Cloud storage and software security vulnerabilities in construction

Cloud storage and outdated or unsupported software threats often go unnoticed in the day-to day operations of construction companies. They result from convenience-driven workarounds, such as sharing files via personal email and delaying upgrades to avoid project disruption. However, these actions can lead to regulatory breaches, security vulnerabilities and operational downtime. 

Here, we explore the reasons behind their severe impact and outline proactive measures you can implement to guard against them. 

Cloud misconfigurations: convenience without configuration can be costly 

Cloud services are indispensable to modern construction operations. Platforms like SharePoint, OneDrive and Google Workspace are essential for managing drawings, contracts, schedules and communications across internal teams, subcontractors, consultants and clients. But while these tools offer powerful features, they also introduce risk – particularly when they are not properly configured. 

A cloud system that’s fast and flexible can just as easily become a weak link in your cyber security chain if security settings are left at their defaults, access controls are too permissive, or visibility of shared content is limited. 

At a mid-sized UK infrastructure contractor, a site manager uploaded updated project timelines and design files to a SharePoint folder meant for internal use. Unfortunately, the folder had inherited sharing permissions from a broader department-level directory, giving unintended access to over 200 users across different regions, including a former consultant who still had login credentials. 

The unscrupulous consultant, now working for a competitor, accessed the files and shared details of project cost estimates and programme sequencing. The competitor used this intelligence in a rival tender submission, prompting legal challenges and significant reputational damage. 

An internal review found that the contractor had no process for reviewing or managing inherited access permissions in its cloud systems. No one had been made responsible for auditing shared folders or tracking which external users had access to active project sites. 

Cloud storage with security 

Construction companies can take straightforward measures to reduce this kind of risk, including: 

• Securing file-sharing platforms with access controls to manage who can view or download documents. 
• Accessing logging and permissions to limit sensitive documents to specific roles or time-limited windows. 
• Increasing data classification and policy awareness so staff identify what data is sensitive and how it should be handled. 

Unpatched software: small delays, serious consequences 

Software patching often invisible, background work that’s easy to postpone – especially when systems appear to be running smoothly. But in today’s cyber threat landscape, failing to apply patches promptly can expose your construction business to avoidable risk. 

From estimation software to site scheduling tools, many construction systems rely on a mix of desktop apps, cloud services and integrations. Without regular updates, these systems become soft targets for attackers looking to exploit known vulnerabilities. 

A UK infrastructure consultancy suffered a serious breach after failing to apply a security patch to its project planning software. The patch had been issued by the vendor nearly four months earlier to address a critical vulnerability. However, the consultancy hadn’t applied the patch due to ongoing project pressures and a concern that it might cause temporary compatibility issues. 

An attacker exploited the unpatched weakness to gain administrative access, install malware and extract sensitive user credentials. They accessed archived bid documents, budget estimates and stakeholder communications related to publicly funded infrastructure projects. 

The breach led to an immediate review by several government clients, the loss of future framework bid opportunities and a multi-week period of internal system recovery. Teams across planning, procurement and design were forced into manual workarounds while new servers were built. The overall impact – financial, reputational, and operational – was enormous. 

Maintaining software security 

Construction companies can take the following steps to secure their software: 

• Keep a software inventory of all desktop and cloud-based software across your company and set reminders for upgrade or renewal cycles. 
• Use automatic patch management tools to check for missing updates and install critical patches centrally. 
• Prioritise patch updates that fix known vulnerabilities actively being exploited, particularly for software connected to the internet or used in file sharing and project collaboration. 

Help from the experts 

Cloud platforms are powerful collaboration tools but need sensible defaults, clear policies and light-touch user training. Similarly, staying up to date with patches is one of the simplest and most cost-effective ways to defend your data, projects and client trust. 

If your firm is unsure whether its software environment or data-sharing practices meet modern security expectations, we’re here to help. For practical, tailored support from a cyber security team that understands the construction sector, contact us.