
Industry · Construction & engineering

IT and cybersecurity that moves with the job.

Site offices that appear and disappear, subbies who need project access but nothing else, estimating and project platforms that each want their own identity, and head contractors who are now pushing security clauses into every subcontract. It's a lot. It's also exactly the kind of problem we like.

What's actually different in construction & engineering

Construction IT is logistics, not product selection.

Most construction and engineering businesses we work with aren't short on technology. They're short on someone who sequences the technology against the rhythm of actual work. A site stands up, runs for six months, comes down. A subbie joins for two weeks. A partner needs access to a shared BIM model but nothing else. A laptop gets stolen off the back of a ute. None of that is exotic; all of it needs a pattern, not an improvisation.

The other pattern we see: security questionnaires from head contractors landing in the procurement inbox a week before tender close. The questions are standardised enough that a prepared business answers in a morning. An unprepared one spends a fortnight discovering the gaps, and either loses the tender or ticks "yes" on things that later turn up in a post-incident review. We prepare clients so the answer is ready before the questionnaire arrives.

On connectivity: site offices don't need heroic infrastructure. They need a managed router, a sensible primary and failover, and someone who actually monitors uptime. Boring. Which is the point.

Live right now · construction & engineering

The 2026 pressure points we're actively working on with clients.

The specific asks, deadlines and enforcement actions shaping 2026 conversations in your sector.

Head-contractor security clauses are now standard

The big head contractors (Lendlease, Multiplex, CPB, John Holland and the rest) are now asking subcontractors for MFA, EDR, patching cadence, staff training and Essential Eight self-attestation before onboarding to their project platforms (Procore, Aconex, Autodesk Construction Cloud). This isn't regulation, it's tender eligibility. Answering honestly matters: the contract auditors do check, and an "over-answered" questionnaire tends to surface after an incident.

Modern Slavery Act cascade reaches the subbie layer

The federal government's December 2024 response to the Modern Slavery Act review agreed in principle to civil penalties for non-compliant reporting entities. The $100M turnover threshold stays, but reporters are now pushing supplier-level attestations further down the chain. If you're a subcontractor to a reporter, expect to see attestations in procurement packages.

Mandatory ransomware payment reporting, 72 hours

Under the Cyber Security Act, businesses with turnover above $3M must report ransomware payments to ASD within 72 hours (commenced 30 May 2025). Most mid-size builders and engineering firms sit above that threshold and need a documented IR plan with the reporting clock built in.

Frameworks that turn up in the room

Industry frameworks, regulations and audit standards for construction & engineering in Australia.

WHS record retention
State-based Work Health and Safety regulations impose retention on incident records, SWMS, training records, and hazard registers. Most run 5 to 30 years. Losing them in a ransomware incident isn't a technical problem, it's a regulatory one.

Privacy Act 1988 + APPs
Any contractor, employee, or subcontractor personal data is covered. Larger builders often sit above the $3M-turnover threshold and inherit the full APP obligations including Notifiable Data Breaches.

Head-contractor security clauses
Head contractors increasingly push IT security clauses into subcontractor agreements: MFA, encrypted document transfer, security-questionnaire completion. Essential Eight ML1 self-attestation is becoming the minimum ask from most. We prepare the answers with evidence so your next tender response takes a morning, not a fortnight.

ACSC Essential Eight
The baseline insurers and larger clients reference. See /essential-eight for how we move construction businesses through the maturity model without stopping the jobs.

Industry-specific tooling compliance
Estimating, project management and finance platforms (Procore, Aconex, Jobpac, Cheops, BuildSoft, Databuild, etc.) each have their own identity, access and audit posture. We integrate them into central identity and offboard properly when a project ends.

Common questions

The things construction & engineering clients ask us first.

Our site offices have rough internet. Are we stuck?
Usually not. We've put resilient connections onto temporary sites for years: enterprise NBN where fibre is reachable, 4G/5G failover in a managed router where it isn't, SD-WAN where multiple sites need to meet in the middle. The trick isn't one big link, it's a managed router on the right SLA that fails over sensibly when the primary link drops.

Subbies need access to our project files but they shouldn't see the whole business. How?
External sharing in SharePoint, per-project, with access that expires automatically on completion. Guest accounts governed by identity rules, not shared logins or shared drives. We set it up correctly once and the pattern scales as projects come and go.

Our estimating laptops are out of warranty and slow. Is that a security issue?
Can be. End-of-support operating systems stop receiving security patches, which means the controls that depend on patch cycles start failing silently. We track asset lifecycle as part of the Security & Tech Review: you'll get a written recommendation of what to replace, when, and why, not a blanket refresh cycle.

A head contractor sent us a security questionnaire as a condition of the tender. Can you help?
Yes. We've filled in enough of these for construction and engineering firms to know which questions are load-bearing. Typically the asks are MFA, EDR, patching, backup, offboarding and cyber insurance. We answer with evidence and, where the answer is "not yet," give you a plan the head contractor will accept.

The qualifier

Let's see if we're a fit.

Seven questions, one moment of your time. We'd rather tell you now than three months in.
