CFOtech Canada - Technology news for CFOs & financial decision-makers
QBE warns ransomware is top construction cyber threat

Tue, 9th Jun 2026

QBE has warned that ransomware is the construction industry's most significant cyber threat, with its research finding that each incident leads to an average of 24 days of downtime.

The findings come from a report produced with Control Risks on cyber exposure across construction and infrastructure.

The sector's growing use of digital tools has expanded the number of routes available to attackers. Building Information Modelling, connected operational technology and AI-led systems are becoming more common on projects, linking data systems more closely with equipment used on site.

That shift has increased the overlap between cyber risk and operational disruption. Where systems handling project data are connected to equipment controls, a breach can disrupt on-site workflows as well as office-based functions.

Survey data cited in the report showed that 79% of senior digital risk experts questioned by Control Risks viewed ransomware as the threat most likely to have a significant effect on construction organisations. The report said the impact can spread quickly across a project when access to drawings, data or shared digital platforms is blocked.

The report also pointed to rising activity targeting connected devices in the sector. Internet of Things malware targeting construction increased by 410% in 2025, while 81% of operational technology incidents involved inadequate separation from IT systems.

Wider exposure

Construction groups are often connected to broad networks of contractors, suppliers and subcontractors, creating multiple points of access to project systems. Shared platforms used for collaboration, remote access and project delivery can improve coordination, but they also increase exposure when security controls are weak.

Construction companies are rarely the main target of state-aligned cyber actors, but their role in delivering critical infrastructure leaves them exposed. Against a backdrop of geopolitical tension, attacks on supply chains and supporting industries can still disrupt major projects.

Kyle Gray, Underwriter Team Lead, Cyber, QBE Canada, said: "A single ransomware incident can now derail an entire construction project. When access to drawings, project data or digital platforms is lost, costs escalate, project completion is put at risk and subcontractors feel the knock-on effect immediately. Many construction firms still treat cyber resilience as an IT issue, but it needs to be considered alongside traditional project risks to deliver on time and reduce unforeseen costs."

His comments reflect a broader concern in the report that cyber planning is still too often separated from mainstream project risk management. Firms, brokers and risk managers should build cyber considerations into projects from the start rather than treat them as a standalone technology issue.

Planning and response

The report highlighted governance, supply chain visibility and tested incident response plans as priorities for the sector. That includes understanding who has access to shared systems, how networks are segmented and how quickly operations can recover if a platform or connected device is compromised.

Poor separation between IT and operational equipment was identified as a recurring weakness. In practice, that can allow a breach that begins in an administrative or communications system to spread into environments connected to physical operations.

For construction companies, the effects of an attack can extend beyond data loss. Site operations may stop, project schedules can slip and the disruption can spread through a chain of contractors working to fixed deadlines and budgets.

Gray said: "The risk profile of a cyber incident in construction has fundamentally changed. Many breaches now interrupt workflows, lock out critical systems and, in some cases, affect the physical environment through connected operational technology. The line between cyber risk and operational risk has effectively disappeared."