Behind the alarming rise of cyberattacks in the construction industry

Ransomware is considered the most significant cyber threat to the construction industry, in which each incident leads to an average of 24 days of downtime, a new report by global business insurer QBE warns.

To put that into context, a 2023 survey examining data resilience in the construction sector found 77% of respondents tolerate no more than five days without access to project documentation before experiencing severe operational impacts.

“A single ransomware incident can now derail an entire construction project,” comments Kyle Gray, the underwriter team lead for cyber at QBE Canada. “When access to drawings, project data or digital platforms is lost, costs escalate, project completion is put at risk and subcontractors feel the knock-on effect immediately.”

QBE cites a 2025 report by the cloud-security company Zscaler, which found a 410% year-on-year increase in internet of things (IoT) malware activity targeting the construction sector.

Why so many attacks in the construction sector?

One main reason is the increased adoption of digital tools such as building information modelling (BIM), connected operational technology (OT), and AI-driven systems across the construction industry. Such integration has expanded the cyberattack surface across the construction and infrastructure sector, QBE Canada says.

BIM technologies allow construction contractors to collaborate remotely on the same project, ensuring all participating parties share the same up-to-date view of key information such as building drawings and models.

Similarly, contractors are increasingly integrating information technology (IT), which manages business data and communications, with operational technologies (OT) used to control building processes and machinery.

Examples of OT include building automation systems that control HVAC (heating, ventilation and air conditioning), lighting, and energy use. OT also includes sensors and IoT devices that monitor temperature, vibration, occupancy, water flow, or equipment performance in homes and businesses.

Also in the news: What start-up MGAs need to find capacity partners

“If systems are not securely integrated, attackers who gain access to IT networks may be able to move laterally into OT environments undetected,” says a QBE report, From blueprints to breaches. “A 2026 report found that inadequate segmentation between IT and OT systems was a contributing factor in 81% of OT incident response cases in 2025.”

Twenty percent of cybercriminals in the study breached systems for the purpose of “disruption, destruction, [and] sabotage,” the report observes. But 17% are the result of state-sponsored espionage.

“Notably, many serious losses still stem from relatively basic issues: identity and access [i.e. password] management, legacy systems that cannot be easily patched, trusted third party access, and social engineering,” Gray says. “Addressing these fundamental cyber risks can significantly reduce both the severity and duration of disruptions.”

Canada’s proposed Critical Cyber Systems Protection Act (CCSPA) is expected to introduce new guidance for organizations operating critical national infrastructure and their supply chains.

“Organizations across the [construction and infrastructure] sector will need to adopt a more structured, risk-led and resilience-focused approach to cyber risk management,” QBE’s report states. “This includes strengthening governance, improving IT/OT security practices, and ensuring robust incident response planning is in place.”