IT for Clark County construction firms — jobsite Wi-Fi, Procore, ransomware risk

If you run a general contractor or specialty sub in Clark County, your IT problems are not the same as the law firm down the street. The office is half the operation. The other half is on a jobsite, in a pickup, or in the dirt — and that half is where most construction IT projects fall over.

This is the practical guide for owners, ops managers, and office managers running construction IT in Vancouver, WA. We'll walk through the four problems that actually matter: jobsite Wi-Fi failure modes, the Procore + Sage stack, ransomware risk via submittal PDFs and AP phishing, and mobile-device loss. Then a 30-day pilot framing and an FAQ.

1. Jobsite Wi-Fi failure modes

Jobsite Wi-Fi is its own discipline. The office IT playbook does not transfer. Here are the failure modes I see most often on Clark County and Portland-area jobsites.

The "consumer router in a job trailer" problem

Someone bought a $79 router at Costco, plugged it into a 4G hotspot, and called it good. It works fine for the first week. Then the superintendent loads a 200MB Procore drawing on his phone, two laptops are on Teams calls, the surveyor is uploading scans, and the whole thing falls over. Consumer routers were never designed for 12 simultaneous users plus IoT devices on a metered cellular link.

The single-carrier dead-zone problem

Your trailer is parked at the corner of a site that has decent Verizon coverage and zero T-Mobile coverage. The hotspot is T-Mobile. Three weeks of frustration follow. The fix is dual-SIM or dual-carrier failover routers (Cradlepoint, Peplink, Inseego), which actively bond or fail over between carriers. They cost more than the Costco router. They pay for themselves the first time the foreman doesn't have to drive to a McDonald's to upload a daily report.

The "private APN we can never reach" problem

Some carriers offer private APNs that look great on paper. Then the field tablet can't reach Procore, or can reach Procore but not Bluebeam Studio, and nobody can tell you why. We've untangled enough of these that the rule is: only use a private APN if you have a real reason (compliance, federal job, IoT fleet) and you have someone available to support it.

The "no signal in the building shell" problem

Concrete + steel = no signal inside. Your trailer Wi-Fi covers the parking lot, not the third floor where the framers actually need to look up an RFI. The fix is on-site mesh (outdoor-rated APs, weatherized, PoE-fed from the trailer) or a temporary cellular booster. Mesh is the right answer if you'll be there 6+ months. Booster is the right answer if you'll be there 6 weeks.

The "data plan tripled" problem

Cloud video, point-cloud uploads, and 4K photos eat data fast. The hotspot plan you signed up for in January is throttled by April. Either upgrade the plan, push large uploads to overnight when the trailer is empty, or push them through the office connection at end-of-day sync.

The right jobsite-Wi-Fi answer depends on project length, crew size, and which apps actually need to work in the field. A 14-month tilt-up needs a different setup than a 6-week tenant improvement.

2. The Procore + Sage stack basics

The canonical Clark County GC stack we see is Procore for project management plus Sage 100 Contractor or Sage 300 CRE for accounting, with a Microsoft 365 tenant in the middle holding email, files, and identity. There are variations — Buildertrend instead of Procore, Foundation or Acumatica Construction instead of Sage — but the IT shape is the same.

Procore

Procore is cloud-hosted and largely takes care of itself. The IT work around Procore is identity (SSO from Microsoft 365, MFA, conditional access), user provisioning and de-provisioning when foremen come and go, and integration plumbing — Procore-to-Sage for budget and cost data, Procore-to-Bluebeam or PlanGrid for drawings, Procore-to-DocuSign for contracts. Most projects fail at the integration plumbing, not at Procore itself.

Sage

Sage 100 Contractor and Sage 300 CRE are mostly on-premise or in a private-hosted environment. That means a server, a backup, a VPN or remote-access posture, and a patching cadence. Sage versions matter — Sage 100 Contractor v25 is not v22. Updates require care. Most construction-focused MSPs (us included) keep a Sage upgrade calendar so the firm isn't surprised by an end-of-life version.

Microsoft 365 in the middle

The tenant is the hub. Email, OneDrive, SharePoint, Teams, identity, MFA. If you do nothing else this quarter, get every user on MFA and verify your tenant backup is running. Microsoft does not back up your tenant. We have helped two GCs in the last year recover from "I deleted three years of project email" — both recoveries depended on a third-party backup that someone had set up before the incident. Without that, the data is gone after Microsoft's retention window.

