Picture this: it’s late Friday, and a construction team is wrapping up ahead of schedule. Then a call comes in – a site tablet is locked. Project files are missing. A ransom demand sits onscreen. The breach didn’t originate internally. It stemmed from a partner.
Specifically, a landscape subcontractor’s credentials – three years old and still active. It’s easy to overlook that kind of vulnerability. After all, we’ve spent decades perfecting the logistics of physical builds, ensuring safety, schedules, and specs align. But while you’ve been busy laying concrete and coordinating projects, a parallel reality has taken root. Your project’s digital infrastructure, its data, access points, and connected partners, has become just as foundational. And in many cases, far more exposed.
This isn’t an article that will suggest locking everything down so tight that no one can work. But it’s important to know that asking basic questions (such as, “Who has access to this?”) should feel as routine as a safety inspection on site.
Is their exposure your liability?
In 2023, a mid-sized Canadian civil contractor was hit by a ransomware attack traced back to a third-party environmental firm. That firm had retained access to cloud-stored documents after project closeout – on an unmanaged laptop using shared login credentials. No malice, just oversight. But the result? Project delays, reputational damage, and weeks of cleanup (Source: Canadian Underwriter).
Modern construction is deeply interconnected. Subcontractors, suppliers, material vendors, specialty trades, consultants… they don’t just show up with tools or deliveries anymore. They log in. They download specs. They join shared drives, submit bids through procurement platforms, and/or access project schedules in real time.
It’s not inherently bad – it’s actually efficient. But with each digital handshake, another access point opens. And very few general contractors, developers, design-build firms – even law firms – have a complete picture of who’s plugged into their systems, from where, and with what level of security maturity. When they connect to your environment, their exposure becomes your liability.
Cybersecurity vs. information security: the overlooked gap in construction
Let’s start with what’s really at stake. It’s not your systems or software; it’s information that can be converted into money. That’s what threat actors are after: plans, schedules, personnel files, bids, client information. In short, all types of data. Information security covers the full spectrum – digital data, physical documents, intellectual property, incident protocols, etc. Cybersecurity is a subfield of information security that only focuses on the technical controls (think firewalls, antivirus software, and the rest of the digital defenses).

Now here’s the disconnect: while your organization might have structured controls in place, what about the vendors and partners you both have access to, like files shared by owners, project managers, and lawyers? That’s often where things get murky.
Some are rock solid. Others still use personal Gmail accounts to access project portals. Some have no formal onboarding or offboarding process for user credentials. And some have never tested their incident response plan because, well, they don’t have one. So, no – if a subcontractor checks the “cybersecurity clause” in a contract, it doesn’t mean you’re risk-free. Because risk comes from how people behave when handling data.
Some of the tough questions to ask:
- Who manages user access on their end – and how often do they review it?
- Do they have an incident response plan for when they experience an incident? And within that plan, how quickly would you receive notification?
- Is there an actual person accountable for information security – not just an IT guy?
- Do they value the impact their security protocols might have on the contract – or are they just nodding through your compliance checklist?
You don’t need to get technical – just intentional
Leadership doesn’t need to know how the safety harness is engineered, but they do need to insist it’s worn. Information security is no different:
- Make individual access non-negotiable. Push for policies that eliminate shared logins across all subs and vendors.
- Set clear offboarding standards. Access for third parties should end automatically when the job does.
- Ensure your third-party suppliers value security. In your vendor qualification process, include questions about their security policies and procedures.
- Support healthy “cyber hygiene” for credentials between projects. Static passwords reused across sites are a silent liability.
- Short, consistent cyber-awareness talks. A few minutes a week can prevent thousands in downtime, just like daily safety talks prevent injury.
- Insist on mid-project access audits. Systems drift, and people accumulate privileges. Don’t wait for a breach to realize who still has keys.
When executives lead with clarity, the culture follows.
Addressing scope and capacity challenges
When you think about information security, your IT team probably comes to mind first – and for good reason. Because generally, they handle the technical defences: firewalls, malware scans, patching systems, and much more. But here’s the thing: IT departments juggle everything from complex network issues to user support. The bandwidth isn’t there to effectively oversee the full security picture.
This is because information security includes policies, physical security, and the human side of risk management, such as who has access to your job site’s sensitive info, how subcontractors are onboarded, or whether someone’s still using a shared login from last year. These areas often fall outside the IT team’s reach.
Leadership doesn’t need to know how the safety harness is engineered, but they do need to insist it’s worn.
Consider administrative procedures, like access control policies or managing vendor risk assessments. These critical controls fall outside the traditional scope of IT teams, yet they play a vital role in protecting organizational data. Such responsibilities require a broader perspective to maintain consistent application and accountability across the enterprise.
It’s increasingly common to engage external firms that provide virtual chief information security officer (vCISO) services or similar advisory roles. These services work in tandem with IT – IT teams focus on operational efficiency, while vCISOs concentrate on security.
Outsourcing in this way allows companies to holistically approach security, complementing the technical controls managed by IT. It also helps bridge the gap between technology-focused teams and the broader organizational needs around risk management and regulatory expectations. In other words, it’s not about utilizing your internal IT team more. It’s about reinforcing the work they do with supplemental expertise.
You set the tone – make it count
Subcontractors reflect the environment that leaders create. If security shows up in RFPs, onboarding, project closeouts, and executive reviews… it’s taken seriously.
Ask the tough questions. Encourage better habits. Support the people trying to do it right. You’ll send a quiet, powerful message that security matters. Not just because of the risk, but because it’s part of doing the job well. When things go smoothly, and they will, it’ll be because the entire organization helped build a smarter, more resilient way of working. One decision, one expectation at a time.
You already hold the blueprint. Time to build accordingly.
Scott Birmingham, C.E.T., C.I.M., is the founder of Birmingham Consulting Inc.

