Construction companies: mobile device risks and poor password hygiene

Construction teams rely on mobile phones and tablets for real-time site coordination, plan updates, time tracking and procurement. When these endpoints are unsecured or poor password habits persist, they are easy targets for attackers looking to exploit access and disrupt projects. 

Mobile devices: exposed endpoints on the move 

Smartphones and tablets are essential tools across construction sites. They often rely on public Wi-Fi, are shared between workers and often left unattended. Without the right safeguards, they are a backdoor into company systems for attackers. 

A regional construction firm was hit by a data breach after a foreman’s company-issued tablet was stolen from a vehicle. The device had saved login credentials for the firm’s cloud-based project management platform. Within 48 hours, attackers had used the device to access project files, change task assignments and exfiltrate internal documentation, including subcontractor payment details. 

Although access was eventually revoked, the breach led to delays across three active sites and a temporary halt on subcontractor payments while systems were reset and resecured. The total disruption lasted over two weeks, with significant financial and reputational costs. 

Mobile devices: security on the move 

To reduce the risk of data exposure from mobile devices, construction firms should adopt mobile-specific security controls, such as: 

• Mobile device management software that allows IT teams to remotely wipe lost or stolen devices, enforce strong access controls and restrict app usage.  
• Device encryption that requires a password. 
• Secure app usage through approved apps and secure portals. 

Weak passwords: easy entry for attackers 

Despite increased cyber awareness, weak and reused passwords are a persistent vulnerability. In construction, where teams use shared logins and default credentials for systems and equipment, poor password hygiene is a fast track to account compromise. 

A mechanical and electrical subcontractor suffered a system breach after an attacker gained access to their procurement portal using a default administrator password that had never been changed. The account had elevated privileges, allowing the attacker to download internal pricing schedules, alter orders and access past tender submissions linked to a major rail infrastructure project. 

The breach went unnoticed for over a week and was only flagged when a supplier questioned an unusual change in delivery location. An internal investigation revealed multiple shared accounts with simple, guessable passwords – some unchanged for years. The firm incurred costs for legal advice and system upgrades and had to withdraw from two pending tender opportunities to focus on recovery. 

Strong passwords: keeping attackers out 

To improve password security without disrupting day-to-day operations, construction companies should adopt robust controls, such as: 

• Enforcing strong password policies. 
• Password managers. 
• Multi-factor authentication. 

Help from the experts 

With the construction industry relying on digital connections, companies can significantly reduce the risk of cyber attacks by strengthening mobile security and access controls across their workforce. If your construction company is looking for cyber security advice, please get in touch for a no-obligation conversation.