A System-Based Proposal to Improve Cybersecurity in Construction Organisations

Authors

Chua Sin Nee

Universiti Teknologi Malaysia, 81300 Johor Bahru, Johor, Malaysia (Malaysia)

Muhammad Daniel bin Muhamad Subri

Universiti Teknologi Malaysia, 81300 Johor Bahru, Johor, Malaysia (Malaysia)

Ng Shi Chun

Universiti Teknologi Malaysia, 81300 Johor Bahru, Johor, Malaysia (Malaysia)

Oh Jia Min

Universiti Teknologi Malaysia, 81300 Johor Bahru, Johor, Malaysia (Malaysia)

Ong Yi Ying

Universiti Teknologi Malaysia, 81300 Johor Bahru, Johor, Malaysia (Malaysia)

Fuziah Ismail

Universiti Teknologi Malaysia, 81300 Johor Bahru, Johor, Malaysia (Malaysia)

Norhazren Izatie Mohd

Universiti Teknologi Malaysia, 81300 Johor Bahru, Johor, Malaysia (Malaysia)

Article Information

DOI: 10.47772/IJRISS.2026.10200167

Subject Category: Management

Volume/Issue: 10/2 | Page No: 2206-2218

Publication Timeline

Submitted: 2026-02-11

Accepted: 2026-02-16

Published: 2026-02-27

Abstract

This study investigates the critical cybersecurity vulnerabilities in construction organizations that manage sensitive project data. The primary weakness identified was reliance on consumer-grade digital tools and single-factor authentication, which exposed the organization to phishing attacks, credential compromise, and unauthorized data access. Although prior research has highlighted the risks of digital transformation in the construction sector, a clear gap remains in the practical integration of unified cybersecurity platforms into operational workflows. A System Development Life Cycle (SDLC) methodology was adopted to evaluate existing security processes, identify system deficiencies, and define technical requirements. Based on this assessment, the study proposed the structured implementation of Microsoft 365 Business Premium as a centralized cybersecurity framework. Key components included AI-driven email threat protection via Defender for Office 365, secure cloud governance through OneDrive and SharePoint, and enforcement of multi-factor authentication. The findings indicate that transitioning from fragmented “Shadow IT” practices to an integrated enterprise-level security environment significantly reduces the likelihood of account compromise and enhances operational transparency. The study offers a scalable, practical framework for strengthening data protection and safeguarding decision-making integrity in construction organizations. Implementing enterprise-grade cybersecurity controls is essential to sustaining client trust and ensuring project continuity in an increasingly digital operating environment.

Keywords

Cybersecurity, Construction Industry, Digital Transformation, Microsoft 365