Field tablets and field-friendly licensing

Foremen and PMs in the field usually need full M365 + Procore + Bluebeam. Office staff need full M365 + Procore + Sage. Estimators need M365 + Procore + Bluebeam Revu + sometimes On-Screen Takeoff. Owners and execs need everything plus DocuSign and reporting. Sorting licenses by role rather than by name saves money and makes onboarding new hires a 10-minute job instead of a 90-minute scavenger hunt.

3. Ransomware via submittal PDFs

The most common ransomware vector in construction right now is not what most people think. It's not a Russian hacker breaking into your firewall. It's a submittal email.

Here's how it plays out. Your AP coordinator gets an email from "a sub" with a PDF attachment titled Submittal_Approved_Insurance_Cert_2026.pdf. The email looks legitimate — it references the actual project name (which is public on permit records) and uses a vendor name that's plausible. The PDF either contains an embedded payload or a link to a "secure portal" where the user is asked to sign in. Either path leads to credential theft or malware execution.

From there the attacker pivots: they read the inbox to learn AP rhythm, they reset MFA if MFA is weak, they sit and watch for an opportunity to either redirect a wire payment or stage encryption. Construction firms are attractive targets because: (a) AP volumes are high and look noisy, so a fraudulent invoice blends in; (b) wire payments to subs are normal; (c) project teams trust submittal PDFs by reflex.

What actually works to stop this:

• MFA on every account, no exceptions. Including the owner. Including the bookkeeper who hates it. Conditional-access policies that block legacy authentication.
• EDR on every endpoint with behavioral detection, so a malicious PDF that fires up PowerShell gets caught before it spreads.
• Mail filtering tuned for construction. Our default tenant policy blocks attachment types that AP doesn't need to receive. PDFs go through sandbox detonation. Suspicious links get rewritten.
• A submittal-handling SOP: AP confirms unusual submittals or invoice changes by phone using a number from your existing vendor record, not a number in the email. This single habit blocks most AP fraud.
• A tested backup, including the M365 tenant and any on-prem Sage server. Tested means somebody actually restored a file in the last 90 days. Untested backups are the worst kind of false security.

4. AP phishing via vendor invoices

The cousin of ransomware-by-submittal is AP phishing — and the dollar exposure here is often larger. The attacker doesn't encrypt anything. They just change a wire-routing number on an invoice that looks identical to a real one from a real vendor.

The variation we see most often: attacker compromises a sub's email tenant, sits in the inbox for two weeks, learns the AP coordinator's name at the GC, and sends a "we updated our banking" email with a real-looking PDF on real letterhead. The wire goes out. By the time the sub calls asking why they haven't been paid, the funds have been moved twice and are uncatchable.

The control set for this is largely procedural with an IT backbone:

• Any banking change requires a phone confirmation to a known number, full stop. No exceptions for "the deal is closing today."
• Dual approval on wires above a threshold (we usually recommend $5,000 for construction).
• Display-name spoofing detection in mail filtering, so an email "from" Justin Oberg that's actually from a lookalike domain gets flagged.
• DMARC, SPF, and DKIM on your own outbound mail, so attackers can't impersonate your domain to your subs.
• Annual phishing-simulation training for AP and PMs. The repeat clickers are your training priority.

None of this is exotic. All of it works. The firms that get hit are the firms that hadn't gotten around to setting it up yet.

5. Mobile-device loss controls

Phones and tablets get left in pickup beds, dropped off scaffolding, lifted from job trailers, and forgotten in coffee shops. Construction has more device loss per employee than almost any other industry. The IT controls are non-negotiable.

The minimum baseline

• MDM on every device that touches corporate data. Microsoft Intune is included with most M365 Business Premium licenses. Use it.
• Conditional access that blocks corporate data on non-managed devices.
• Selective wipe capability, so when the foreman's personal phone (which had his Outlook on it) gets stolen, you wipe the corporate side and leave his family photos alone.
• Encryption on every laptop. BitLocker on Windows, FileVault on Mac. Recovery keys escrowed centrally.
• Auto-lock at 5 minutes on phones, 10 minutes on laptops.

