Cyber risk is now the number one concern for business leaders worldwide, meaning cyber resilience deserves the same discipline and focus as physical safety in the construction industry, writes Alessandro Lezzi, head of cyber risks at Beazley
The construction and property sector has undergone a profound digital transformation. BIM workflows, cloud-based project management, IoT-enabled site equipment and AI-driven scheduling tools have created real efficiency gains, while simultaneously exposing vulnerabilities that many businesses are dangerously underestimating.
Beazley’s Spotlight on Cyber Threats & Tech Advances 2026 report, drawing on a survey of over 3,500 global business leaders, paints a sobering picture. Cyber risk has become the number one concern for businesses globally, and commercial property and construction firms are no exception.
A sector under sustained attack
Almost a third (32%) of property and construction respondents in the report identified cyber risk as their top business concern, consistent with the global finding that cyber has pulled ahead of all other threat categories since 2024.
External data reinforces why. In September 2025 alone, a resurgence in ransomware activity resulted in 562 publicly reported attacks, with construction and engineering as the most affected sector, accounting for over one in 10 (11.4%) victims.
This exposure is structural. Construction projects depend on the constant exchange of sensitive information across a complex network of architects, engineers, subcontractors, suppliers and owner representatives, making the sector a natural target for espionage, fraud and ransomware extortion.
In April 2024, the Chicago-based Skender Construction fell victim to a devastating ransomware attack that compromised the personal data of more than 1,000 employees.
Although strong backup practices allowed full data recovery, significant remediation was still required. Beazley’s data shows that across the manufacturing industry a ransomware attack on a mid-size company takes an average of 11.6 days to restore operations, with financial, regulatory and reputational fallout stretching an additional six to 18 months.
This is only compounded for the construction sector, where a single day of system downtime can halt a project, disrupt subcontractor payments and trigger costly contractual penalties.
The confidence gap
The most striking finding is not threat awareness but the confidence that sits alongside it. Beazley’s survey reveals that 74% of property and construction executives say they feel prepared for cyber risk and 76% believe they could fully recover financially from an attack.
That confidence deserves scrutiny. It raises a bigger question: how well do executives really understand the full fallout of a cyber attack?
Globally, 82% of executives claim to be prepared for cyber risk, even as AI-enabled attacks are becoming more effective and nearly half of successful breaches in late 2025 involved accounts with multi-factor authentication already enabled. Cyber incidents have evolved far beyond isolated data breaches into sustained operational crises.
For construction firms operating on tight cash flows, even a brief business interruption can pose a significant liquidity risk. If a main contractor’s systems are locked by ransomware, subcontractor payments stall, site operations may halt and clients further up the chain absorb the disruption.
Consider a mid-sized contractor managing a mixed-use development. A ransomware attack locks their project management and BIM platforms mid-build.
Day one brings operational paralysis, but the consequences quickly snowball. Automated site systems controlling crane scheduling and environmental monitoring are disrupted, creating physical safety risks for employees and potentially lead to costly EPL lawsuits.
Then stolen tender data surfaces with a rival business months later, harming your competitive edge and ability to acquire new business. Next comes the shareholder revolt and questions around why controls weren’t stronger, leaving the company’s senior leadership exposed as D&O liability crystallises around governance failures that predated the attack.
Many executive assumptions about financial recovery underestimate the long tail of a cyber incident. Costs do not peak on day one; they accumulate over months through legal exposure, regulatory scrutiny, reputational damage and remediation. In an industry built on margins of 1.5%–3%, that extended impact can become a serious strategic threat.
Regulation is tightening
And cyber risk is increasingly becoming a complex regulatory concern. In the UK, the new Cyber Security & Resilience Bill sets enforceable obligations around how executives must prepare for, respond to and disclose cyber incidents.
The bill proposes to shorten incident reporting timeframes from 72 hours to 24 hours and would require notifications to be made both to the UK National Cyber Security Centre and to the relevant sectoral regulator. Failure to comply carries significant D&O liability implications, a material concern for senior leaders in large construction and property firms.
The practical implication is clear: compliance is no longer a question of whether regulations apply, but which ones, and where the overlaps lie.
Building resilience that holds
Cyber resilience requires an always-on approach. Preparedness is not a one-off exercise; it must be preventive, responsive and adaptive. That means regularly testing business continuity plans, assessing insurance cover honestly and managing supply chain risk.
The construction sector has spent decades embedding physical safety into culture and governance. Cyber resilience now deserves the same discipline. Confidence in recovery is only as strong as the planning behind it.
The post Cyber risk in construction: Why confidence may be the sector’s biggest vulnerability appeared first on Planning, Building & Construction Today.
