Protecting a 12% Profit Margin in the Construction Industry Through a Security Audit
Modern construction runs on data. Digital document workflows, BIM models, and ERP systems form the operational backbone of every construction project. For a large construction company, losing access to these resources means real financial losses and project delays.
Achieved results
Protecting a 12% Profit Margin
ISO 27001 Readiness
Mitigating the threat of disrupting operational continuity
IT quality monitoring
Construction Industry Specifics and IT Risk
In the construction sector, business continuity depends on the stability of systems operating across highly distributed environments. Organizations must ensure secure, uninterrupted access to data for engineers working on construction sites—often using temporary network connections—as well as external partners and design offices.
Despite modern technologies investments, the client lacked a cohesive cybersecurity strategy. Rapid business growth had outpaced the evolution of security procedures, creating a situation in which critical business assets appeared to be protected but were, in reality, exposed.
Parts of the infrastructure were directly accessible from the public internet, enabling login attempts to administrative panels from anywhere in the world. Combined with weak password management practices and active accounts belonging to former employees, these systems faced a significant risk of unauthorized access.
Strategic Objectives and the Need for an Independent Assessment
As part of preparations for ISO certification, the management team defined two strategic objectives:
Strengthening Operational Resilience
Designing and implementing safeguards that would ensure business continuity and data protection regardless of external incidents.
Independent Validation of Processes and Competencies
Conducting an objective assessment of security procedures and internal team capabilities by engaging external experts. The goal was to obtain an unbiased view of the organization’s security posture before entering the certification process.
From Strategy to Action: Assessing Organizational Resilience
To provide a clear picture of the situation and prepare the organization for ISO 27001 requirements, GoNextStage experts analyzed 4 key areas. This approach enabled the company’s security posture to be evaluated at every level—from documentation to technical configurations.
Policy and Documentation Review
The engagement began with a policy and documentation review. GoNextStage experts analyzed existing security policies and procedures in order to verify whether security standards—such as password requirements and incident reporting practices—were actually being followed across the organization.
Technical Verification
The next phase focused on technical verification, comparing documented procedures with actual configurations across systems, networks, and the cloud environment. This stage uncovered vulnerabilities that posed direct threats to business continuity in the following areas:
- Identity and Access Management (IAM):
The audit revealed significant weaknesses in access and identity management. Dormant user accounts were identified, creating opportunities for privilege escalation if compromised.
Outdated IAM policies remained in place despite no longer reflecting actual systems or processes. Effective controls governing access provisioning and maintenance were lacking, and many resources had no designated owners responsible for approving access requests.
Given the size of the environment and the number of users, these weaknesses represented a substantial security risk. - Insufficient Endpoint Protection (EDR)
Nearly half of the engineers’ workstations and servers lacked modern enterprise-grade endpoint detection and response (EDR) capabilities. If the event of a ransomware attack originating from a laptop used on a construction site occured, malware could have spread throughout the organization undetected until critical data was fully encrypted and inaccessible. - Technology Debt and End-of-Life Systems (EOL)
The assessment identified legacy operating systems, including Windows Server 2012, which were no longer receiving security updates from the vendor. Such systems are vulnerable to automated attacks that can compromise servers without requiring password theft, creating a direct threat to ERP systems, databases, and other critical business applications. - Critical Cloud Security Misconfigurations
Administrative access ports (RDP and SSH) in the Microsoft Azure environment were exposed directly to the public internet.
Without proper restrictions enforced through Network Security Groups, the environment was vulnerable to brute-force attacks. This configuration allowed automated threat actors to continuously target cloud resources, increasing the risk of project data exposure and unauthorized cloud-related costs.
Findings and Final Report
The audit concluded with a comprehensive assessment and final report. GoNextStage delivered detailed documentation of all identified vulnerabilities, prioritized by severity—from critical to low-risk findings. Each issue was mapped to its potential business impact and accompanied by recommended remediation actions, creating a practical roadmap toward ISO certification.
Protecting a 12% Profit Margin by Eliminating Ransomware Risk
The audit uncovered vulnerabilities that could have allowed attackers to compromise engineers’ workstations and gain access to critical corporate systems, including ERP platforms, project documentation repositories, and construction planning tools.
As a result, a successful ransomware attack could have disrupted systems essential for managing construction projects and contract settlements. By implementing the recommended corrective actions, the organization eliminated these vulnerabilities, avoiding potential project downtime, contractual penalties, and costly IT recovery efforts. All in all, the company was able to protect up to 12% of its operating margin.
Business Outcomes
Identifying these risks enabled the company to move from a reactive approach to proactive security management. The vulnerabilities identified by GoNextStage Team evolved from theoretical concerns into actionable priorities, driving both technical and process improvements.
Key Business Benefits