By Wayne Swafford
In the wake of COVID-19, another threat is increasing exponentially in the architecture, engineering and construction (AEC) industry – hacking. Over the last three months, AEC companies and public agencies have seen a surge in COVID-19-related cyberattacks due to the vulnerabilities associated with sudden and widespread remote work.
Cybersecurity – the multilayered approach to securing a technology environment to preserve the data and the integrity of our devices in the digital space – has never been more important to an AEC firm than it is now. With most of an AEC firm’s intellectual property, such as files, drawings, models and contracts, residing in the digital space, hackers now have a greater ability to get their hands on this information if proper cybersecurity is not practiced.
Consider, for instance, if a hacker can access the design files for a bridge under construction and holds that information for ransom. Or imagine if a cybercriminal obtains design information that will allow access into a bus rapid transit system. The hacker can then tap into the transit agency’s network and create mass disruption.
In recent years, cities such as Atlanta, New Orleans and Baltimore have been plagued by cybersecurity threats. Ransomware attacks have forced their networks to be shut down temporarily, resulting in millions of dollars spent on data recovery. Consequently, to protect their networks, clients are now demanding more robust cybersecurity programs from consultants and contractors. Federal agencies, and soon state and municipal clients, will require firms to adhere to higher security compliance levels as defined by the Department of Defense Cybersecurity Maturity Model Certification. To meet these requirements, AEC firms must step up their existing cybersecurity measures that address the ways information is shared and stored. Some of the cybersecurity measures that firms can implement include:
- Security Training: One of the most effective ways to protect your firm from cyberattacks is to educate your employees. Live in-person security training, mandatory cybersecurity training courses and fire drills such as phishing tests can shore up a company’s cyber defenses. During these training exercises, employees can be taught how cyberattacks have evolved over the years from phishing e-mails to impersonating voice mails to imitating LinkedIn pages. Furthermore, firms should also have a cybersecurity policy that helps employees understand the responsible use of e-mails, company data, internet, and social media.
- Multifactor Authentication: Firms can deploy multifactor authentication where multiple steps are needed to access company-owned networks. This makes it significantly more difficult for hackers to get into company systems and reduces the risk of simple attacks by as much as 90 percent.
- Patching: Firms need to make sure that they are up to date with the latest software patches needed to support their operating systems. A rigorous security patch management/update schedule can go a long way toward foiling different kinds of cyberattacks on a firm’s network infrastructure.
- Penetration Testing: This is a proactive approach that works in concert with patching. A penetration test is when a firm engages an outside consultant to hack into its network (called ethical hacking) and check the firm’s cyber defenses. Based on the results of this testing, the firm can then make the necessary corrections.
- Intrusion Detection/Intrusion Prevention: This allows a firm to identify digital patterns in its network, associate those patterns with employees’ normal activities and establish a baseline. The system triggers an alert when activity departs from that baseline. For example, if someone from accounting who never accesses project files suddenly downloads 10 GB of project information, the system immediately raises an alert.
- Cyber Insurance: While the above steps are important measures, they still don’t guarantee a fool-proof cybersecurity system. Consequently, firms should invest in cyber insurance to protect themselves in the event of a cyberattack that might compromise their digital assets.
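To make the intrusion-detection baseline concrete, here is a small added example (not code from the article or from LAN) of the kind of check a detection system performs. It assumes a file-server access log in a constructed key=value format; the log lines, user names, departments and paths are invented for illustration. The script learns each user's normal folders and daily download volume from a baseline period, then flags later activity that touches a folder the user has never opened or exceeds their usual daily volume by a large factor, which is exactly the "accounting user suddenly pulls 10 GB of project files" case described above.

```python
import re
from collections import defaultdict

# Constructed sample log (hypothetical format, invented users and paths).
SAMPLE_LOG = """\
2020-06-01 09:12:03 user=jsmith dept=accounting action=read path=/finance/ap/invoice-0412.pdf bytes=204800
2020-06-01 09:40:11 user=jsmith dept=accounting action=read path=/finance/ar/aging.xlsx bytes=512000
2020-06-02 10:05:44 user=jsmith dept=accounting action=read path=/finance/ap/invoice-0419.pdf bytes=198000
2020-06-01 08:30:00 user=mlee dept=engineering action=read path=/projects/bridge-17/model.rvt bytes=734003200
2020-06-02 08:45:12 user=mlee dept=engineering action=read path=/projects/bridge-17/drawings.dwg bytes=157286400
2020-06-03 14:22:09 user=jsmith dept=accounting action=read path=/projects/bridge-17/model.rvt bytes=10737418240
"""

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) \S+ user=(?P<user>\S+) dept=(?P<dept>\S+) "
    r"action=(?P<action>\S+) path=(?P<path>\S+) bytes=(?P<bytes>\d+)$"
)


def top_folder(path):
    """Return the first path component, e.g. '/projects/x/y' -> 'projects'."""
    parts = path.strip("/").split("/")
    return parts[0] if parts and parts[0] else ""


def parse_log(text):
    """Parse the assumed key=value log format; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({
                "day": m["day"],            # ISO dates compare correctly as strings
                "user": m["user"],
                "dept": m["dept"],
                "folder": top_folder(m["path"]),
                "path": m["path"],
                "bytes": int(m["bytes"]),
            })
    return events


def build_baseline(events, cutoff):
    """Learn per-user normal behaviour from all events dated before `cutoff`."""
    raw = defaultdict(lambda: {"folders": set(), "daily": defaultdict(int)})
    for e in events:
        if e["day"] < cutoff:
            raw[e["user"]]["folders"].add(e["folder"])
            raw[e["user"]]["daily"][e["day"]] += e["bytes"]
    return {
        user: {"folders": b["folders"], "max_daily_bytes": max(b["daily"].values())}
        for user, b in raw.items()
    }


def detect_anomalies(events, baseline, cutoff, volume_factor=5):
    """Flag post-cutoff events that deviate from the learned baseline."""
    alerts = []
    running_daily = defaultdict(int)  # (user, day) -> bytes read so far that day
    for e in events:
        if e["day"] < cutoff:
            continue
        b = baseline.get(e["user"])
        if b is None:
            alerts.append({"user": e["user"], "day": e["day"], "kind": "no_baseline",
                           "detail": "user has no learned baseline"})
            continue
        if e["folder"] not in b["folders"]:
            alerts.append({"user": e["user"], "day": e["day"], "kind": "new_folder",
                           "detail": f"first access to /{e['folder']}/: {e['path']}"})
        key = (e["user"], e["day"])
        running_daily[key] += e["bytes"]
        if running_daily[key] > volume_factor * b["max_daily_bytes"]:
            alerts.append({"user": e["user"], "day": e["day"], "kind": "volume",
                           "detail": f"{running_daily[key]} bytes today vs "
                                     f"baseline max {b['max_daily_bytes']}"})
    return alerts


def run_sample(cutoff="2020-06-03"):
    """Train on days before `cutoff`, evaluate the rest; returns the alert list."""
    events = parse_log(SAMPLE_LOG)
    baseline = build_baseline(events, cutoff)
    return detect_anomalies(events, baseline, cutoff)


if __name__ == "__main__":
    for a in run_sample():
        print(f"ALERT {a['day']} {a['user']} [{a['kind']}] {a['detail']}")
```

In the sample, the first two days form the baseline: jsmith only ever reads under /finance/ with a peak of about 700 KB per day, so the 10 GB read from /projects/ on the third day produces two alerts, one for the never-before-seen folder and one for the volume spike. A production system would replace the hard-coded cutoff with a rolling window and tune the volume factor per role, but the shape of the check is the same.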
People and intellectual property are the biggest assets for an AEC firm. A cyberattack can create significant financial, operational and reputational impacts to these assets. As COVID-19 has made working from home and other locations essential, more work is being performed outside the confines of the office firewall. This distributed work environment has increased the need for more sophisticated cybersecurity. By implementing some or all of the measures listed above, AEC firms can provide greater cybersecurity for their employees and clients while increasing their competitive advantage.
Wayne Swafford, P.E., is the President of Lockwood, Andrews & Newnam, Inc. (LAN), a national planning, engineering and program management firm. He can be reached at WayneSwafford@lan-inc.com.