Piling Canada

Cyber is the New Safety

Why construction needs to take cybersecurity seriously

Written by Ligia Braidotti
December 2025


The construction industry has long downplayed cybersecurity risks, viewing them as a concern for tech firms, hospitals or banks rather than companies focused on moving dirt. But as the sector digitizes everything from project bids to payment systems, cyber threats are rising fast.

Scott Birmingham, a cybersecurity expert and founder and principal consultant at Birmingham Consulting Inc., says the current state of cybersecurity in Canadian construction is underrated. “Construction as an industry generally lags behind in adopting technology and adapting to technology, and this is that scenario. It’s the same thing [in cybersecurity], where the risks are increasing exponentially, but the construction industry is not adapting to that,” he said.

“I like to draw a parallel with safety. Depending on the company, [it] is a priority or not. Well, it’s been forced to become a priority with owners now insisting that you have some certification, whether it be ISO, whether it be COR, whatever it is, and if you don’t have that certification, then you’re disqualified off the top. So that forced everybody to actually up their game when it came to safety.”

He says that the same cultural shift is overdue for cybersecurity. Most construction companies lack proper security measures because they don’t consider their business a target. Additionally, the companies that do have such measures may not have the corresponding paperwork because there isn’t any legislation in place.

“Owners are starting to demand a certain level of security now because of document sharing going on and fund transfers and stuff like that, but generally, until there’s an external force, the industry isn’t going to make that investment. It’s unfortunate, but it’s true,” he said. “Clive Thurston, former president of the Ontario General Contractors Association, actually said to me that cyber is the new safety, and people just haven’t realized it yet. That’s where we’re at. It’s not being addressed, and it’s like insurance, you don’t think about it until you need it.”

“We move dirt. Why would anybody come after us?”

The problem, Birmingham says, starts with a lack of awareness. “A lot of times you hear, ‘Well, we’re a construction company, we dig holes in the ground. We move dirt. Why would anybody come after us?’ Well, you don’t just move dirt, you move a lot of money,” he said. And that’s exactly what makes construction such an appealing target for criminals.

“They don’t care about what you do. They don’t care about your information. They want your money any way they can get it, and that’s what people don’t realize,” he said. “People think, ‘Oh, I’m not a doctor’s office. I don’t have patient information,’ or, ‘Oh, I’m not a financial firm, I don’t have personal information, so therefore we’re not a target. The only personal information, private information we have is our employees.’ Well, OK, [you] got a thousand of them. That’s not a lot when it comes to the breaches you read about, but who cares? You’re moving millions of dollars.”

And when money is being moved, especially electronically, criminals will always find a way to intercept it. “There’s apathy and there’s willful ignorance, and the apathy is we don’t think it’s going to happen to us. The willful ignorance is that it’s a risk, but mentally saying, ‘It’s a risk I’m willing to accept,’ when it shouldn’t be,” Birmingham said.

The rise of AI-driven fraud

Cyber criminals today aren’t just sending phishing emails. They’re using advanced artificial intelligence tools to impersonate company executives and even deepfake their faces in real time. Birmingham describes one case where someone posing as the company’s CFO emailed an employee in charge of payments, asking them to transfer funds or update account details.

Sensing something was unusual, the employee replied to confirm the request. The supposed CFO then proposed a quick video call to clarify. During this virtual meeting, hosted on a platform like Teams or Zoom, the image and voice convincingly matched the real CFO. In reality, both the email and the video call were generated by AI in real time, tricking the employee into transferring company funds. The company ended up losing $25 million.

“Go beyond what you think you need by a little bit so that when criminals are thinking beyond what you have, you’ve got it covered.”

Scott Birmingham, Birmingham Consulting Inc.

What made this scam effective was that the fake CFO wasn’t a pre-recorded video, but a live AI-generated recreation. It reacted in real time, copying the real CFO’s gestures and voice, making it nearly impossible to distinguish. “It was real time. We could be doing this in real time. This might not be me; you might not be you. How do we tell? That’s how this whole fraud happened. With AI now and free AI services, it’s easy,” he said.

