Supply Chain Risk

Construction & Real Estate in the Maldives: Your IT Supply Chain Is a Security Risk

February 21, 2026 · 6 min read

A major resort development in the Maldives involves dozens of contractors, consultants, and suppliers. The main contractor brings sub-contractors for civil works, MEP, interiors, and landscaping. Project managers use a shared Procore or Aconex environment. Procurement teams work in a shared ERP. The developer's finance team shares financial models with the lender's due diligence team. The architect's firm has access to the building information management system.

Each of those relationships requires granting system access to people who aren't your employees. And most construction and real estate organizations in the Maldives have no formal process for managing that access — how it's granted, what scope it covers, how long it lasts, and what happens when the relationship ends.

This is the IT supply chain risk problem, and it's more consequential than it sounds.

Why construction and real estate are targets

The financial values in construction and real estate are large. A single development project represents hundreds of millions of dollars in transactions. The organizations involved handle wire transfer authorizations, payment certificates, invoice approvals, and contract variations — all of which are targets for financial fraud.

Business email compromise (BEC) is the most common attack type in construction. An attacker compromises or impersonates the email account of a project manager, quantity surveyor, or accounts payable contact. They intercept a payment request or generate a fraudulent one. The recipient — typically another party in the same project — transfers funds to the attacker's account rather than the legitimate recipient.

BEC attacks in construction work because:

  • Large, irregular payments are normal. A $400,000 payment certificate to a contractor isn't unusual.
  • Multiple parties are involved in payment approvals, creating confusion about who has confirmed what.
  • Email chains are long and complex, making it harder to notice a subtle change in an email address.
  • The organizations involved vary in their security maturity — a sophisticated developer might be dealing with a sub-contractor whose email security is minimal.
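The third bullet is the one a finance team can actually check mechanically: compare every sender domain in a payment thread against the roster of known project participants and flag near-matches. The following is an added example, not code from the original post; the project domains, the thread, and the 0.85 similarity threshold are all constructed assumptions.

```python
from difflib import SequenceMatcher

# Constructed roster of the project's legitimate participant domains; in
# practice this comes from the contract or onboarding register (assumption).
PROJECT_DOMAINS = {"example-developer.mv", "example-contractor.com", "example-qs.mv"}
LOOKALIKE_THRESHOLD = 0.85  # assumed similarity above which a domain is suspicious

def domain_of(address: str) -> str:
    """Lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip().lower()

def similarity(a: str, b: str) -> float:
    return SequenceMatcher(None, a, b).ratio()

def classify_sender(address: str, known=PROJECT_DOMAINS) -> str:
    """'known', 'lookalike:<closest known domain>' or 'unknown' for one sender."""
    d = domain_of(address)
    if d in known:
        return "known"
    closest = max(known, key=lambda k: similarity(d, k))
    if similarity(d, closest) >= LOOKALIKE_THRESHOLD:
        return "lookalike:" + closest
    return "unknown"

def flag_thread(messages, known=PROJECT_DOMAINS) -> list:
    """Return (position, sender, verdict) for every message not from a known domain."""
    flagged = []
    for i, msg in enumerate(messages):
        verdict = classify_sender(msg["from"], known)
        if verdict != "known":
            flagged.append((i, msg["from"], verdict))
    return flagged

# Constructed thread: a long payment-certificate chain in which the sender
# address changes subtly partway through.
SAMPLE_THREAD = [
    {"from": "qs@example-qs.mv", "subject": "Payment certificate 14"},
    {"from": "pm@example-contractor.com", "subject": "RE: Payment certificate 14"},
    {"from": "finance@example-developer.mv", "subject": "RE: Payment certificate 14"},
    {"from": "pm@examp1e-contractor.com", "subject": "RE: Payment certificate 14 - new bank details"},
    {"from": "accounts@webmail-example.net", "subject": "RE: Payment certificate 14"},
]

if __name__ == "__main__":
    for pos, sender, verdict in flag_thread(SAMPLE_THREAD):
        print("message %d from %s: %s" % (pos, sender, verdict))
```

A flagged message is a prompt for the phone verification step, not an automatic block; a legitimate new participant will also show up as "unknown" until they are added to the roster.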

The FBI's Internet Crime Complaint Center consistently reports BEC as the highest-dollar cybercrime category. Real estate transactions (including development finance) are a specific subsector called out in their annual reports.

The third-party access problem

Beyond fraud, unmanaged third-party access creates data exposure and operational risks that are harder to see until after something goes wrong.

When a contractor is granted access to a project management platform, that access typically:

  • Gets set up quickly under time pressure with whatever permissions are "good enough"
  • Has no defined expiry date
  • Is never reviewed after initial creation
  • Remains active after the contractor's scope of work is complete
  • Sometimes gets shared — the contractor gives their login to a sub-contractor's employee for convenience

Over the course of a multi-year development project, you accumulate dozens of active accounts held by people who are no longer current or relevant. Each of those is a potential entry point: for an attacker who compromises the contractor's systems, for a disgruntled former contractor, or simply for credentials that end up in a breach database when the contractor's email provider is compromised.

The 2020 SolarWinds attack made "supply chain attack" a mainstream term. The concept is simple: if your direct security controls are strong but your vendors' are weaker, attackers target the vendors to reach you. Construction supply chains have the same dynamic — a sophisticated developer may be reachable through a smaller contractor with poor email security and a shared password.

What access control looks like in practice

Managing third-party access doesn't require a security operations team. It requires a process.

Inventory of active third-party accounts. Start by documenting who has access to what. Most organizations discover accounts they'd forgotten about. This is the starting point for everything else.

Role-based permissions. Contractors should have access to the systems and data they need for their specific scope of work — not administrator access to the whole project platform because it was easier to set up. Most project management and ERP platforms support granular permissions. Use them.

Access with defined end dates. When a contractor's scope ends, their access ends. This sounds obvious, but it requires either a manual process or automation. The common default is "we'll turn it off when we get around to it," which in practice means many accounts are never turned off.

Separate accounts per contractor. Shared accounts (a generic "Contractor1" login used by multiple people) make audit logging useless. If you can't tell who took an action, you can't investigate suspicious activity or demonstrate to auditors that your access controls are functioning.

MFA for platform access. Any platform that handles financial approvals, contract documents, or sensitive project data should require multi-factor authentication for all users, including contractor accounts. This is the single most effective control against compromised credentials.
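The five controls above reduce to a checklist that can be run over the account inventory at every review. The following is an added example, not code from the original post or from any platform vendor; the record layout, the sample accounts and the 90-day dormancy threshold are constructed assumptions, not a Procore, Aconex or ERP export format.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed inventory record; field names are assumptions, not an export format.
@dataclass
class ThirdPartyAccount:
    username: str
    holders: list              # named people who actually use the login
    role: str                  # permission level on the platform
    mfa_enrolled: bool
    scope_end: Optional[date]  # contractual end of scope; None = never set
    last_login: Optional[date]

DORMANT_DAYS = 90  # assumed review threshold for unused accounts
REVIEW_DATE = date(2026, 2, 21)  # the date this review is run (constructed)

def review_account(acct: ThirdPartyAccount, today: date) -> list:
    """Return the findings an access review should raise for one account."""
    findings = []
    if acct.scope_end is None:
        findings.append("no defined end date")
    elif acct.scope_end < today:
        findings.append("scope ended %s but account still active" % acct.scope_end)
    if len(acct.holders) != 1:
        findings.append("shared login (%d holders): audit trail unusable" % len(acct.holders))
    if acct.role == "admin":
        findings.append("administrator role granted to a contractor")
    if not acct.mfa_enrolled:
        findings.append("MFA not enrolled")
    if acct.last_login is None or (today - acct.last_login).days > DORMANT_DAYS:
        findings.append("dormant: no login in %d+ days" % DORMANT_DAYS)
    return findings

def review_inventory(accounts, today: date) -> dict:
    """Map each username to its findings; a clean account maps to []."""
    return {a.username: review_account(a, today) for a in accounts}

# Constructed sample inventory for a fictional resort project.
SAMPLE = [
    ThirdPartyAccount("mep-lead", ["A. Hassan"], "editor", True, date(2026, 12, 31), date(2026, 2, 19)),
    ThirdPartyAccount("contractor1", ["I. Ali", "M. Didi", "S. Rasheed"], "admin", False, None, date(2026, 2, 10)),
    ThirdPartyAccount("landscape-pm", ["F. Naseer"], "viewer", True, date(2025, 9, 30), date(2025, 9, 15)),
]

if __name__ == "__main__":
    for user, issues in review_inventory(SAMPLE, REVIEW_DATE).items():
        print(user, "->", issues or ["no findings"])
```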

Payment verification procedures

The technical controls matter, but the highest-impact single intervention for BEC prevention is a procedural one: verify payment destination changes by phone before executing them.

If a payment instruction or banking detail change arrives by email — regardless of how legitimate the email looks — call the sender at a number you already have on file (not a number in the email) to confirm. This step alone defeats the majority of BEC attacks, which rely entirely on the target processing a fraudulent email without verification.

This procedure needs to be documented, trained, and consistently applied — not just understood by the security-conscious members of the finance team. BEC attacks often target the people who don't know about the verification procedure.

Contractual requirements as a lever

Large developers and lenders have a lever that smaller organizations don't: they can make basic security requirements a condition of contract. Requiring contractors to use MFA, prohibiting password sharing, and mandating prompt notification of security incidents are reasonable contractual terms that shift the baseline upward for the entire supply chain.

This approach is common in more mature industries. Financial services institutions require SOC 2 reports or completed security questionnaires from vendors who access their systems. Infrastructure operators require ISO 27001 certification from critical suppliers. Construction in the Maldives hasn't typically operated this way, but as projects get larger and the financial stakes higher, expectations are moving in that direction.

Third-party risk management is part of what we address in our CISO advisory and risk assessment services. If you're managing a large development project or a real estate portfolio with significant contractor access to systems, get in touch.