parties, increasing the risk of data breaches and exposure of confidential project details.
  • Compromised heavy machinery can put workers and civilians at risk of injury.

Contractors must view all core SaaS platforms as part of their cyber perimeter.

Why Construction Is a High-Value Cyber Target

The construction industry faces unique challenges that make it a prime target for cyber threats.

Intellectual Property Risks

  • Construction firms manage high-value intellectual property, including proprietary designs, 3D models, and confidential employee and client information.
  • There is a growing wave of digital threats targeting sensitive information, such as financial data and records, which are highly valuable to attackers seeking to exploit it for financial gain or corporate espionage.
  • Unauthorized access to proprietary designs, bid data, and schematics can lead to corporate espionage or loss of competitive advantage.

Vendor and Legacy System Vulnerabilities

  • Cybercriminals are increasingly targeting construction companies due to their reliance on third-party vendors and outdated legacy systems, which expose firms to new vulnerabilities and risks.

Personnel and Budget Challenges

  • Construction companies often face challenges such as frequent personnel changes and inadequate cybersecurity budgets, which exacerbate their vulnerabilities to cyberattacks.

Large Transactions and Time Pressure

Project timelines, pay app cutoffs, and closing dates create pressure environments where finance teams are more likely to approve urgent payment changes without verification. Quarterly and month-end cycles make AP, AR, and billing teams especially vulnerable.

Key risk factors:

  • Multi-million-dollar progress payments on NCDOT or SCDOT jobs, hospital projects, and university work create attractive targets.
  • A breach can disrupt supply chains or result in lost tender information, impacting project timelines and budgets.
  • Cyber incidents can also lead to unplanned costs for construction companies, as data breaches and attacks often cause unexpected financial damages and disruptions.
  • Attackers know construction runs lean accounting teams, so a single person’s mailbox often becomes a single point of failure.

Distributed Job Sites and BYOD Devices

Field supervisors, foremen, and project engineers rely on personal smartphones and tablets to access email, drawings, and project apps—often without mobile device management. Public Wi-Fi at hotels, restaurants, and temporary site trailers increases the risk of credential theft.

Risks include:

  • Lost or stolen phones and laptops can expose email, cloud storage, and VPN connections if not protected by device encryption and remote wipe capabilities.
  • Common on-site behaviors, such as sharing passwords and forwarding files to personal email, create additional access points for attackers.

Supply Chain and Subcontractor Exposure

A typical Carolinas general contractor with an $80M annual book may manage hundreds of subcontracts and vendor relationships, each with varying levels of cyber maturity. Construction firms may deprioritize cybersecurity vetting of their supply chain partners in favor of speed and cost, which further compounds their risk.

Potential impacts:

  • A breach in third-party software updates or a compromised equipment supplier can quickly propagate throughout an entire construction project, causing costly delays, data loss, or operational paralysis.
  • Even with reasonable GC controls, weak links among subcontractors can lead to project-wide disruption.
  • Similar supply chain risks are faced by other industries, and applying lessons learned from those sectors can help improve resilience and security in construction.

Real-World Impacts on Carolinas Contractors

The impact goes beyond data loss. Cyber incidents can destabilize project coordination and financial health. Regional brokers and incident responders report multi-day downtime of accounting systems, delayed payroll, and strained surety relationships following incidents.

Even if a ransom payment is not made, forensic, legal, and recovery costs can match or exceed a six-figure claim. In a relatively small Carolinas market, reputational harm from security incidents can affect prequalification and owner relationships for years.