To counter this, Birmingham suggests companies establish verification protocols even in video and voice calls, such as using a safe word or code word that a fake AI person wouldn’t know. Another protocol is to ask the person on the other side to draw a smiley face, which, according to Birmingham, is very difficult for AI to do. While these examples might sound extreme, the reality is that AI-driven fraud is already being weaponized.

“It’s pretty sad now when we have to start putting in all these checks and balances in our regular everyday lives, but that’s how easy it’s becoming,” Birmingham said. “Let’s face it, construction executives are focused on money, getting the job done and winning the next bid. This stuff they’re not thinking about.”

Whose responsibility is cybersecurity?

Birmingham explains that one of the challenges in construction is that cybersecurity doesn’t clearly belong to any one department. That lack of ownership leads to blind spots, especially when working with subcontractors or remote employees.

“It doesn’t fall under IT, doesn’t fall under HR, doesn’t fall under finance … doesn’t fall under safety. Whose responsibility is it?” he said. “If people aren’t situationally aware from the [accounts payable] clerk all the way up to the CEO, CFO and different levels aren’t aware of what’s going on, what the potential risks are, then how do you protect yourself?”

He gives an example of a firm that discovered one of its employees was working from home on a personal computer that wasn’t secure. “A personal device got compromised and nobody knew about it, and so the bad guy was basically operating as this employee and sending out emails and saw everything that they did,” Birmingham said. “There’s organizational risk there, and coming back to the example of situational awareness, this particular director wasn’t aware of that until he put two and two together.”

When subcontractors are involved, the risks multiply. “You have a data or electronic supply chain as well,” he said. “If they get compromised, there’s a good chance you were compromised.” To reduce that exposure, he recommends running annual vendor risk assessments, with a questionnaire that companies send out to subcontractors and keep on record.

Going beyond firewalls and passwords

Most companies assume cybersecurity is purely technical – software, firewalls and encryption. But Birmingham says that’s only one-third of the equation.

“You’ve got three different areas when it comes to risk or to security,” he said. “One being technical controls you can put in place, that’s all the fancy stuff. That’s your spam filters, that’s your firewalls, that’s all the sexy stuff. A bigger piece, in my opinion, is what’s called administrative controls. Do you have policies in place to say how quickly you should be able to get back up and running if you have a problem? Do you have an incident response plan? It’s not just cybersecurity, it’s security. Policies and procedures. Very boring, but very, very valuable.”

And then there are physical controls. He says people don’t think about this a whole lot, but offices should have policies in place so that people can’t mess with the network and servers.

“Do you actually lock up your jobsite iPads? Do you have a policy in place for when that site superintendent is travelling and he stops at a Tim Hortons to grab a coffee, actually goes in … that iPad is now out of sight and locked up in his truck? If not, somebody is going to walk by and see it on his seat and go smash the window and take it…. You say that’s a physical theft, but it leads to a data theft, and therefore a monetary theft,” he said.

Designing a security safety factor

Borrowing again from construction principles, Birmingham advises firms to build redundancy into their cybersecurity systems. “There’s the concept of a construction safety factor or a design safety factor,” he said. “You should do that with your security as well. Go beyond what you think you need by a little bit.”

Staying ahead in a fast-changing threat landscape

How quickly does cybercrime evolve? “Well, let me see. It’s now two o’clock eastern, my time. OK. Oh, 2:01, it changed,” Birmingham said. “It is that fast.” That’s why he strongly urges construction companies to act now and seek specialized help. “They need to have either a chief information security officer on staff, if they’re a big company, or some service to provide a fractional service if they’re smaller, whose job it is to help stay on top of those things.”

For companies without any cybersecurity program in place, Birmingham’s advice is simple: don’t wait to act. Start taking steps immediately, even if they are small. “You can’t manage what you can’t measure, so start off with a risk assessment,” he said. “If you don’t know where you’re at, start off small and build and do an initial risk assessment to identify your top five risks. We recommend an annual cycle that every quarter you’ve got specific areas of focus, and by the end of that year, now you do another risk assessment. You’re going to have a different top five if you’ve addressed those first top five or circumstances have changed.”

Sometimes, the outcome is even good news.

“Maybe that consultant walks away and says, ‘Look, you guys are in pretty good shape. The risks you have are minor. I wouldn’t worry about dealing with them.’ It might be good news,” he said. “It’s better to know than not know.”


