

URL: technolene.com/blog/cyberrodent
Nobody designs or builds a building expecting a rodent to walk in through the front door. Pests find the gap around a pipe, the spot where the flashing wasn’t quite sealed, the door left slightly open by a subcontractor at the end of the day. By the time you hear the scratching in the ceiling, they’ve been inside for weeks.
Cybercriminals, like rats, work the same way. They don’t break through the front door of your network. They look for the unsealed joint, that gap between the pipe and penetration opening.
The AEC Industry’s Specific Exposure
Architecture, engineering, construction, and manufacturing firms operate with a particular kind of openness. The openness that comes from sharing files constantly — CAD drawings, BIM models, RFIs, contracts, change orders — with an extended network of subcontractors, vendors, consultants, and clients. That collaboration is what makes the work happen. It’s also what makes your business attractive to attackers.
In 2024, the construction sector topped the list of spearphishing victim industries among all sectors measured by threat researchers — averaging 1.65 targeted phishing attacks per employee. [1] That’s not because attackers have a particular dislike of the building trades. It’s because the supply chain gives them so many possible openings.
The Unsealed Joint
Every business has one. Old software still running on a workstation because “we still use that for one thing.” A vendor portal with a password that hasn’t changed since the project manager left. A subcontractor who had access to a shared project folder and still does — even though that project closed eight months ago.
Attackers don’t need to defeat sophisticated security. They need one unsealed joint, one account. Once they’re in, they move quietly — exploring what’s accessible, setting up persistence, watching before they act.
Rapid7’s analysis of the building and construction sector threat landscape found that attackers frequently purchase pre-obtained credentials from dark web markets — meaning they often enter a network using login information that was already stolen and sold before anyone at the business was even aware. [2] Just like the rats, they don’t announce the infestation. They don’t put a sign on the door.
The warning is almost always there. The question is whether anyone catches it.
What They’re Actually After
Most small firms assume they’re not worth targeting — that cybercriminals go after banks, not a 30-person engineering practice. That’s not how the math works.
A BIM model isn’t just a design file. It contains structural layouts, mechanical routing, access point locations, and client site details. Stealing that data from an AEC firm can be more valuable — and far easier — than attacking the building owner directly. For firms working on public infrastructure, the stakes are even higher.
There’s also the financial angle. Construction projects involve large sums of money changing hands under deadline pressure. Vendor email compromise attacks — where an attacker controls or spoofs a supplier’s email to redirect payments — rose 66% in the first half of 2024. The FBI has identified business email compromise (BEC) as responsible for over $55 billion in losses globally over the past decade. [3] An invoice that looks exactly like all the others arrives. A payment change request comes from a vendor you recognize. By the time someone checks, the transfer is done the money is gone.
The Subcontractor Hatch
Attackers understand how AEC projects are structured. They know you work with dozens of partners, that new subcontractors come on mid-project, and that your team is accustomed to receiving invoices, drawings, and contract attachments by email — often under deadline pressure. That workflow is exactly what they exploit.
“Updated structural drawings attached.” “Revised invoice per your request.” “Please confirm the bank details for next payment.” None of these are unusual communications in a construction workflow. They’re Tuesday.
The 2025 Verizon Data Breach Investigations Report found that third-party involvement in breaches doubled to 30% of all incidents, up from 15% the prior year. [4] That’s not a coincidence — it reflects how effectively attackers exploit supply chains in industries like construction and manufacturing, where vendor relationships are numerous and trust is often high.
The Cost of Inaction
The same Verizon report found that ransomware appeared in 88% of small and mid-sized business breach incidents in 2025, compared to just 39% at large organizations. [4] SMBs aren’t targeted less frequently. They’re targeted more, with fewer resources to respond when something goes wrong.
For a firm where project continuity depends on access to current files, a ransomware incident isn’t just a recovery cost. It’s a missed deadline. It’s a subcontractor who can’t get the revised drawings. It’s a client who finds out their project data was exposed.
A locked door doesn’t help much if someone already has a key.

Where to Start
None of this requires a major security overhaul. The most impactful first steps for a business in the 20 – 50 size range are also the most straightforward.
Review who has access to what — and revoke it when a project ends or a vendor relationship changes. Enable multi-factor authentication on email and any project portal your firm uses, not just your bank account. Establish a habit of verbal confirmation before processing any wire transfer or payment change (review your SOP’s) that arrives by email. And make sure your staff knows what a suspicious attachment looks like (cyber training) – and has somewhere to report it.
These aren’t exotic interventions. They’re the digital equivalent of checking that the back door is closed and locked.
If you’d like a clear picture of where your firm’s actual exposure sits, Technolene works with AEC and manufacturing companies to review current security posture — without pressure and without jargon. Just an honest look at what’s there and what’s not.
→ Reach out at technolene.com/contact to schedule a conversation.
References
[1] CybelAngel / ReliaQuest. “Why the Construction Industry is Targeted by Cybercriminals.” cybelangel.com/blog/cyberattacks-in-the-construction-industry/
[2] Rapid7. “Threat Landscape of the Building and Construction Sector.” rapid7.com/blog/post/tr-building-construction-sector-threat-landscape-initial-access-supply-chain-iot/
[3] FBI Internet Crime Complaint Center. “Business Email Compromise: The $55 Billion Scam.” ic3.gov/PSA/2024/PSA240911
[4] Verizon. “2025 Data Breach Investigations Report.” verizon.com/business/resources/reports/2025-dbir-data-breach-investigations-report.pdf