Types of Incidents and Their Consequences

| Incident Type | Operational Impact | Financial/Insurance Impact |
|---|---|---|
| Ransomware | Payroll freezes, locked project management, missed bid deadlines | Forensics, legal, recovery costs; possible ransom payments; insurance premium increases |
| Business Email Compromise | Fraudulent wires, delayed payments, disrupted vendor relationships | Losses from wire fraud, complex recovery, partial insurance coverage |
| Platform Account Takeover | Manipulated drawings/specs, data breaches, safety risks | Legal/regulatory penalties, reputational harm, increased prequalification scrutiny |

Operational Disruption: Payroll, Bids, and Project Delivery

  • Ransomware or server outages can freeze payroll processing, forcing manual workarounds and emergency credit line draws.
  • Locked estimating databases can cause teams to miss public bid deadlines, giving competitors an advantage.
  • Cyberattacks targeting construction technology, such as IoT devices and BIM platforms, can disrupt operations, causing significant interruptions to project workflows, safety, and overall site management.
  • Project management systems going offline complicate RFIs, submittals, and change order tracking.
  • Contractual penalties may include liquidated damages, delay claims, or the owner’s right to declare default if critical systems are down for extended periods.

Financial and Insurance Consequences

  • Incident costs typically include forensics, legal counsel, data restoration, and temporary systems—often totaling $250,000+ for a mid-size firm.
  • In addition to financial losses, cyber incidents can result in legal issues, including regulatory penalties and liability for mishandling data.
  • Cyber incidents can trigger premium increases, retention hikes, and tighter underwriting, similar to how losses affect workers’ comp EMR.
  • Sureties and lenders increasingly ask about cyber controls during underwriting, potentially affecting bond capacity for 2025–2026 projects.
  • Significant incidents may appear in prequalification responses, affecting future scoring and award decisions.

Core Cybersecurity Controls Every Carolinas Contractor Should Implement

This is a practical 90-day control roadmap prioritized for mid-size merit shop contractors with limited security staff. The focus is on controls that directly reduce the most common loss scenarios: BEC, ransomware, and platform account takeover.

To maintain strong construction cybersecurity, it is essential to regularly update software and systems, address known vulnerabilities, and proactively detect threats. Regular software updates and patching help eliminate security gaps that cybercriminals may exploit, ensuring your digital infrastructure remains resilient.

These controls are increasingly expected by cyber insurers, sureties, and sophisticated owners. Use this list in partnership with your IT team, MSP, and insurance broker.

Identity and Access

  • Utilize multi-factor authentication (MFA) for:
    • All email accounts
    • VPN connections
    • Any system that can move money (banking, Sage, ERP, payroll)
  • Enable conditional access policies in Microsoft 365 to block logins from high-risk locations.
  • Use password managers for staff with broad system access.
  • Limit administrative accounts, enforce strict access controls, and review shared generic accounts.

Endpoint, Network, and Email Protection

  • Deploy modern endpoint detection and response (EDR) on all Windows laptops, desktops, and servers—office and field trailers.
  • Replace legacy antivirus with solutions including behavioral detection and centralized monitoring.
  • Implement a secure email gateway with phishing protection, URL rewriting, and attachment sandboxing tuned for construction workflows.
  • Segment the network so accounting and project management systems are logically separated.
  • Patch firewalls and VPN appliances within documented timeframes.

Backups and Incident Response

  • Ensure backups are frequent, tested, and at least partially offline or immutable.
  • Develop an Incident Response Plan documenting processes and procedures for responding to a cyber attack.
  • Set up an incident response retainer with a reputable cybersecurity firm.
  • Rehearse tabletop exercises with executives.

The Human Layer: Training, Culture, and Mobile Devices

Many data breaches begin with people—not technology—especially in AP, project admin, and field supervision roles. The goal is not to turn superintendents into IT experts but to give them practical patterns to recognize and simple rules to follow.

The construction industry has seen a significant increase in cyber incidents, with over one-third of companies reporting rises in phishing attacks, data breaches, and ransomware incidents as they adopt new technologies. Small companies are also frequent targets and must ensure their training programs are tailored to their scale and continuously adapt to evolving threats to stay protected.

Security Awareness for Field Supervisors and Project Teams

  • Comprehensive cybersecurity training with regular updates is one of the most effective ways to mitigate cyber risk.
  • Regular cybersecurity training should be mandatory for all employees and contractors to equip them to recognize phishing attempts and follow secure password practices.

