Building Safely in the Age of AI: Cybersecurity in Construction 

This article explores how US construction can embrace the opportunities created by AI while maintaining strong cybersecurity, including the key risks to understand and the practical steps firms can take to protect their data. 

Access Coins Evo is built for exactly this challenge. Our construction-specific ERP platform is ISO 27001 (information security) and ISO 42001 (AI management) certified, with role-based access controls and enterprise-grade security designed to give construction businesses the power of AI without compromising on data protection. 

8 minutes

Written by Alex Boury.

Posted 05/05/2026

Cybersecurity in US Construction – At-A-Glance

  • Construction is now ranked among the top three most-targeted sectors for ransomware globally. In 2024, 481 US construction firms were listed on ransomware data-leak sites – a 41% increase YoY. 
  • High-profile attacks on Change Healthcare and Ingram Micro show that no organization is immune – and construction’s large contract values, complex subcontractor networks and distributed jobsite workforces make it an attractive target. 
  • The Change Healthcare attack alone affected approximately 193 million Americans – the largest healthcare data breach in US history – with parent UnitedHealth Group reporting attack-related costs north of $2.4 billion. 
  • AI is beginning to reshape construction through predictive scheduling, automated document management and forecasting, but adoption remains patchy, held back by fragmented data, skills gaps and security concerns. 
  • Construction firms handle commercially sensitive data, and AI tools that rely on third-party cloud pipelines can expose that data if proper safeguards aren’t in place. 
  • ‘Shadow AI’, where employees use public AI tools to process confidential documents, is an emerging risk, alongside compliance obligations under state breach notification laws (now in force in all 50 states), HIPAA for healthcare-adjacent project data, the SEC’s 4-business-day disclosure rule for public companies, and CMMC for Department of Defense contractors. 
  • Best practice means establishing a data governance framework, vetting vendors against ISO 27001 and ISO 42001 standards, enforcing role-based access controls, and choosing construction-specific platforms over generic tools.

The US construction industry is rapidly digitizing. Cloud-based project management systems, digital procurement, mobile workforce tools and data-driven forecasting are transforming how projects are planned and delivered.

As these technologies become embedded in daily operations, they also expand the industry’s exposure to cyber risk. Construction businesses now manage large volumes of sensitive data, including financial records, contracts, intellectual property and client information, making strong cybersecurity in construction more important than ever.

At the same time, artificial intelligence (AI) is beginning to reshape the sector, offering capabilities such as predictive scheduling and automated document management. 

While the opportunities are significant, they also raise important questions around AI data security and how construction businesses can adopt these tools safely as the industry moves deeper into the age of AI. 

When household names get hacked: lessons for construction 

Cyberattacks are no longer a niche IT issue. The last two years have produced some of the most disruptive incidents in modern American corporate history, and the pattern is unmistakable: attackers are now hitting the operational backbone of US business. 

In February 2024, the ALPHV/BlackCat ransomware group breached Change Healthcare, the UnitedHealth Group subsidiary that processes roughly one in every three US patient records. Pharmacies, providers and billing operations were paralyzed across the country, with the company ultimately confirming that approximately 193 million Americans had their data exposed – the largest healthcare data breach on record. UnitedHealth has reported attack-related costs of more than $2.4 billion. 

In July 2025, Ingram Micro – the world’s largest IT distributor and a critical link between vendors like Microsoft, Cisco and Dell and tens of thousands of resellers – was hit by the SafePay ransomware group, with disruption estimated at up to $136 million in lost revenue per day. 

Together, these incidents demonstrate that even large organizations with significant security resources can be brought to a standstill – and that the wider supply chain often pays the heaviest price. 

The cost of a data breach in the US

CISA and the FBI continue to warn that ransomware is the most pervasive cyber threat to US businesses, and IBM’s 2024 Cost of a Data Breach Report puts the average US breach cost at $9.36 million – the highest of any country.  

For individual incidents, the cost can climb into the hundreds of millions once downtime, forensic investigation, recovery, regulatory penalties, class-action exposure and reputational damage are taken into account. 

US construction firms also face a fragmented compliance landscape. All 50 states now have data breach notification laws, each with its own definitions, timelines and notification thresholds – the Skender Construction breach in 2024, for example, was disclosed via a filing with the Maine Attorney General’s Office. Public companies have a four-business-day window to disclose material cyber incidents under the SEC’s 2023 rules.  

