Cybersecurity for AEC Firms

Posted on: 08/05/22
Written by: Nathaniel C. Gravel, CISA, CISM, CRISC
Topics: Technology

With news headlines filled with reports of cyberattacks shutting down everything from fuel pipelines, to food distribution, to internet services, it is not unthinkable that your architectural firm, engineering firm, or construction company could become the next victim.

Increasingly sophisticated cyber criminals have the technology and resources to attack any organization, of any size, in any location.

If you are relying on the size of your company or the nature of architectural, engineering or construction work to make you less likely to be a target, think again. In 2020, a ransomware attack forced a London-based architectural firm to take its network offline, disrupting remote operations that had been instituted during the Covid-19 crisis. The cyber criminals who breached the firm’s server attempted to extort money after stealing confidential information. They encrypted internal company data and said it would only be released if the ransom was paid. The ransom message included screenshots of compromised payroll data and other financial information. Although the firm’s data was backed up, it was unsure of how much information had been stolen, and principals worried that additional ransom demands would be made in the future.

This example of a business being targeted by unscrupulous cyber criminals hits home for architectural and engineering firms, demonstrating the need for firms of all sizes to invest in cybersecurity and security awareness training. Smaller companies typically have fewer resources to defend themselves against cyberattack, and the damage done is often more devastating. Half of all SMBs that suffer a cyberattack go out of business within six months. This is certainly a risk to which we all need to pay attention.

What is at risk from a cyberattack? That depends largely on the type of attack. At the very least, your business is going to suffer a period of disruption that can range from being a nuisance to complete shutdown. Here are the most common forms of attack.

• Phishing or Malicious Email – Nobody is immune from being “spoofed” by an email that looks legitimate but is designed to penetrate your company’s network. That’s why 95% of cyber penetration is made via email. Think you are too smart to be fooled? An estimated 30% of phishing emails are opened.

Cyber thieves have become experts at making emails appear to be from a colleague or friend, or someone management, or a customer. They may include a link or attachment that looks innocent but surreptitiously plants malicious files into your system. There they may lay dormant for days, weeks, or months before being activated to access data, steal valuable information, or disrupt your communications.

• Data Compromise and Exfiltration – If a criminal organization penetrates your network and gains access to your files your risk is extremely high that personally identifiable information (PII) will be stolen. PII can range from employee social security numbers, to customer financial data, to vendor bank accounts used for ACH transfers. These credentials can appear on the “dark web” within hours of a breach, being bought and sold in batches. The information is exploited to make purchases, open new credit cards, file false tax returns – and any number of illegal and costly uses.

A data breach can be extremely costly for many reasons. For example, in most states the party holding the information – you – can be fined thousands of dollars per day, per data file until the breach is resolved. You will be required to formally notify all individuals whose data was potentially accessed and assist them in monitoring their credit reports to watch for suspicious activity. Perhaps most costly in the long term is the embarrassment your business will suffer through public exposure of the breach, which can permanently damage the trust in which you are held.

• Ransomware – Although ransomware attacks make for bold headlines, the ransoms themselves are seldom huge; the average ransom payment for an SMB is about $130,000. Cyber criminals know that they are much more likely to get paid if their demands are reasonable and affordable, and many businesses quietly pay the price. The real cost of a ransomware attack comes in the loss of access to your network and information. How many days can you survive without the use of your computers? How long will it take you to reconstruct any lost data? Now that you have been targeted, how much will you need to spend to secure against future attacks?

• Credential Theft and Account Takeover – As we continue to rely on web-based applications and cloud infrastructure to carry out operations and deliver services to customers, we become increasingly susceptible to credential theft and account compromise. Usernames and passwords to web-based applications are stolen daily and are used to take over your online accounts. With critical business applications like e-mail and accounting systems now residing in the cloud, credential theft and account takeover can have a detrimental impact on your organization’s reputation and financial position.

What can you do to protect your firm against a cyberattack? Here are five steps to take to become more resilient to cyberattacks.

1. Gap Assessment – The first thing to do is identify the places and ways a cybercriminal might be able to access your system. An end-to-end review of vulnerabilities, which should include a penetration test, will give you a basis for deciding where you need to shore up your defenses.

2. Employee Training – With 95% of intrusions being made through individual error it is essential that you implement a formal training program for all staff members. A training “stack” can help better prepare your people to recognize phishing attempts, spoofed emails, and suspicious attachments. Be sure to include refresher training, as threats are constantly changing and becoming more sophisticated.

3. Testing – Don’t just assume your systems are secure and employees are following the rules they have learned. Regular vulnerability assessment, penetration testing, and simulated phishing exercises will help identify and close control gaps before attackers are able to exploit them.

4. Patching – If you are still running an older version of any type of software you should immediately update to the latest version, which should include patches and security updates.

5. Layered Security/Defense in Depth – Many companies are still taking an unbalanced approach to defining and implementing their cybersecurity strategy, putting too much confidence in too few security measures, most of which are geared toward preventing cyberattacks. A well-balanced cybersecurity strategy looks beyond simple preventative controls and also considers the organization’s detection and response capabilities. A more comprehensive security strategy generally leads to better investments and an overall improvement in the organization’s security posture.

With odds seemingly stacked in favor of hackers and cyber criminals, it is only a matter of time before your organization falls victim to an attack. But a comprehensive cybersecurity strategy and a well-implemented information security program can help you minimize the impact to your organization and get you back to business quickly.

Nathaniel Gravel is a cybersecurity expert and consultant with Gray, Gray & Gray, LLP, a consulting, accounting and business advisory firm based in Canton, MA that serves the architectural, engineering and construction industries. He can be reached at

September 8, 2023

PSMJ Honors A/E Firms Consistently Achieving Circle of Excellence Status

PSMJ Resources, Inc., the world’s leading authority on architecture, engineering, and construction firm management, recently announced sixty-eight exceptional architecture and..

Read More
August 28, 2023

PSMJ Announces 2023 Premier Award for Client Satisfaction Winners

PSMJ Resources, Inc. has announced the winners of the 2023 Premier Award for Client Satisfaction, which honors architecture and engineering firms that deliver a truly exceptional..

Read More
August 25, 2023

Ruby+Associates wins PSMJ’s 2023 A/E/C Building a Better World Award

PSMJ Resources, Inc., the world’s leading authority on effective and profitable architecture and engineering firm management practices, announces Ruby+Associates, Inc. Structural..

Read More