Key red flags to cover:

  • Last-minute bank account changes from subcontractors
  • Emails bypassing normal approval chains
  • Urgent requests outside normal hours

Integrate cyber topics into existing safety meetings and toolbox talks.

Practical Policies: Passwords, Email, and Document Handling

  • Establish clear password standards: minimum length, no reuse, no sharing.
  • Never approve bank changes solely via email.
  • Use approved platforms like company SharePoint or Procore instead of ad hoc tools.
  • Departing employees’ access should be deactivated the same day with documented offboarding.
  • Policies should be short, plain-language, and incorporated into onboarding.

Mobile Device Management and BYOD Controls

  • Enforce screen locks and device encryption on all mobile devices.
  • Enable remote wipe for corporate data.
  • Block access for rooted or jailbroken devices.
  • Written BYOD agreements should clarify expectations and consent for remote wipe as a condition of accessing company systems.

Supply Chain and Subcontractor Cybersecurity

Mid-size contractors can’t solve cyber risk alone. You must raise the baseline for key subs, design partners, and software vendors by leveraging collaborative committees that help shape industry practices. Securing IoT devices, managing vendor access, and creating a formal incident response plan are critical to protecting sensitive project data and preventing ransomware attacks.

The rapid adoption of IoT devices and Building Information Modeling in construction has created new vulnerabilities, as these technologies often lack robust security features. These advancements introduce emerging threats, presenting unique security challenges and potential attack vectors that require proactive protection measures.

Cyber Prequalification and Intake Questions for Subs

Add 5–10 targeted cybersecurity questions to subcontractor prequalification:

  • Do you use MFA on email?
  • How do you verify bank account changes?
  • What would you do if systems were encrypted mid-project?

Apply tiered expectations: higher standards for critical trades handling sensitive data. Request evidence of cyber insurance from larger subs on high-value projects.

Contract Language and Responsibility for Breaches

  • Work with legal counsel to add cyber clauses defining expectations for protecting shared project data and reporting incidents.
  • Specify notification timelines and cooperation obligations.
  • Clarify responsibility for fraudulent payment details that originate from compromised subcontractor accounts.

Managing Software Vendors and Cloud Platforms

  • Verify that platforms like Procore, Sage, Viewpoint, Bluebeam, and cloud storage support MFA, SSO, and audit logs—and ensure those features are enabled.
  • Assign an internal owner for each critical platform responsible for user provisioning and access reviews.
  • Maintain an inventory of all cloud services including shadow IT.

Insurance, Compliance, and Owner Expectations

Cyber risk is now embedded in insurance markets, federal contracting frameworks, and large-owner contract requirements. By 2024, most cyber insurers require specific controls similar to how workers’ compensation carriers rely on EMR.

Implementing routine risk assessments and ongoing evaluations of cybersecurity protocols enables companies to continually improve their cybersecurity defenses.

Cyber Insurance Underwriting and Coverage

  • Cyber insurers now commonly require MFA, endpoint protection, and backups as conditions for coverage.
  • Limits for mid-size contractors often fall in the $1M–$5M range.
  • Align coverage with realistic scenarios: BEC and wire fraud, ransomware, business interruption, and incident response costs.
  • Insurance policies are designed to mitigate the impact of a successful attack that results in data breaches or ransom payments, helping companies recover from these incidents.

ABC Carolinas members can explore insurance trust options that may incentivize strong cybersecurity postures with better pricing.

Owner Contract Requirements and Prequalification Scoring

  • Owners increasingly ask about cyber controls in RFQs, especially for public, healthcare, and critical infrastructure projects.
  • Strong cyber posture can positively influence owner confidence, similar to a strong safety record.
  • Proactively prepare executive-level summaries of your cybersecurity program for major proposals.
  • Review contract forms for notification timelines and data handling obligations.

