Cybersecurity for Louisiana Construction Companies

Construction has quietly become one of the most heavily targeted industries for cyber attacks, and Louisiana construction firms are no exception. We've worked with general contractors, subcontractors, MEPs, and specialty trades across the state — from Capitol-area infrastructure work to job sites along the Northshore — and the threat patterns repeat with depressing regularity.

Here's what we see, and what to do about it.

Why construction is a target

Construction firms are attractive to attackers for a specific combination of reasons:

• Large dollar transactions. Construction projects move significant money. A successful wire fraud against a construction firm can net six or seven figures — orders of magnitude more than a typical phishing payout.
• Predictable invoicing cycles. Payment applications, draws, retainage releases — attackers learn the rhythm and time their attacks accordingly.
• Distributed workforce. Field staff, project managers, and office staff use different devices in different network environments. The attack surface is much larger than a single-office business.
• Email-heavy workflows. Change orders, RFI responses, contract amendments — almost everything happens over email. Email is the attacker's preferred entry point.
• Less mature cybersecurity posture. Most construction firms invest heavily in operations and equipment. Cybersecurity often gets a tiny share of the budget.

The three attack patterns that hit construction most

1. Business email compromise (BEC) and wire fraud

The classic: attacker compromises an email account at your firm (often through a phishing email and password reuse), watches your inbox for a week to learn how billing works, then waits for a moment when a payment is about to go out. They intercept the invoice email, change the wire instructions to their account, and forward it on to the AP person. Six-figure transfer, gone in minutes.

Louisiana construction firms have lost millions to this pattern over the past five years. The frustrating part: it's almost completely preventable with three controls — MFA on every email account, an out-of-band confirmation requirement for any wire instruction change, and email filtering that flags external lookalike domains.

2. Ransomware

Less subtle: attacker gets into your file server (often through an exposed remote desktop service, an unpatched VPN appliance, or a phished credential), encrypts everything, and demands a ransom for the decryption key. For a construction firm, the file server typically holds project drawings, contracts, photos, schedules, financial records, and bid history. Losing access for a week is operationally catastrophic.

The defenses here are well-established: keep VPN and firewall firmware current, eliminate exposed RDP, deploy EDR (endpoint detection and response), enforce MFA on every external-facing system, and maintain backups with immutable storage so even if attackers get domain admin they can't delete the backups.

3. Job-site Wi-Fi compromise

The newest pattern: job sites typically have some form of Wi-Fi for field tablets, video surveillance, and ProCore access. These networks are often consumer-grade gear with default credentials, deployed quickly, and rarely audited. An attacker who can get physically close to a job site can compromise the network and use it as a pivot into your office systems if the field network isn't segmented.

Fix: every job-site network should run on business-grade firewall + access points (Fortinet, Sophos, Cisco Meraki), be segmented from the office network, and route all traffic through your firewall. Field devices should authenticate against your central identity provider (Entra ID), not local accounts.

The minimum viable cybersecurity stack for a construction firm

If you're a Louisiana construction firm with 20–200 people, here's what we'd insist on:

1. MFA on everything. Email, VPN, payroll, accounting, ProCore, Sage, anything cloud-based. No exceptions for the owner. Yes, the owner.
2. Endpoint detection and response (EDR) on every computer. SentinelOne, CrowdStrike, Sophos Intercept X, or similar. Not consumer antivirus.
3. Advanced email security. Microsoft Defender for Office 365 P2, Mimecast, or Proofpoint. Filters phishing, lookalike domains, malicious links, and attachments.
4. Security awareness training with simulated phishing. KnowBe4, Hoxhunt, or similar. Quarterly minimum. Your AP person is the most attacked person in your firm; train accordingly.
5. Backup with immutable storage off-site. Datto, Veeam with hardened repository, or equivalent. Encrypted, retained 30+ days, tested monthly.
6. Managed firewall at each office and job site, with quarterly rule reviews. Read more about our managed firewall services.
7. Wire fraud prevention protocol. Written. Includes: "any change to wire instructions requires a verbal call-back to a known phone number, not the number in the email." Get it signed by AP, finance, and project management.
8. Cyber liability insurance. $1M+ minimum. Read the policy carefully — many policies exclude losses from wire fraud unless you have specific controls in place.

What about the field?

Field staff are often the most cybersecurity-vulnerable users in a construction firm, because:

• They use mobile devices on untrusted networks
• They get phished through SMS as well as email
• They typically have less cybersecurity training than office staff
• They share devices and credentials more often

Practical controls: enforce MFA via the Microsoft Authenticator app, deploy mobile device management (MDM — Microsoft Intune is included with most business M365 plans), and run security awareness training that includes SMS phishing scenarios.

Local context: where we see Louisiana construction firms get hit

Three patterns specific to the Gulf region:

1. Hurricane-season urgency exploitation. Attackers use storm season to send urgent "we need to wire funds for emergency materials" messages, exploiting the legitimate urgency real storms create.
2. State and federal project payment fraud. Firms doing LA DOTD or Army Corps work see targeted attacks attempting to redirect government payments. The dollar amounts justify a much higher level of attacker investment.
3. Equipment-financing fraud. Attackers send fake invoices that look like equipment lease payments. Construction firms are used to seeing equipment-lease invoices monthly, so the pattern doesn't trigger suspicion.