6 Questions Smart Construction Companies Ask Their IT Provider Every Quarter
If you're only talking to your IT provider when something breaks, you're
already behind.
I understand why.
You've got projects moving, crews working, subcontractors calling,
schedules changing, and paperwork piling up. The last thing you want is another
meeting about technology.
But here's the part most people don't talk about.
Technology isn't really an IT issue anymore.
It's a business risk issue.
A ransomware attack can stop payroll. A missing document can turn into a
dispute. A former employee with active access can create problems nobody sees
coming. A failed backup can stall a project when everyone assumes recovery is
simple.
That's why I believe every construction company should have a quarterly
IT review.
Not to talk about software.
To talk about risk.
These are the six questions I'd ask every quarter.
Question 1: What Security Problems Do We Need To Address Right Now?
Most problems don't start loud.
They start with a shared password.
An unpatched laptop.
An old account that still has access.
A superintendent using a personal phone that isn't protected.
Ask your IT provider:
- What security
risks need attention right now?
- Have there been
unusual login attempts?
- Which users or
devices create the most risk?
- What issues
have been fixed since our last review?
You want specifics.
Not, "Everything looks good."
A strong answer includes facts, dates, and actions already taken.
What Good Answers Actually Sound Like
|
Question |
Good Answer |
Bad Answer |
|
Security |
"We blocked three suspicious
login attempts last month." |
"Nothing major happened." |
|
MFA |
"100% of Microsoft 365 users
have MFA enabled." |
"Most people have it." |
|
Device Security |
"Four field tablets are missing
recent updates and are being remediated." |
"The devices should be
okay." |
|
Account Reviews |
"Administrative accounts were
reviewed last quarter." |
"We haven't looked
recently." |
If answers are vague, risk is usually vague too.
And vague risk has a habit of becoming expensive.
Question 2: Have You Tested Our Backups Recently?
A backup that hasn't been tested is a theory.
I've seen good companies discover this at exactly the wrong time.
Everyone assumes recovery will be easy until someone needs a file, a
server fails, or ransomware locks access to critical records.
Then the real question becomes:
"How quickly can we get back to work?"
Ask:
- When was the
last recovery test?
- What was
restored?
- How long did
recovery take?
- What systems
were included?
- What systems
were excluded?
Useful Benchmarks
Most companies should consider these minimum standards:
- Backup recovery
tested at least quarterly
- Critical data
recoverable within a few hours, not days
- Microsoft 365
data included in backup coverage
- Recovery
procedures documented and reviewed annually
- Backup success
reports reviewed monthly
If your provider cannot tell you the last time recovery was tested,
that's a red flag.
A Real Example
A commercial contractor lost access to project closeout documentation
after an employee left the company.
Nothing was hacked.
Nothing failed.
The employee's account was removed, but permissions attached to that
account disappeared with it.
The company spent several days rebuilding access and validating file
versions before closeout could continue.
Most disruptions don't begin with disaster.
They begin with a routine process that nobody realized was broken.
Question 3: Where Is Technology Slowing Us Down?
Most productivity problems aren't dramatic enough to become emergency
tickets.
Instead, they steal minutes all day long.
A project manager waits for large drawing files to open.
A superintendent can't sync photos at a job site.
A coordinator spends ten extra minutes searching for the correct
revision.
Each delay feels small.
Together, they're expensive.
Ask:
- What systems
generate the most complaints?
- Are we
outgrowing current hardware?
- Which workflows
require workarounds?
- Are job site
devices performing properly?
- Are large files
syncing reliably?
Technology should help crews move faster.
Not teach them to tolerate inconvenience.
Question 4: Would Our Systems Hold Up Under Scrutiny?
This is the question I wish more construction companies asked.
Not:
"Are we compliant?"
Instead:
"If an auditor, insurance carrier, attorney, or court reviewed our
systems tomorrow, would we be comfortable with what they found?"
That's a much better question.
Construction businesses live on documentation.
Contracts.
Change orders.
RFIs.