CMMC and Federal Contractor Considerations

  • The Cybersecurity Maturity Model Certification framework applies to Department of Defense work and contractors handling controlled unclassified information.
  • Even Carolinas contractors who aren’t primary defense contractors may feel CMMC pressure as subs on federal projects.
  • Many core controls discussed here—MFA, backups, EDR, incident response planning—align with foundational CMMC practices.
  • Firms targeting federal work should begin mapping current controls against NIST SP 800-171.

Your 90-Day Cybersecurity Roadmap

This is a prioritized, realistic plan for a mid-size Carolinas contractor to materially reduce cyber risk in three months. Leadership involvement is essential: executives must assign owners, approve budgets, and set expectations.

Days 1–30: Stabilize the Basics

  1. Require MFA on all email, remote access, and financial systems.
  2. Deploy EDR on all servers and workstations including field laptops.
  3. Verify backups are recent, offline where possible, and restorable.
  4. Implement wire transfer callback procedures for new or changed banking instructions.
  5. Launch a focused phishing-awareness briefing for AP, AR, and field supervisors.

Days 31–60: Strengthen Processes and Visibility

  1. Document a basic incident response plan with leadership and vendor contacts.
  2. Begin regular user-access reviews and remove unused accounts.
  3. Enable advanced email security features.
  4. Introduce password managers for high-access users.
  5. Add cyber questions to subcontractor prequalification.

Days 61–90: Embed Cyber into Business and Risk Management

  1. Review cyber insurance coverage with a construction-savvy broker.
  2. Meet with key owners to demonstrate improvements.
  3. Integrate cybersecurity topics into safety and leadership meetings.
  4. Formalize BYOD and mobile device policies.
  5. Identify longer-term investments for 12–24 month budgets.

How ABC Carolinas Can Help Members Advance Cybersecurity

ABC Carolinas serves as a partner for members navigating cybersecurity alongside broader safety, workforce, and risk management efforts. While not a cybersecurity vendor, the association curates resources, education, and peer connections to advance construction excellence across the Carolinas.

Member Education, Safety, and Workforce Programs

Insurance Trust, Advocacy, and Peer Networking

Frequently Asked Questions

These questions address practical concerns not fully covered above and are focused on Carolinas commercial contractors in the $25M–$250M range.

How much should a mid-size Carolinas contractor expect to invest in cybersecurity each year?

Many mid-size contractors should anticipate allocating a low single-digit percentage of annual revenue to IT overall, with a defined portion for security controls, training, and insurance. Firms in this range might see cyber-specific spending in the tens to low hundreds of thousands annually, depending on starting point and regulatory obligations. Treat cyber spend like safety: proportional to risk and adjusted as the business grows.

Who should be responsible for cybersecurity if we don’t have a dedicated security officer?

Responsibility typically rests with a combination of the executive team, the IT leader, an outsourced MSP, and the CFO or risk manager. Appoint a single internal cyber owner who coordinates efforts and manages relationships with outside experts. Ownership cannot be fully delegated to vendors—executives must stay engaged because key decisions involve business risk, contracts, and insurance.

What should we do in the first 24 hours after discovering a cyber incident?

  • Contain by disconnecting affected systems.
  • Preserve evidence—avoid wiping devices.
  • Notify internal leadership immediately.
  • Contact your cyber insurance carrier to access breach coaches, forensics, and legal guidance.
  • Document actions taken and prepare basic internal communication.
  • Don’t pay ransom or make public statements before consulting counsel.

How often should we update our cybersecurity program and policies?

  • Conduct at least an annual formal review of policies and controls, with interim updates when major changes occur.
  • Revisit specific controls like backups, MFA coverage, and access rights quarterly.
  • Use insurance renewals and large project awards as natural triggers to reassess.

Are small subcontractors really expected to meet the same cybersecurity standards as large GCs?

The goal is not identical controls for every sub, but a realistic baseline scaled to their role. Larger subs handling major scopes or valuable data should meet higher standards. Encourage GCs to share educational resources—potentially through ABC Carolinas—so the entire project ecosystem improves together.