A few years ago, when I started Novacore Builders, I was worried about things like delays in projects, the cost of materials, and the safety of workers. What about cybersecurity? That was something that tech companies took care of, not construction companies in Tampa. I was completely wrong in thinking that cybersecurity was not a concern for my business, and that misconception almost ruined it.
Let me tell you about the day that changed everything and what I’ve learned about keeping a construction company safe in a world that is becoming more digital.
The Call to Wake Up
March 2022, Tuesday morning. When I got to our office on Dale Mabry, I saw that Sandra, our project manager, was crying. “Everything is locked,” she said. The message on our screens was simple: “Your files have been encrypted. Pay $50,000 in Bitcoin within 72 hours or lose everything.”
Ransomware had attacked us.
All of our client contracts, architectural plans, employee records, financial data, and project schedules were encrypted. We were lucky to have backups, but they were three weeks old. The next 96 hours were awful. We let the ransom deadline pass while we were talking to our IT consultant and the FBI (yes, they got involved). We never paid the ransom, but we lost about $180,000 in recovery costs, project delays, and one big client who couldn’t afford to have their schedule changed.
That event taught me that cybercriminals love to go after construction companies, and most contractors are not ready for it.
Why Construction Companies Are Easy Targets
Construction is at a unique crossroads that makes us easy targets:
We Deal with Private Information
People don’t realize how much valuable information we hold:
Building plans that show security systems, entry points, and valuable items
Financial information from clients, subcontractors, and suppliers
Employees’ Social Security numbers and bank account information
Proprietary designs and bid information worth millions
Access codes for client systems and facilities
We Don’t Know Much About Technology
Most people who work in construction, including me at first, came up through the trades. We know how to build load-bearing walls and how to mix soil, but not how to configure firewalls or encrypt data. Hackers take advantage of this knowledge gap to find weaknesses.
We Work with a Lot of Other Companies
There are dozens of subcontractors, suppliers, architects, and engineers on every project. Every link could be a way in. Last year, a hacker used a concrete supplier’s compromised email account to redirect a $75,000 payment from one of our clients to a fraudulent account.
We Use Connected Equipment
IoT devices, drones for site surveys, connected heavy equipment, and cloud-based project management are all becoming more important in modern construction. Any connected device could pose a security risk.
Our Margins Are Small
Construction only makes a small amount of money (usually 3-7%). We sometimes underfund IT security because it doesn’t directly generate revenue. I made that choice myself in the past, and it was a mistake.
Cyber Threats We Face Every Day
Ransomware Attacks
These are now the biggest threats. Criminals lock up your data and ask for money. From 2020 to 2023, the number of ransomware attacks on the construction industry rose by 937%. We’re targeted because we have important deadlines and often pay to avoid delays in our projects.
Business Email Compromise (BEC)
This is incredibly easy and works well. Hackers break into your email account, a client’s email account, or a vendor’s email account and send fake payment instructions. Last year, someone pretending to be our steel supplier sent us new wire transfer instructions that almost cost us $130,000. Our accountant’s healthy paranoia was the only thing that saved us.
Phishing and Social Engineering
These attacks take advantage of how people think. An employee gets an email that looks real. It could be from “the CEO” asking for an urgent wire transfer or from “Microsoft” warning about a security problem. A single click can put whole networks at risk.
Attacks on the Supply Chain
Hackers go after our smaller subcontractors and suppliers because they have weaker security. Then they use those connections to get into our systems. It’s the digital equivalent of walking in through an unguarded side door.
Stealing Data
Competitors or companies from other countries steal client lists, bid information, or proprietary designs. This kind of industrial espionage is harder to detect, but it can be just as damaging.
How I Changed Novacore’s Cybersecurity
After the ransomware attack, I spent a lot of time and money on cybersecurity. This is what really works for a medium-sized construction company:
Training for Security Awareness
Every worker, from the CEO to the janitor, gets cybersecurity training every three months. Every month, we run simulated phishing campaigns. At first, 43% of employees clicked on bad links in tests. We’re down to 6% now. People are your first and most effective line of defense.
I stressed that clicking on a suspicious link isn’t grounds for firing, but not reporting it is. We want people to feel safe admitting when they make a mistake so we can fix it quickly.
Multi-Factor Authentication (MFA) Everywhere
MFA is required for every system, including email, project management software, accounting, and more. Yes, it can be annoying at times. Yes, it is worth it. MFA blocks approximately 99.9% of automated attacks.
Separate Backups
We have three backup tiers: one on our own systems, one in the cloud, and one offline. The offline backups are not connected to our network at all, and they are updated once a week. Ransomware can only encrypt files it can reach. This three-tier plan costs us about $800 a month, but it would have saved us $180,000.
Email Authentication Protocols
We set up SPF, DKIM, and DMARC to stop attackers from spoofing our domain. We also set up strict checks for any changes to payments. Every change to a wire transfer or bank account must be confirmed by phone with a known number, not one given in the email.
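As an added example (not part of the original post, and not Novacore’s own tooling), here is a small Python check of the kind an IT provider runs against a sending domain to find the SPF and DMARC settings that still let spoofed mail through. The DNS records and domain names are constructed placeholders, and lookup_txt is an assumed stand-in for a real TXT resolver query.

```python
"""Flag SPF/DMARC settings that leave a domain open to spoofing.

Added example for this article; not Novacore's own code. All DNS data
below is constructed, and the domain names are placeholders.
"""
import re

# Constructed sample DNS data: what TXT lookups for these names would return.
SAMPLE_DNS = {
    "good-contractor.test": ["v=spf1 include:_spf.mailhost.test -all"],
    "_dmarc.good-contractor.test": [
        "v=DMARC1; p=reject; rua=mailto:dmarc@good-contractor.test; adkim=s; aspf=s"
    ],
    "weak-supplier.test": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "_dmarc.weak-supplier.test": ["v=DMARC1; p=none"],
    "open-relay.test": ["v=spf1 +all"],
}

# Matches the SPF "all" mechanism with its optional qualifier (+, -, ~, ?).
ALL_MECH = re.compile(r"^([+\-~?])?all$", re.IGNORECASE)


def lookup_txt(name, dns=SAMPLE_DNS):
    """Assumed stand-in for a DNS TXT query; swap in a real resolver for live checks."""
    return dns.get(name, [])


def spf_findings(domain, dns=SAMPLE_DNS):
    """Return a list of weaknesses in the domain's SPF record (empty list = fine)."""
    records = [r for r in lookup_txt(domain, dns) if r.lower().startswith("v=spf1")]
    if not records:
        return ["no SPF record: receivers cannot tell which servers may send as this domain"]
    if len(records) > 1:
        return ["multiple SPF records: the record is invalid and receivers ignore it"]
    qualifier = None
    for term in records[0].split()[1:]:
        m = ALL_MECH.match(term)
        if m:
            qualifier = m.group(1) or "+"  # a bare 'all' means '+all'
    if qualifier is None:
        return ["SPF has no 'all' mechanism: unlisted senders are treated as neutral"]
    if qualifier == "+":
        return ["SPF ends with +all: any server on the internet may send as this domain"]
    if qualifier in ("~", "?"):
        return [f"SPF ends with {qualifier}all: spoofed mail is only softly flagged, not rejected"]
    return []


def dmarc_findings(domain, dns=SAMPLE_DNS):
    """Return a list of weaknesses in the domain's DMARC policy (empty list = fine)."""
    records = [r for r in lookup_txt("_dmarc." + domain, dns)
               if r.upper().startswith("V=DMARC1")]
    if not records:
        return ["no DMARC record: SPF/DKIM results are never enforced against the From: header"]
    tags = {}
    for part in records[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC p=none: spoofing is reported but not blocked")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine: spoofed mail lands in spam instead of being rejected")
    elif policy != "reject":
        findings.append(f"DMARC policy '{policy or 'missing'}' is not valid")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address: no aggregate reports, so you cannot see who spoofs you")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC pct={pct}: the policy applies to only part of the mail stream")
    return findings


def assess_domain(domain, dns=SAMPLE_DNS):
    """Combine SPF and DMARC findings for one domain."""
    return spf_findings(domain, dns) + dmarc_findings(domain, dns)


if __name__ == "__main__":
    for name in ("good-contractor.test", "weak-supplier.test", "open-relay.test"):
        issues = assess_domain(name)
        print(f"{name}: {'OK' if not issues else ''}")
        for issue in issues:
            print(f"  - {issue}")
```

Run it against the sample data as written, or replace lookup_txt with a live query (for example dnspython’s dns.resolver.resolve(name, "TXT")) to check your own domain and your suppliers’. A p=reject policy with a rua= reporting address is the target state; p=none is only a monitoring stage, and an SPF record ending in ~all or +all still lets a spoofed invoice reach the inbox.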
Network Segmentation
Our IT consultant helped us divide our network into segments: separate networks for project management, guest Wi-Fi, and finance. If one segment is compromised, the damage is contained.
Vendor Security Requirements
All of our major suppliers and subcontractors must now meet basic cybersecurity standards. It’s written into our contracts. We require them to secure their systems, partly to limit our own liability.
Encrypted Communications
Sensitive data, like financial and architectural information, is encrypted in transit and at rest. For big files, we use secure file-sharing services instead of email attachments.
Regular Security Checks
We do vulnerability assessments every three months and penetration testing once a year. Having ethical hackers test our defenses reveals our vulnerabilities before criminals can exploit them.
Cyber Insurance
We have $2 million in cyber liability insurance. It costs about $12,000 a year and covers forensics, legal fees, notification costs, and business interruptions. Read the policy carefully because many of them don’t cover ransomware payments or have strict conditions.
Incident Response Plan
We have a written and practiced plan for dealing with cyber incidents. Who should we call? How do we isolate the affected systems? How do we talk to our clients? When do we call the police? You don’t have time to think about this in a crisis.
Practical Implementation Tips
Begin with Quick Wins
You don’t need a lot of money. Begin with:
A password manager for strong, unique passwords
Multi-factor authentication
Regular software updates
Basic employee training
Offline backups
These five steps deal with 80% of common threats and don’t cost much—mostly just time and discipline.
Include Security in Your Culture
Cybersecurity is one of the things we talk about in our weekly toolbox talks at Novacore, along with fall protection and electrical safety. We honor workers who tell us about strange emails. We’ve made our phishing tests more fun by giving out small prizes for being alert.
A Realistic Budget
We now set aside 3–5% of our IT budget for security. That’s about $30,000 a year for a company our size. It seems like a lot of money, but remember that our ransomware attack cost six times that much.
Get Help from an Expert
I build things, but I’m not a cybersecurity expert. We work with a managed security service provider (MSSP) that watches over our systems around the clock, manages our firewalls, and gives us knowledge that we can’t afford to hire full-time. This costs about $2,500 a month, which is a lot less than hiring a full-time security professional.
Stay Up to Date on Threats
I get cybersecurity newsletters for the construction industry and participate in local business forums where we talk about threats. A contractor friend told me last month about a new phishing campaign that was going after construction companies in the Tampa area. We told our staff right away.
The Return on Investment (ROI) of Cybersecurity
Some contractors consider cybersecurity to be just an expense. I consider it to be insurance for my business and an edge over my competitors.
We Win Bigger Deals
More and more, big clients require their contractors to hold cybersecurity certifications. We won a $4.2 million Department of Defense contract that we couldn’t have gotten without our CMMC (Cybersecurity Maturity Model Certification) Level 2 compliance.
We Protect Our Reputation
Reputation is everything in the building business. One data breach that exposes client information can undo years of built-up trust. Our strong security is a selling point in proposals.
We Avoid Huge Losses
Small and medium-sized businesses lose an average of $2.98 million in a data breach. We spend $30,000 a year on security, which is a cheap way to protect against that risk.
We Run More Efficiently
Better IT hygiene means that your systems will crash less often, have less downtime, and run more smoothly. Better security practices actually made us more productive.
Looking Ahead: New Threats
The threat landscape is always changing. This is what keeps me up at night:
AI-Powered Attacks
Criminals are using AI to create more realistic phishing emails, generate deepfake audio for social engineering, and run automated vulnerability scanning. The arms race is escalating.
Growth of 5G and the Internet of Things (IoT)
The more construction equipment that is connected, from smart tools to self-driving cars, the bigger our attack surface gets.
Quantum Computing Risks
Quantum computers could break current encryption standards within the next ten years. We need to start planning for post-quantum cryptography now.
Regulation and Compliance
Expect more rules about cybersecurity in construction, especially for contracts with the government. Staying ahead of compliance requirements will be a must for businesses that want to stay competitive.
Here is what I want to communicate to other contractors:
If you think, “We’re too small to be targeted” or “We don’t have anything worth stealing,” you’re wrong. Cybercriminals don’t care who they attack; they use bots to scan thousands of targets at once, looking for the easy ones.
You’ve bought insurance, safety gear, and good tools. Put the same effort into cybersecurity. The question isn’t whether you’ll face an attack, but when, and whether you’ll be prepared.
The construction industry is beginning to understand this, but too many contractors, like me, are learning it through costly and painful experience. Learn from my mistakes instead.
Key Numbers and Facts
Industry impact:
937% more ransomware attacks on the construction industry from 2020 to 2023
The average cost of a breach for construction companies is $2.98 million.
Hackers attacked 73% of construction companies in 2023.
Only 23% of construction companies have an incident response plan.
Novacore Builders Metrics (After Implementation):
The click rate for phishing emails went down from 43% to 6%.
In 30 months, there were no successful breaches.
$30,000 a year on security vs. $180,000 for the last incident
100% of employees use MFA
Completion of quarterly security training: 98%
Common Attack Vectors:
Phishing emails: 54% of breaches
Ransomware: 28% of incidents
Business email compromise: 12%
Supply chain attacks: 6%
Frequently Asked Questions
Q: How much does a small construction company need to spend on cybersecurity?
A: You can get started with $5,000 to $10,000 for basic managed services, MFA setup, backup solutions, and employee training. Scale it up as your business grows.
Q: Should we give in to ransomware demands?
A: The FBI advises against it: there’s no guarantee you’ll get your data back, and paying funds criminals. Focus instead on your ability to prevent attacks and recover from them.
Q: How can we check a vendor’s cybersecurity without being IT professionals?
A: Ask vendors to fill out a simple security questionnaire, keep cyber insurance, and use MFA. Think about making SOC 2 or ISO 27001 certification necessary for bigger vendors.
Q: What do construction companies do wrong most often when it comes to cybersecurity?
A: They think they’re not targets. The second biggest mistake is thinking of cybersecurity as just an IT problem and not a business risk that needs to be dealt with by leaders.
Q: How often should we update our security?
A: When possible, software and systems should update on their own. Every three months, check your overall security posture, and once a year, do a full assessment.
Q: Can cybersecurity really help us get contracts?
A: Yes, of course. Cybersecurity certifications are now required for many business clients and all government contracts. It’s not just a nice-to-have anymore; it’s becoming a requirement.
Q: What should we do first today?
A: Turn on two-factor authentication for all email and financial systems. It’s free or cheap, and it stops almost all automated attacks right away.
Q: How do we balance security and productivity?
A: Good security shouldn’t get in the way of legitimate users much. Work with your IT provider to choose solutions that are easy to use. A little friction is far better than a major breach.
Final Thoughts
Cybersecurity is no longer optional in construction; it is essential for the survival and growth of our businesses. The digital transformation of our industry brings real efficiencies, but it also opens new vulnerabilities that criminals are actively exploiting.
It has been hard but necessary for Novacore Builders to go from being a victim of ransomware to a company that cares about security. We now know that effective cybersecurity doesn’t need a lot of money or technical know-how. It just needs dedication, awareness, and smart partnerships with experts.
What we learned from our experience:
Awareness is the key: well-trained workers are your best defense.
Start with the basics: MFA, backups, and updates protect against most threats.
Don’t just think about how to stop attacks; think about what to do when they happen.
Security is a business issue because it affects contracts, reputation, and survival.
Investing pays off: it’s much cheaper to stop something from happening than to fix it.
The construction industry built the modern world. We can certainly implement the security measures we need to keep our businesses safe. The threats are real and getting worse, but so are the ways to deal with them. Investing in cybersecurity is no longer optional.
Don’t wait for someone else to wake you up. Today is the day to start building your digital defenses. In both cybersecurity and construction, a strong foundation is key.