
“We move dirt, we don’t have anything a hacker would want.” That statement, or some variation, is common among heavy civil construction companies that build roads, bridges, sewers and other civil infrastructure.
Suppliers and consultants echo similar sentiments: “We make pipe…”, “We design roads…”, “We sell traffic management….”
A cyberattack is less likely to shut down a jobsite as completely as it can shut down critical infrastructure such as a pipeline or utility, or a school, medical office, accounting firm, insurance company or any other business Mike Rowe wouldn’t feature on the TV show “Dirty Jobs.” Yet all heavy civil construction companies move something cybercriminals want: money.
Clever cybercriminals know that their payday is in the substantial dollar amounts involved in civil construction. Whether rehabilitating a bridge, repaving a major highway or replacing municipal sewer lines, the money involved in those projects is a tempting target for criminals.
Managing risk
Though ransomware attacks, like the one Colonial Pipeline experienced, do happen to construction companies, they are not necessarily as lucrative for cybercriminals as other forms of attack. Unfortunately, most civil construction companies overlook those other forms of attack.
To manage the risk of a cybersecurity incident effectively, a company must implement three types of controls: technical, administrative and physical. Technical controls are the cybersecurity systems a company sets up and maintains, including antivirus, spam filters and firewalls. Administrative controls are policies regarding who has access to what information and what they’re allowed to do with it, procedures for onboarding and offboarding employees, and contingency plans for when something goes wrong. Physical controls are things like locking up sensitive documents and jobsite iPads when they are not in use.
How a paving company almost lost $1 million
Without these guardrails, mishaps can happen. A paving company in Ontario experienced a near-miss that almost cost it $1 million in cash flow. Had the attack occurred during the peak construction season, the exposure would have been between $10 million and $15 million.
The facts of the incident
An accounts receivable employee looked through her junk folder. She noticed an email from her boss requesting a spreadsheet listing customers with outstanding balances and customer contact information for payment approvals. She salvaged the email from her junk folder and did what was asked of her. She exported the information from the accounting system and replied to her boss.
Later that day, she asked her boss if he had everything he needed. At that point, they both realized something was wrong. She had sent the list to a cybercriminal who had impersonated her boss. The subsequent investigation revealed the following:
- The email came from a free Gmail account, not a company email.
- The spam filter worked correctly, putting the email in her junk folder.
- The email system correctly identified the email as originating outside the company by adding a warning to the message: “Caution! Email is from an external source.”
- Human error caused the problem, but it wasn’t a simple oversight like accidentally clicking on a link.
- Despite enrolling in a security awareness training program to teach people to identify fraudulent emails, the employee hadn’t completed the training or testing.
- Even though security awareness training was in place, the company didn’t have a policy requiring employees to participate.
Based on these findings, the company concluded that the technical controls (spam filter and external banner) worked properly. However, the administrative controls didn’t work as expected and security awareness training was ineffective.
With no policy for security awareness training, the company had no legal recourse to discipline the employee. Despite complying with cyber insurance requirements by having security awareness training, the lack of an enforceable policy and the employee’s poor participation record meant any claim for losses would most likely be denied.
The company recognized the resulting risks, including the possibility that criminals could use the stolen information for blackmail and the potential loss of $1 million. One week after the mishap, customers received legitimate-looking payment change notices supposedly from the company. The criminal(s) had purchased a domain name near-identical to the company’s, making it difficult to distinguish legitimate email from fraudulent.
Thankfully, none of the customers fell for the scam because they had been warned about the risk. The company reported the fraudulent domain, which led to its removal, and a new technical control was added to monitor for newly registered domains that resembled theirs.
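Both technical signals in this incident, a free webmail sender carrying the boss’s name and a near-identical domain, can be checked mechanically, and the same domain check can be run over a newly registered domain feed. The following Python is an added example, not code from the article or from the paving company; the company domain, executive names, sample From headers and domain feed are all constructed.

```python
import re
import unicodedata
from difflib import SequenceMatcher
# Constructed values and sample data for this example; the article names no domains or people.
COMPANY_DOMAIN = "examplepaving.example"
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}
EXECUTIVES = {"chris bossman", "pat owner"}  # hypothetical protected display names

def normalize(domain: str) -> str:
    """Drop the last label (simplification; use the public suffix list in production), then fold look-alikes."""
    label = ".".join(domain.lower().split(".")[:-1])
    folded = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    for src, dst in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("-", "")):
        folded = folded.replace(src, dst)  # 'exarnp1e-paving' now compares as 'examplepaving'
    return folded

def is_lookalike(domain: str, company: str = COMPANY_DOMAIN, threshold: float = 0.85) -> bool:
    """True when a domain is not the company's own but resembles it after normalisation."""
    cand, ours = normalize(domain), normalize(company)
    similar = cand == ours or ours in cand or SequenceMatcher(None, cand, ours).ratio() >= threshold
    return domain.lower() != company and similar

def parse_from(header: str):
    # Split an RFC 5322 From header into (normalised display name, lowercase address).
    m = re.match(r'^\s*"?([^"<]*?)"?\s*<([^>]+)>\s*$', header)
    name, addr = (m.group(1), m.group(2)) if m else ("", header)
    return " ".join(name.lower().split()), addr.strip().lower()

def assess(from_header: str) -> list:
    """Reasons an inbound request should be verified out of band before anyone acts on it."""
    name, addr = parse_from(from_header)
    domain = addr.rsplit("@", 1)[-1]
    findings = []
    if domain != COMPANY_DOMAIN:
        if is_lookalike(domain):
            findings.append("lookalike-domain")
        if name in EXECUTIVES:           # the boss's name on an outside mailbox
            findings.append("exec-name-external")
        if domain in FREE_MAIL_DOMAINS:  # free webmail, as in the paving incident
            findings.append("free-webmail")
    return findings

def scan_domain_feed(domains: list) -> list:
    return [d for d in domains if is_lookalike(d)]  # e.g. over a newly-registered-domain feed

SAMPLE_FROM_HEADERS = ["Chris Bossman <chris.bossman.office@gmail.com>",
                       "Accounts Receivable <ar@examplepaving.example>",
                       "Chris Bossman <chris@exarnplepaving.example>"]
NEW_DOMAIN_FEED = ["exarnplepaving.example", "examplepaving-payments.example",
                   "granitequarry.example", "examp1epaving.example"]
```

Running assess() over SAMPLE_FROM_HEADERS flags the first and third header and passes the second; scan_domain_feed(NEW_DOMAIN_FEED) keeps the three entries that resemble the company domain and drops the unrelated one.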
Consulting firm blamed for a crime they didn’t commit
In another scary scenario, the owner of a consulting firm (Nick) received a notice from a client (a construction project owner) saying one of the firm’s employees stole $600,000 from them, and Nick’s company must repay it or face legal action. Nick was confused. The employee (John) had been with Nick for years and was trustworthy.
The client had received an email from John informing them that a contractor working for the owner was changing banks and including instructions to redirect the next scheduled payment. When the contractor sent the next invoice to the client (not through John), the client paid it according to John’s instructions.
However, after 60 days, the contractor hadn’t received payment and inquired about it. The client responded with proof of payment. The contractor informed the client that the banking information on the payment record was incorrect. The ensuing back-and-forth revealed the banking change notice came from John, not the contractor. Nonetheless, the client followed the change instructions. As the change notice came from John, the client concluded he had stolen the money and provided John’s original email to Nick as evidence. John denied sending the email to the client.
Investigation revealed that the original email and multiple follow-up emails confirming the change were legitimately sent from John’s account. However, no trace of the email chain was found in John’s mailbox. Whoever sent the emails had insider knowledge of the contractor-client relationship. Investigation also confirmed that John’s email account was protected with multi-factor authentication (MFA) and showed no sign of having been compromised.
The consulting firm’s employees all used personal laptops because the firm relied on a “bring-your-own-device” (BYOD) strategy. Since John’s laptop was not company property, he, not Nick’s company, was responsible for securing it. It appeared that John was either guilty and had tried to cover his tracks, or he had been framed.

Nick’s security team discovered that John’s laptop had been accessed remotely, allowing someone to control everything on it, including John’s email. Their discovery explained how the perpetrator was familiar with the contractor-client relationship and how MFA was defeated: John used his laptop daily to access company email, so the remote criminal worked through John’s already-authenticated session rather than logging in separately, and could do anything John could do. John was exonerated.
Nick explained the findings to the client, but they remained adamant that because the change request originated from an email belonging to Nick’s company, he was responsible for the $600,000 loss. Nick then questioned their change management and payment approval processes, since the change request obviously hadn’t been properly vetted. After those questions, the client withdrew the demand for reimbursement without providing a reason. However, they did fire Nick’s firm, so he didn’t come away unscathed.
Despite Nick’s company not doing anything wrong, a cybercriminal caused the loss of a client and almost $600,000. The investigation concluded that technical controls on John’s personal laptop were inadequate, the remote access “infection” was undetected and administrative controls at the client either didn’t exist or weren’t followed.
While Nick couldn’t influence the client’s security practices, he could prevent future incidents by strengthening his own. He implemented a complete security program, starting with a comprehensive risk assessment. Among Nick’s many risk-mitigation steps, he issued every employee a company-owned, properly secured laptop.
Top five security recommendations for 2026
No two businesses have the same risk profile or the same resources to manage it, so not every company would be as fortunate as those in these examples, which faced only minor consequences from a security incident. Regardless of a company’s risk profile and resources, the following recommendations can be used to mitigate risk:
- Conduct regular security risk assessments, at least annually.
- Don’t treat information security as a one-and-done project. As cybercrimes become more sophisticated, security must evolve as part of a company’s continuous improvement strategy.
- Create a security culture through training, policies and procedures.
- Think, “It’s not a matter of if a cyberattack will happen, it’s when,” and create multiple layers of protection.
- Create and rehearse an incident response plan (IRP). To draw on a sports analogy, teams practice plays so that they know how to execute on game day. Do the same with your IRP.
The heavy civil construction industry is no less vulnerable to cybercrime than any other sector, making cybersecurity a critical investment. By dedicating more resources to threat evaluation and protection, companies can fortify their defences. A well-crafted risk management strategy combining technical, administrative and physical safeguards acts as a shield against devastating financial losses and reputational damage. Taking these steps could save a world of trouble.
Scott Birmingham, C.E.T., CIM, is the principal consultant of Birmingham Consulting Inc.