Safety records.
Project communications.
Access logs.
Revision histories.
Ask your provider:
- Can we prove
who accessed project information?
- Are document
revisions tracked?
- Are former
employees removed promptly?
- Are records
retained appropriately?
- Can we quickly
locate the documents required for discovery?
When disputes happen, the company with stronger records usually sleeps
better.
Question 5: Are We Meeting Cyber Insurance Expectations?
Here's something many construction companies overlook.
Cyber insurance requirements continue getting stricter.
Insurers increasingly want proof that security controls exist.
Not promises.
Ask your provider:
- Can we
demonstrate MFA coverage?
- Do we have
documented backup testing?
- Is there a
written incident response plan?
- Are privileged
accounts reviewed regularly?
- Can we show
evidence of user access reviews?
If your insurance provider requested proof today, could you produce it?
That's the question that matters.
Question 6: What Should We Budget For Before It Becomes Urgent?
Good planning prevents expensive surprises.
Your IT provider should be tracking:
- Aging hardware
- Expiring
warranties
- Software
renewals
- Security
improvements
- Infrastructure
upgrades
- Device
replacement schedules
Useful benchmarks include:
- Devices older
than five years reviewed for replacement
- Critical
account removal completed within 24 hours of termination
- MFA coverage
target of 100%
- Annual review
of incident response procedures
- Quarterly
access reviews for critical systems
The goal isn't spending more.
The goal is eliminating avoidable emergencies.
Don't Forget These Construction-Critical Systems
Many IT reviews focus on computers and email.
That's necessary.
It's also incomplete.
Ask whether these systems are included in security reviews, backup
planning, and access audits:
- Procore
- Autodesk
Construction Cloud
- Buildertrend
- Sage
- Viewpoint
- Microsoft 365
- GPS and
telematics platforms
- Document
management repositories
I've seen companies secure their email environment while overlooking the
systems that actually run projects.
Those blind spots create risk.
Construction IT Risk Scorecard
Before your next quarterly review, grade your organization.
Green
Documented process exists and is tested.
Yellow
Process exists but is inconsistent.
Red
No documented process.
|
Area |
Green |
Yellow |
Red |
|
Access Management |
☐ |
☐ |
☐ |
|
Backup Readiness |
☐ |
☐ |
☐ |
|
Job Site Connectivity |
☐ |
☐ |
☐ |
|
File Governance |
☐ |
☐ |
☐ |
|
Cyber Insurance Readiness |
☐ |
☐ |
☐ |
|
Vendor Security |
☐ |
☐ |
☐ |
If multiple categories land in yellow or red, that's where your next
conversation should begin.
A One-Page Quarterly IT Review Template
Your provider should be able to deliver this summary every quarter.
Top Three Risks
Top Three Issues Resolved Since Last
Review
Most Recent Backup Recovery Test
Date:
Recovery Time:
Systems Tested:
Items Requiring Budget Planning
Leadership Decisions Needed
If your quarterly review cannot fit on one page, it's often reporting
activity instead of outcomes.
What I'd Do Next Week
Pick one active project.
Then trace the entire record trail.
Review the drawings, RFIs, change orders, emails, approvals, project
photos, and subcontractor communications.
Now ask yourself a simple question:
If this project ended up in court next month, could we quickly find
everything we needed without panic?
That exercise usually reveals more than any technology report.
The Real Purpose Of A Quarterly IT Review
You aren't having these conversations because you're trying to become an
IT expert.
You're having them because you're responsible for the company.
You're responsible for keeping projects moving.
You're responsible for protecting records.
You're responsible for avoiding surprises that become expensive later.
The right IT provider helps remove that burden.
Not with more dashboards.
Not with more buzzwords.
With clear answers, tested processes, documented proof, and fewer things
for you to worry about.
Schedule your 10 minute discovery call with 911 IT. We'll help you
identify where your current systems may be exposed and where you're already
protected. You'll leave with a clear picture of the risks that deserve
attention now and the ones that can wait.
