Three construction professionals wearing safety helmets stand on the upper floor of a building under construction, reviewing project plans together.

Security Awareness Training in Construction: Is Your Programme Built for the Right Threats?

Published on 14.07.20265 min read

Construction firms are among the most targeted organisations for ransomware, yet security awareness training is one of the hardest things to get right in the sector. Not because firms don't care, or the technology isn't available. Most security awareness training is built around generic corporate phishing scenarios rather than the supplier, contractor, and project communications construction teams deal with every day.

Construction and engineering ranked as the most impacted sector for ransomware in September 2025, accounting for 11.4% of all victims[1]. Ransomware attacks against the sector grew 41% between 2023 and 2024[2].

The average ransomware incident now results in 24 days of downtime[3], and 77% of construction organisations say they cannot tolerate more than five days without access to project documentation before severe operational impact sets in[4]. The pressure to restore systems quickly is exactly what attackers rely on.

How Supply Chains Create the Risk

Construction organisations operate with complex, multi-tier supply chains. Subcontractors, specialist consultants, equipment suppliers, and project partners all communicate through the same inboxes, often urgently, about deliveries, change orders, invoice approvals, and project updates. That volume of routine external communication is exactly the environment phishing campaigns are designed to exploit.

Construction teams coordinate constantly with external organisations. Purchase orders, delivery notifications, invoice approvals, contractor queries, and project updates arrive throughout the day, often requiring quick decisions. The challenge isn't recognising phishing emails in isolation. It's distinguishing malicious messages from hundreds of legitimate communications that look almost identical.

Attacks targeting construction firms frequently impersonate familiar suppliers or project partners, constructing messages that mirror the pace and format of genuine operational communications. A convincing invoice request from what appears to be a trusted contractor, or a delivery update requiring urgent action, can bypass the instincts of employees who would otherwise be suspicious.

When the expectation is that things move fast, the instinct to pause and verify weakens.

This supply chain exposure is compounded by the distributed nature of construction work. Employees access drawings, project documentation, and communications from multiple sites, while subcontractors and external partners, who may have very different security practices, often share access to the same systems and project data.

Why Generic Training Misses the Mark in Construction

Most awareness platforms send the same phishing simulation to everyone. A site manager coordinating deliveries, a finance team member processing supplier invoices, and a procurement lead handling contractor bids all receive the same generic template, even though they face meaningfully different threats.

That mismatch matters because the most convincing attacks are the ones that look like normal work. A simulation built around a corporate IT helpdesk request tells a site manager very little about the supplier impersonation attempt they are likely to receive. Training that doesn't reflect the specific communications employees handle in their role is training for a threat they are unlikely to face, while leaving them unprepared for the ones they will.

In conversations with IT managers across the sector, awareness training is frequently described as generic, infrequent, and difficult to sustain. The firms that run phishing simulations manually report spending disproportionate time on setup and follow-up relative to the outcome.

Annual modules tick a compliance box and are largely forgotten. The result is a workforce that receives training in name, but is not genuinely better prepared.

The Administration Problem for Construction IT Teams

Construction IT teams are typically small and stretched across infrastructure, device management, and support across multiple sites. Building, running, and maintaining a security awareness programme on top of that, managing campaigns, segmenting users, chasing non-completers, generating reports, is rarely sustainable in practice.

The instinct many IT managers in the sector describe is to concentrate resource on backup and recovery. If a breach occurs, the priority is restoring operations. That is a rational response to limited capacity. But with ransomware downtime in construction now averaging 24 days, well beyond what most projects can absorb, prevention that runs without adding to the IT workload is a more effective use of the same resource[5].

A Different Approach to Security Awareness in Construction

Practice from Pistachio delivers security awareness training that changes employee behaviour. Rather than relying on generic corporate phishing templates, Practice is designed to reflect the supplier, contractor, and project communications construction teams deal with every day. It integrates natively with Microsoft and deploys in under 10 minutes, with phishing simulations and training scenarios running automatically from there:

  • Role-specific scenarios. Simulations reflect the supplier impersonation, invoice fraud, and project-related social engineering attacks construction teams face, tailored by role rather than sent generically to everyone.

  • Adaptive difficulty. Training adjusts automatically based on individual performance, so every employee is challenged at the right level without manual segmentation.

  • No ongoing administration. No campaigns to build, no non-completers to chase, no templates to maintain. The programme runs continuously without consuming IT resource to sustain it.

  • Reporting built in. Compliance documentation for government contracts and regulatory requirements is available on demand.

Most firms are fully deployed in under 10 minutes using Microsoft Entra, with phishing simulations and training running automatically from then on.

Construction does not have a cybersecurity awareness problem. It has a training relevance problem. Employees are being trained to spot phishing attacks they are unlikely to receive, while the attacks they are likely to receive go largely unaddressed.

As supply chains become more connected and attacks more targeted, the firms that improve their resilience will not be those that run more training. They will be the ones running the right training.

See how Practice fits the realities of construction. Email contact@pistachioapp.com to book your 15-minute demo.

Anyone can fall for a phishing scam.

That’s the point of Pistachio’s approach to hands-on learning over snooze-worthy training videos.

Activity overview of user