Industry insights


Heavily reliant on delivering projects on a timeline, construction organizations are prime targets for ransomware attacks that have the potential to disrupt business. There is also the risk of Intellectual Property (IP) theft of sensitive blueprints, as well as a potential breach of Artificial Intelligence (AI) powered autonomous vehicles. While the construction industry has historically avoided the cyber risk spotlight, vulnerabilities are increasing.

How does the construction industry stack up?

2.2 (basic)

The average CyQu rating for construction organizations globally is 2.2/4 (basic).

What this means

This rating indicates that cyber security maturity is at a basic level. Organizational cyber security risk management practices and technologies are not formalized, and risk is managed in an ad hoc and sometimes reactive manner. Risk management practices and technologies are not established organization-wide.

Explore the most pertinent cyber risks to construction organizations, map them to key cyber security controls, and determine actions your organization can take to close cyber security gaps.


*Aon's Cyber Quotient Evaluation (CyQu) is a comprehensive cyber risk assessment that evaluates cyber risk across 9 security domains and 35 critical control areas.

Underpinned by proprietary data and expert insights, explore four key risk themes that are prominent to construction organizations today.


Navigate new exposures:

Rapid digital evolution

More than half (57%) of organizations do not undertake any form of penetration testing. This is not surprising, given the perception within construction that cyber risk is less critical for the industry. As the industry matures digitally, cyber risk will become more visible, and controls will need to be maintained.

Know your partners:

Third-party risk

Construction organizations are poorly positioned to manage third-party security risks, with only 6% reporting that they have adequate measures in place.

With the emergence of Industrial Internet of Things (IIoT) in the built environment and the digital transformation of construction operations, third-party security risks represent a material exposure to this historically less digitally advanced industry sector.

Accordingly, construction organizations need to adopt security assessments during third-party vetting and onboarding processes, and include cyber insurance provisions and vendor security remediation requirements in third-party contracts.

Concentrate on controls:


59% of organizations have no formalized Business Continuity Management (BCM) process in place, and 69% of respondents have no formalized incident response process. As the industry moves to a more digital environment, the potential for serious disruption is likely to increase.

Perfect the basics:


Construction organizations have been slow to adopt good practices concerning data security and regulatory management. Only 14% of organizations report having adequate measures in place to manage their privacy and cyber security regulatory profile. As construction projects adopt more data analytics, web-connected Operational Technology (OT), Industrial Internet of Things (IIoT), and automation, regulations governing data privacy and security notifications will be increasingly important to their regulatory risk profile. Construction organizations need to get ahead of the curve with better governance and data protection measures.
