Construction & Infrastructure
Construction gets scammed more often than it gets hacked
Security support for NZ construction and infrastructure firms — written for the progress-claim redirect, the subbie access pile-up, and the client questionnaire that's now on every tender.
Sector Reality
The question a customer or insurer asks before the deal
It rarely starts with a breach. It starts with a progress-claim email the accounts team can't verify
Waiting costs more when the project is live. A head contractor question becomes a withheld progress claim. An insurer renewal becomes an exclusion on subcontractor work. A principal's security questionnaire becomes a missed tender. Each one takes longer to answer than the original question would have taken to pre-empt.
Common Pressure Points
Where the questions cluster before the deal lands
Where the bid team, the accounts team, and the site office all get the same question from different buyers
The bank-change email came in at 8:12pm. The money went out at 9:15am
Invoice-redirect fraud is the single most expensive hour a construction firm can have, and retentions are the worst case — they land months after the main work, the sender is rarely double-checked, and the amount is 5-10% of a large contract. The email looked right. The change request looked routine. By the time someone asked 'wait, did anyone actually confirm that?', the money was already in a mule account — and getting it back is rarely possible.
Every new subbie gets a login. What happens to it when the job wraps up?
A live project can pull thirty trade logins, fifteen consultant logins, and a handful of supplier accounts. The project managers who grant them are rarely the ones who remove them. Most firms can't tell you today how many active logins still belong to people who finished work six months ago.
The principal wants your H&S plan. Now they want your security plan too
Major clients and government agencies used to ask about your health-and-safety paperwork. Now they ask how you manage project data, who has access to the plans, and what happens if a laptop walks off site. Without a written answer, the tender doesn't get shortlisted — and no one tells you why.
Every job builds a new data sprawl. Every job ends without clearing it
Plans, pricing schedules, retention schedules, subcontractor contact details, client briefs — sitting across cloud folders, email attachments, one project manager's laptop, and three different project-management tools. When the job closes, none of it gets cleaned up. It just stays, ageing — until a competitor bids against you with pricing they shouldn't have, or a former subbie pulls it up months later to dispute a retention claim.
Standards That Apply
The evidence that ends the questionnaire loop
Common obligations and buyer expectations
Relevant Services
First month: baseline, ownership, and one piece of evidence
The first month: a live subcontractor access register, a tested invoice-verification flow, and one piece of evidence the head contractor can't bounce
Stop Guessing When A Buyer Asks How Secure You Are
See where the business is exposed, what matters first, and what should be fixed before the next review, buyer question, or renewal lands.
Track The Suppliers That Could Expose The Business
Track supplier security risk in one place so onboarding, renewals, and exceptions stop living in scattered emails and spreadsheets.
Run The First Hour Of An Incident Without Winging It
Give the team a usable response plan for the incidents most likely to hurt the business, before the first real incident hits.
Stop Maintaining Policies Nobody Actually Reads
Put the policies the business actually needs in place, keep them current, and stop policy work turning into an annual scramble.
Pass The Insurance Renewal Without A Three-Week Scramble
Prepare the business for cyber-insurance applications and renewals with clearer control evidence, cleaner questionnaire answers, and fewer surprises from underwriters.
Make Awareness Change What Staff Actually Do
Turn awareness from annual box-ticking into staff behaviours that reduce the risks most likely to cost the business money, time, or trust.
Questions We Hear
The questions every discovery call opens with
We're a construction company — can we afford dedicated security support?
NZ construction firm ACK Contractors lost $668,000 in a single invoice-fraud attack. Construction firms are top targets because payments are high-value and approval chains are long. Support starts from $1,750 a month — less than the excess on most cyber insurance policies, and a fraction of a single invoice-fraud loss.
Our IT provider handles our security — isn't that enough?
Your IT provider keeps your systems running across sites and offices. But subcontractor access, project data, mobile workforce policies, and critical infrastructure expectations sit outside what IT is hired to do. When a subbie's compromised login hits your project management system, the response needs someone who has already decided what matters — not just a password reset.
We haven't had a cyber incident — why invest now?
Invoice-redirect fraud in Australia hit $152.6 million in FY2024, up 66% year-on-year, with construction among the most targeted sectors. Attackers target construction because payments are high-value, subcontractor chains are long, and approvals move fast. Most firms don't act because they've been breached — they act because a customer now requires it, or because a near-miss made it real. Government and infrastructure clients increasingly want to see evidence before awarding contracts.
We work with dozens of subcontractors — how does this help manage that risk?
Subcontractor risk is one of the first things we help construction firms tighten. We build a vendor register that captures who has access to what, write simple onboarding and offboarding steps your team can actually follow, and set a minimum security standard for third parties touching your systems. Less exposure, no site delays.
What Usually Happens Next
Tighten the control where the money is, without slowing the job
If an invoice-redirect scare, a messy subbie handover, or a principal's security questionnaire is already in the room, we'll help you decide what gets locked down first — without pretending site work can stop for a day of paperwork.