Healthcare-adjacent project data is subject to HIPAA, and any contractor working in the federal or Department of Defense supply chain must contend with NIST SP 800-171 and the Cybersecurity Maturity Model Certification (CMMC) program. 

Construction may not always appear in the headlines, but it is squarely in attackers’ sights. Large contract payments, complex supplier networks, and distributed workforces moving between jobsites create opportunities for fraud, ransomware and data theft.  

The March 2024 attack on Chicago-based general contractor Skender Construction is a clear example: the Underground Team ransomware group exfiltrated approximately 615 GB of data – architectural drawings, financial records and employee personal information – affecting more than 1,000 individuals.  

Skender was able to restore from backups without paying a ransom, but the data had already been accessed. Across the sector, 481 US construction firms appeared on ransomware data-leak sites in 2024 alone, a 41% year-over-year increase.

AI in construction: big promises, slow progress 

Artificial intelligence has the potential to significantly improve productivity in US construction, an industry that has historically lagged behind others in digital transformation. 

Today, AI is being explored across several areas of project delivery. Algorithms can analyze historical project data to forecast delays, identify cost risks and improve scheduling. 

AI-driven document management systems can categorize contracts, RFIs, submittals and invoices automatically, while predictive analytics can forecast equipment maintenance needs. 

Why AI adoption remains inconsistent in construction

Despite these possibilities, adoption remains uneven. Many organizations are still experimenting with pilot programs or proof-of-concept projects rather than rolling out AI at scale. 

Several factors contribute to this cautious approach. Fragmented data systems make it harder to build reliable AI models, while skills shortages and change management challenges can also slow adoption. 

Uncertainty around the accuracy of AI outputs and the return on investment remains a concern for many leaders. 

Another key issue is AI data security. AI tools rely on large volumes of data to operate effectively, and businesses are increasingly aware that poorly governed or protected data can create new vulnerabilities. 

What makes construction data sensitive to AI security concerns 

US construction firms handle some of the most commercially sensitive data in the business ecosystem. 

Project budgets, bid pricing, subcontractor agreements, AIA-style pay applications, lien waivers, payroll records and client information all move through digital systems during the lifecycle of a project. On federally funded or Department of Defense work, that data may also touch contract clauses with security obligations of their own. 

When AI tools process this information, AI data security becomes a critical issue. Many general-purpose AI platforms process data through third-party cloud services or external pipelines. 

If sensitive documents are uploaded without proper safeguards, organizations may lose visibility over where their data is stored or how it is used. 

The specific AI and data security risks US construction firms face 

One emerging challenge is ‘shadow AI’. Employees experimenting with publicly available AI tools may unintentionally upload confidential project documents or financial information to save time. 

While the intent is usually productivity, the result can expose organizations to serious AI data security concerns – particularly when those tools train on submitted data or store it in jurisdictions with different protection standards. 

There are also regulatory considerations. Across all 50 states, breach notification laws require contractors to notify affected individuals (and often state attorneys general) within defined timeframes when personal information is compromised. Federal contractors must align to NIST SP 800-171 and, increasingly, hold Cybersecurity Maturity Model Certification (CMMC) to bid on Department of Defense work. Public companies must disclose material cyber incidents to the SEC within four business days of determining materiality. 

Failing to address these AI data security concerns can lead to contractual disputes, regulatory penalties, class-action lawsuits, reputational damage and costly project disruption.

Best practices: securing AI in a construction environment

While the risks are real, they can be managed with the right governance and technology foundations. 

Start with a data governance framework 

Construction businesses need clear visibility over their data – in particular, what information they hold, where it is stored and who can access it. 

Regular data audits can help identify vulnerabilities and ensure sensitive information is properly classified and protected. Aligning to a recognized framework such as the NIST Cybersecurity Framework (CSF) 2.0 gives a defensible baseline that is also widely understood by clients, insurers and federal contracting officers. 


Vet your AI vendors rigorously 

Technology partners should meet recognized security standards such as ISO 27001, an international certification that verifies a company has strong systems in place to manage and protect sensitive data, and SOC 2 reporting, the standard most US enterprises rely on for vendor due diligence. 