What it looks like the day a device is lost

Foreman calls the office at 6:42pm. His company iPad fell off the truck somewhere on I-205. By 6:48pm we've issued a remote wipe through Intune, revoked the device's M365 sessions, and confirmed nobody can sign in from it. Tomorrow we issue a replacement; the data syncs back from OneDrive in about an hour. Total exposure: 6 minutes. Without MDM that same scenario is a multi-week incident response question.

The 30-day construction-IT pilot

For construction firms, the 30-day pilot is shaped a little differently than the generic SMB version (which we cover in detail in the managed IT in Vancouver, WA post).

1. Week 1 — Discovery, including jobsites. We inventory office IT plus walk one or two active jobsites. We look at trailer Wi-Fi, field-tablet posture, MFA coverage on PMs and foremen, Procore and Sage versions, backup status, and the AP-fraud control posture.
2. Week 2 — Onboarding and quick wins. RMM, EDR, backup, MDM agents deployed across the fleet. Mail filtering tightened. Any user without MFA gets enrolled this week.
3. Week 3 — Stabilization. The AP team gets a 30-minute training on submittal and wire-change verification. Field tablets enrolled in Intune. Sage server reviewed for patch and backup status.
4. Week 4 — Review. We sit down with the owner and ops lead, look at ticket data and the discovery report, and decide whether to continue. Same-day response, business hours, month-to-month after the pilot.

The pilot is paid at the standard $99/user/month rate, with a 10-user minimum. Project work — for example a Cradlepoint trailer-Wi-Fi rollout, a Sage version upgrade, or a full M365 tenant rebuild — is scoped separately, with our $25K project floor.

Frequently asked questions

Do you actually understand Procore and Sage, or are you "construction-friendly"?

We support both as standard line-of-business apps for our construction clients. Procore is cloud-hosted; the work there is identity, integrations, and field access. Sage 100 Contractor and Sage 300 CRE we support on-premise and hosted, including version upgrades and integration plumbing to Procore. We don't sell Procore or Sage — we make sure they work.

Can you set up Wi-Fi at our jobsites?

Yes. We scope trailer Wi-Fi as a project (typically $4K–$15K depending on size, length, and whether you need outdoor mesh, dual-carrier failover, or both). We standardize on Cradlepoint or Peplink for cellular routing and Ubiquiti or Meraki for site mesh. We document each site so when a tablet stops working, we can troubleshoot in five minutes instead of an hour.

What about CMMC or federal-job compliance?

If you're chasing federal contracts (Corps of Engineers, GSA, VA work), CMMC will eventually apply. The IT baseline we deploy gets you most of the way to CMMC Level 1; Level 2 requires additional documentation, GCC High M365 in some cases, and formal assessment. We scope that as a compliance project. Don't wait until the contract requires it — the timeline is months, not weeks.

What's the typical Clark County GC IT spend?

For a 15–40-user GC with one main office and 2–6 active jobsites at any time, total IT operating spend (managed services + M365 licenses + EDR + backup + jobsite Wi-Fi + Procore + Sage) typically runs $4,500–$11,000 a month all-in. The managed-services line is only one piece. The savings usually come from consolidating vendors and right-sizing licenses, not from cutting corners.

We just got a phishing email last week. Are we behind?

Probably not behind — phishing emails are constant. The question is whether you have MFA, EDR, and a tested backup. If yes to all three, a phishing email that gets clicked is a contained incident. If no to any of them, it can be a cash-flow-ending event. The first call is free; we'll tell you which side of the line you're on.

Where do I read more?

For the full vertical landing page, see IT for construction firms in Clark County. For pricing and project floors, see the pricing page. For the broader services menu, see the services page.

The good news: the controls that protect a construction firm from ransomware, AP fraud, and lost-device exposure are not exotic. They are MFA, EDR, MDM, mail filtering, tested backups, and a phone-call habit on banking changes. The firms that get hurt are the firms that put off setting them up — and Clark County has been a target for two years running.

Related reading: Managed IT in Vancouver, WA — what $99/user/month actually buys. For broader cybersecurity baselines, see The Small Business Cybersecurity Checklist. For backup and recovery thinking, see Why Backups Aren't Enough.