National General Contractor’s Multi-Site Projects Stall After Ransomware Leverages Unmanaged Field Tablets

The Challenge

Stonebridge Build Group, a national general contractor headquartered in Alberta with active projects across Canada, suffered cascading project delays when a ransomware variant propagated from unmanaged tablets used by subcontractors in the field. Privileged design files, vendor payment schedules, and RFIs synced over flat networks with shared credentials. The absence of a formal cyber governance model—no defined accountability for patching, weak change control on project IT/OT, and inconsistent third-party onboarding—allowed the malware to traverse jobsite trailers, cloud document repositories, and a centralized ERP instance. Payment applications were suspended, lien releases were delayed, and two public-infrastructure projects triggered liquidated damages. The estimated impact exceeded $3.5 million, including penalties, rework, and overtime.

The firm could not evidence due diligence to carriers or clients: policy documentation was fragmented, vendor security attestations were outdated, and incident response playbooks did not address field operations. Questions from owners and regulators under the Personal Information Protection and Electronic Documents Act (PIPEDA) and Quebec’s Law 25 went unanswered for days, escalating reputational risk and threatening surety relationships.

Our Solution

Our team was engaged to strengthen Stonebridge’s governance structure and close systemic compliance gaps. We began with a comprehensive maturity assessment aligned to ISO/IEC 27001 and the NIST Cybersecurity Framework, focusing on jobsite operations, cloud collaboration tools, and project management workflows. Based on this assessment, a Cyber Governance Charter was introduced and ratified by the executive team, clearly defining accountability across IT, Operations, and Project Management.

We established a cross-functional Risk and Compliance Committee to oversee policy development, exception management, and regular reviews. New policies were issued for mobile device management, privileged access, incident response, and third-party due diligence. A centralized risk register linked directly to client and insurer requirements provided audit-ready evidence of control effectiveness. To embed these changes, targeted executive and field training sessions were delivered, covering privacy laws (PIPEDA and Law 25), contractual cyber obligations, and resilience practices specific to construction environments.

The Value

Within 90 days of the program launch, Stonebridge restored insurer confidence and resumed delayed public infrastructure projects. The organization achieved a 60% reduction in high-risk findings following remediation, with all unmanaged field devices brought under secure MDM control. Network segmentation across jobsites reduced lateral movement risks during follow-up testing, and executive reporting improved through quarterly governance dashboards linking cybersecurity KPIs to project delivery metrics.

These efforts not only reinstated client and insurer trust but also positioned Stonebridge as a leader in cybersecurity compliance within Canada’s construction sector. By integrating governance directly into project operations, the company improved its risk posture, minimized disruptions, and built a sustainable culture of accountability.

Implementation Roadmap

1. Assessment (Weeks 1–3): Review governance maturity across head office and jobsites; inventory devices, apps, and third parties.

2. Framework Design (Weeks 4–6): Draft charter, define RACI, approve policies for MDM, access, IR, and third-party risk.

3. Deployment (Weeks 7–12): Roll out MDM, network segmentation for trailers, MFA for cloud suites, and central risk register.

4. Training (Weeks 13–16): Executive and field leadership sessions; tabletop exercises tailored to project operations.

5. Continuous Monitoring (Ongoing): Quarterly governance reviews; supplier attestations; annual audits tied to ISO/NIST mappings.

Info Sheet

Necessary Action Type and Steps to Be Taken:

  • Immediate containment: Isolate jobsite trailer networks; revoke shared credentials; enforce MDM enrollment and remote wipe.
  • Governance framework update: Formalize cyber governance with executive sponsorship and clear reporting lines to the board.
  • Policy modernization: Approve MDM, privileged access, incident reporting, and change control policies tailored to project workflows.
  • Third-party risk: Require subcontractor security attestations and minimum controls in contract language; track in the risk register.
  • Audit readiness: Maintain evidence repositories for policies, reviews, and incident logs; align with insurer questionnaires.
  • Training and awareness: Brief executives, PMs, supers, and site admins on privacy obligations and contractual security clauses.

Industry Sector:

Construction — General Contracting, Design-Build, and Civil Infrastructure

Applicable Legislation:

  • PIPEDA (Personal Information Protection and Electronic Documents Act)
  • Quebec Law 25 (Act to modernize legislative provisions as regards the protection of personal information)
  • Provincial procurement and public-owner cybersecurity clauses for critical infrastructure projects
  • Standards alignment: ISO/IEC 27001; NIST Cybersecurity Framework

Third Parties:

  • Cloud collaboration suites for design files and RFIs.
  • Managed network and MDM providers supporting jobsites.
  • External auditors for ISO and compliance certifications.
  • Insurance underwriters and surety providers reviewing governance posture.
  • Subcontractors and vendors providing cybersecurity attestations.