by Nathaniel C. Gravel
With news headlines filled with reports of cyberattacks shutting down everything from fuel pipelines to food distribution to internet services, it is not unthinkable that your architectural firm, engineering firm, or construction company could become the next victim. Increasingly sophisticated cybercriminals have the technology and resources to attack any organization, of any size, in any location. The most common forms of attack include phishing or malicious email, data compromise and exfiltration, credential theft, and ransomware.
The size of your firm and the nature of architectural, engineering, or construction work are no guarantee of safety. In 2020, a ransomware attack forced a London-based architectural firm to take its network offline. The cybercriminals attempted to extort money after stealing confidential information. Although the firm’s data was backed up, it lost several days of work and was unsure how much information had been stolen or whether additional ransom demands would be made in the future.
This example of a business being targeted by unscrupulous cyber criminals hits home for architectural and engineering firms, demonstrating the need for firms of all sizes to invest in cybersecurity defense and security awareness training. Half of all small- and medium-sized businesses that suffer a cyberattack go out of business within six months. At the very least, your business is going to suffer a period of disruption that can range from being a nuisance to complete shutdown.
What can you do to protect your firm against a cyberattack? Here are five steps to take to become more resilient to cyberattacks.
- Gap Assessment – The first thing to do is identify the places and ways a cybercriminal might be able to access your system. An end-to-end review of vulnerabilities, which should include a penetration test, will give you a basis for deciding where you need to shore up your defenses.
- Employee Training – With 95% of intrusions traced to individual error, it is essential that you implement a formal training program for all staff members. A training “stack” can help better prepare your people to recognize phishing attempts, spoofed emails, and suspicious attachments. Be sure to include refresher training, as threats are constantly changing and becoming more sophisticated.
- Testing – Don’t just assume your systems are secure and employees are following the rules they have learned. Regular vulnerability assessment, penetration testing, and simulated phishing exercises will help identify and close control gaps before attackers are able to exploit them.
- Patching – If you are still running an older version of any software, you should immediately update to the latest version, which should include patches and security updates.
- Layered Security/Defense in Depth – Many companies are still taking an unbalanced approach to defining and implementing their cybersecurity strategy, putting too much confidence in too few security measures, most of which are geared toward preventing cyberattacks. A well-balanced cybersecurity strategy looks beyond simple preventative controls to also consider the organization’s detection and response capabilities. A more comprehensive security strategy generally leads to better investments and an overall improvement in the organization’s security posture.
With the odds seemingly stacked in favor of hackers and cybercriminals, it is only a matter of time before your organization falls victim to an attack. But a comprehensive cybersecurity strategy and a well-implemented information security program can help you minimize the impact on your organization and get you back to business quickly.
Nathaniel C. Gravel, CISA, CISM, CRISC is a cybersecurity expert and consultant with Gray, Gray & Gray, LLP.