Construction workers and safety expert discuss cybersecurity and virus threats at a busy building site.

6 Questions Smart Construction Companies Ask Their IT Provider Every Quarter

July 13, 2026

6 Questions Smart Construction Companies Ask Their IT Provider Every Quarter

If you're only talking to your IT provider when something breaks, you're already behind.

I understand why.

You've got projects moving, crews working, subcontractors calling, schedules changing, and paperwork piling up. The last thing you want is another meeting about technology.

But here's the part most people don't talk about.

Technology isn't really an IT issue anymore.

It's a business risk issue.

A ransomware attack can stop payroll. A missing document can turn into a dispute. A former employee with active access can create problems nobody sees coming. A failed backup can stall a project when everyone assumes recovery is simple.

That's why I believe every construction company should have a quarterly IT review.

Not to talk about software.

To talk about risk.

These are the six questions I'd ask every quarter.

Question 1: What Security Problems Do We Need To Address Right Now?

Most problems don't start loud.

They start with a shared password.

An unpatched laptop.

An old account that still has access.

A superintendent using a personal phone that isn't protected.

Ask your IT provider:

  • What security risks need attention right now?
  • Have there been unusual login attempts?
  • Which users or devices create the most risk?
  • What issues have been fixed since our last review?

You want specifics.

Not, "Everything looks good."

A strong answer includes facts, dates, and actions already taken.

What Good Answers Actually Sound Like

Question

Good Answer

Bad Answer

Security

"We blocked three suspicious login attempts last month."

"Nothing major happened."

MFA

"100% of Microsoft 365 users have MFA enabled."

"Most people have it."

Device Security

"Four field tablets are missing recent updates and are being remediated."

"The devices should be okay."

Account Reviews

"Administrative accounts were reviewed last quarter."

"We haven't looked recently."

If answers are vague, risk is usually vague too.

And vague risk has a habit of becoming expensive.

Question 2: Have You Tested Our Backups Recently?

A backup that hasn't been tested is a theory.

I've seen good companies discover this at exactly the wrong time.

Everyone assumes recovery will be easy until someone needs a file, a server fails, or ransomware locks access to critical records.

Then the real question becomes:

"How quickly can we get back to work?"

Ask:

  • When was the last recovery test?
  • What was restored?
  • How long did recovery take?
  • What systems were included?
  • What systems were excluded?

Useful Benchmarks

Most companies should consider these minimum standards:

  • Backup recovery tested at least quarterly
  • Critical data recoverable within a few hours, not days
  • Microsoft 365 data included in backup coverage
  • Recovery procedures documented and reviewed annually
  • Backup success reports reviewed monthly

If your provider cannot tell you the last time recovery was tested, that's a red flag.

A Real Example

A commercial contractor lost access to project closeout documentation after an employee left the company.

Nothing was hacked.

Nothing failed.

The employee's account was removed, but permissions attached to that account disappeared with it.

The company spent several days rebuilding access and validating file versions before closeout could continue.

Most disruptions don't begin with disaster.

They begin with a routine process that nobody realized was broken.

Question 3: Where Is Technology Slowing Us Down?

Most productivity problems aren't dramatic enough to become emergency tickets.

Instead, they steal minutes all day long.

A project manager waits for large drawing files to open.

A superintendent can't sync photos at a job site.

A coordinator spends ten extra minutes searching for the correct revision.

Each delay feels small.

Together, they're expensive.

Ask:

  • What systems generate the most complaints?
  • Are we outgrowing current hardware?
  • Which workflows require workarounds?
  • Are job site devices performing properly?
  • Are large files syncing reliably?

Technology should help crews move faster.

Not teach them to tolerate inconvenience.

Question 4: Would Our Systems Hold Up Under Scrutiny?

This is the question I wish more construction companies asked.

Not:

"Are we compliant?"

Instead:

"If an auditor, insurance carrier, attorney, or court reviewed our systems tomorrow, would we be comfortable with what they found?"

That's a much better question.

Construction businesses live on documentation.

Contracts.

Change orders.

RFIs.

Safety records.

Project communications.

Access logs.

Revision histories.

Ask your provider:

  • Can we prove who accessed project information?
  • Are document revisions tracked?
  • Are former employees removed promptly?
  • Are records retained appropriately?
  • Can we quickly locate the documents required for discovery?

When disputes happen, the company with stronger records usually sleeps better.

Question 5: Are We Meeting Cyber Insurance Expectations?

Here's something many construction companies overlook.

Cyber insurance requirements continue getting stricter.

Insurers increasingly want proof that security controls exist.

Not promises.

Ask your provider:

  • Can we demonstrate MFA coverage?
  • Do we have documented backup testing?
  • Is there a written incident response plan?
  • Are privileged accounts reviewed regularly?
  • Can we show evidence of user access reviews?

If your insurance provider requested proof today, could you produce it?

That's the question that matters.

Question 6: What Should We Budget For Before It Becomes Urgent?

Good planning prevents expensive surprises.

Your IT provider should be tracking:

  • Aging hardware
  • Expiring warranties
  • Software renewals
  • Security improvements
  • Infrastructure upgrades
  • Device replacement schedules

Useful benchmarks include:

  • Devices older than five years reviewed for replacement
  • Critical account removal completed within 24 hours of termination
  • MFA coverage target of 100%
  • Annual review of incident response procedures
  • Quarterly access reviews for critical systems

The goal isn't spending more.

The goal is eliminating avoidable emergencies.

Don't Forget These Construction-Critical Systems

Many IT reviews focus on computers and email.

That's necessary.

It's also incomplete.

Ask whether these systems are included in security reviews, backup planning, and access audits:

  • Procore
  • Autodesk Construction Cloud
  • Buildertrend
  • Sage
  • Viewpoint
  • Microsoft 365
  • GPS and telematics platforms
  • Document management repositories

I've seen companies secure their email environment while overlooking the systems that actually run projects.

Those blind spots create risk.

Construction IT Risk Scorecard

Before your next quarterly review, grade your organization.

Green

Documented process exists and is tested.

Yellow

Process exists but is inconsistent.

Red

No documented process.

Area

Green

Yellow

Red

Access Management

Backup Readiness

Job Site Connectivity

File Governance

Cyber Insurance Readiness

Vendor Security

If multiple categories land in yellow or red, that's where your next conversation should begin.

A One-Page Quarterly IT Review Template

Your provider should be able to deliver this summary every quarter.

Top Three Risks

Top Three Issues Resolved Since Last Review

Most Recent Backup Recovery Test

Date:

Recovery Time:

Systems Tested:

Items Requiring Budget Planning

Leadership Decisions Needed

If your quarterly review cannot fit on one page, it's often reporting activity instead of outcomes.

What I'd Do Next Week

Pick one active project.

Then trace the entire record trail.

Review the drawings, RFIs, change orders, emails, approvals, project photos, and subcontractor communications.

Now ask yourself a simple question:

If this project ended up in court next month, could we quickly find everything we needed without panic?

That exercise usually reveals more than any technology report.

The Real Purpose Of A Quarterly IT Review

You aren't having these conversations because you're trying to become an IT expert.

You're having them because you're responsible for the company.

You're responsible for keeping projects moving.

You're responsible for protecting records.

You're responsible for avoiding surprises that become expensive later.

The right IT provider helps remove that burden.

Not with more dashboards.

Not with more buzzwords.

With clear answers, tested processes, documented proof, and fewer things for you to worry about.

Schedule your 10 minute discovery call with 911 IT. We'll help you identify where your current systems may be exposed and where you're already protected. You'll leave with a clear picture of the risks that deserve attention now and the ones that can wait.