New frameworks such as ISO 42001, an international standard for the responsible development, management and governance of artificial intelligence systems, are also emerging to guide the oversight of AI.  


Train your people, not just your systems 

Access controls are critical. Role-based access systems ensure employees only see the information necessary for their role, reducing the risk of accidental exposure. 

Organizations should establish clear internal policies around AI use to prevent shadow AI practices and reduce AI data security concerns. Combined with awareness training on phishing and social engineering – the entry point for the majority of construction-sector incidents, including the Skender breach – this is one of the highest-return security investments a contractor can make. 


Choose industry-specific solutions over generic tools 

Construction-specific platforms integrate financial, project, equipment and workforce data within a single environment. This reduces the need for multiple external integrations and helps strengthen cybersecurity in construction by limiting the exposure of sensitive information. 

Together, these practices can help US construction businesses to address AI data security concerns while still benefiting from innovation. 

How Access Coins Evo is built for secure construction

Purpose-built for construction, secured from the ground up

As construction businesses explore the potential of AI, many are looking for solutions that combine advanced capability with enterprise-grade security. 

Access Coins Evo has been designed with this balance in mind. 

As a construction-specific ERP platform, it brings financial management, project management, job costing, procurement and workforce systems together into a single environment. 

The platform is built to meet rigorous security standards, including ISO 27001 certification for information security management and ISO 42001 certification for the responsible governance of artificial intelligence. 

Hosted on Microsoft Azure infrastructure, Access Coins Evo also delivers enterprise-grade reliability with a 99.9% uptime guarantee backed by automated disaster recovery. 


AI that works within your security perimeter 

Crucially, Access Coins Evo’s AI capabilities operate within the platform’s security framework rather than relying on external tools or disconnected integrations. 

This approach allows organizations to benefit from AI-driven insights while maintaining control over their data. 

By embedding AI within a secure construction-specific environment, Access Coins Evo enables construction businesses to adopt AI confidently, knowing that sensitive project data remains protected.

Access Coins Evo’s multi-layered security approach

Security within Access Coins Evo is implemented across multiple layers, from application-level controls to underlying infrastructure protections. 

Application security: controlling who sees what 

At the application level, granular role-based access controls ensure users only access the information relevant to their responsibilities. 

Additional safeguards such as segregation of duties, single sign-on authentication, and detailed auditing help prevent unauthorized access while maintaining accountability. 

Infrastructure security: built on Azure’s enterprise-grade foundation 

Infrastructure security is supported through Microsoft Azure’s enterprise-grade environment, including advanced physical data center protection, encrypted network connections and dedicated virtual networks for each customer environment. 

Data is protected using AES-256 encryption, a widely used method that converts information into secure code so it cannot be read without authorized access. 

The platform also incorporates extensive security testing. Hundreds of penetration tests are conducted annually to identify vulnerabilities before they can be exploited, supported by a secure software development lifecycle aligned with recognized industry standards. 

Compliance and certifications: meeting the highest standards 

  • Access Coins Evo is supported by recognized security frameworks including ISO 27001 certification, an international standard showing a company has been independently audited and has strong systems in place to protect sensitive data and manage information security. 
  • It also holds the ISO 42001 certification for AI governance – the international standard for responsible AI management – making us one of very few construction ERP providers certified at this level. 
  • Access Coins Evo also complies with SOC 1 Type II – an independent audit that verifies a company’s systems and controls for managing financial data are secure and working effectively over time. 

These measures provide a robust foundation for secure digital operations within the Access Coins Evo system. 

As AI continues to reshape the construction industry, businesses need technology that supports innovation without compromising security. 

Access Coins Evo provides that balance, combining powerful AI capabilities with enterprise-grade data protection designed specifically for construction environments. 

By embedding AI within a secure, purpose-built ERP platform, it enables organizations to confidently adopt new technology while safeguarding sensitive project and financial data. 

To learn more about how Access Coins Evo can support secure, AI-enabled construction operations, explore the platform or speak with the Access Construction team.

By Alex Boury

General Manager

With over a decade of experience working in construction software, Alex has worked with a number of Tier 1 international construction firms to aid their digital transformation.  

Alex has applied his two master's degrees in engineering to overseeing and strengthening the Access Construction software suite, building partnerships and leading growth to ensure Access provides a world-class solution for the construction sector.  
