Construction firms lost more than $5.2 billion to cyberattacks in 2022 alone. NCC Group's 2024 Annual Cyber Threat Monitor found the Industrials sector, which includes construction, experienced 27 percent of all global cyberattacks that year — a 15 percent increase from 2023.
These attacks are not abstract risk events. Four named firms tell the story.
Bouygues Construction was hit by a Maze cyberattack in January 2020. 237 computers encrypted. More than 1,000 terabytes of data frozen. Attackers published employee names, home addresses, phone numbers, social insurance numbers, banking details, and drug test results online. Ransom demand: 10 million euros. Bird Construction was hit a month earlier: 60 gigabytes of data frozen, $9 million CAD ransom demand. Skender Construction, a Chicago-based general contractor, was hit in March 2023: 1,067 individuals affected, personal information potentially accessed. Turner Construction has been hit twice — once by spear phishing that sent employee W-2 data to a fraudulent account, and once by a Ryuk attack that forced systems offline.
Construction firms hold uniquely valuable data and have historically underinvested in data security. The real question is why recovery was so costly and so slow. The answer is governance.
The data you hold matters more than you think
Your bid pricing database contains years of proprietary cost data. Your subcontractor financial qualifications contain bonding history, credit information, and firm financials. Your BIM models contain structural, mechanical, and systems data that took significant fees and labor to produce. Your project schedules contain critical path logic that competitors would pay to understand before a bid.
All of it lives in Procore, Primavera, Autodesk Docs, Vista, and BIM 360. Most of it is accessible to most of your team, because nobody defined access levels when the tools were adopted. When an attack hits a firm in that state, everything freezes. Recovery is slow because nobody knows which systems are essential, which data is authoritative, or who owns what.
54 percent of construction firms cite data protection as their gravest concern about AI adoption, per Dentons' Global AI Survey. Yet formal data governance structures remain rare. The majority of standard AI vendor contracts claim data usage rights beyond service delivery — meaning the tools your estimating team uses to speed takeoffs may be feeding your historical bid pricing and subcontractor financials into models that benefit competitors.
"Before any AI tool enters your firm, someone on your leadership team needs to be able to say: here is what the AI can see, here is what it can recommend, and here is what only a human approves. If you cannot say that today, the tool is not your first problem.
Four decisions before any vendor conversation
Which data types require what access level. Bid pricing and subcontractor financials should not be accessible to the same tools and roles as project scheduling. Define tiers now — before the tools arrive.
Which workflows AI can act on autonomously versus recommend only. Some decisions AI can make without review: formatting, data aggregation, routine reporting. Others require human approval: anything touching financial data, personnel records, or client deliverables.
Which vendor contract terms are non-negotiable. Before any AI vendor conversation, define your data usage boundaries: no training on proprietary data, no benchmarking against your cost history, data deletion rights on contract termination. These terms are negotiable before signing and nearly impossible to enforce after.
Who on your leadership team owns data governance decisions going forward. This belongs to a COO or VP of Operations — someone with authority over operational workflows and vendor relationships.
These decisions do not start with a vendor demo. They start with questions. Here are the ones we hear most often.
Our Discovery engagement exists for exactly this moment. Six weeks to build the governance framework, define the decision rights, and produce the Workflow Map before any vendor touches your data. The output is a framework your leadership team agrees on and a set of vendor contract requirements your legal team can enforce.
Humanity for what matters. AI for everything else.
