flexiblefullpage -
billboard - default
interstitial1 - interstitial
Currently Reading

What AEC firms should look for in a cybersecurity partner

Security and Life Safety

What AEC firms should look for in a cybersecurity partner

When looking for expert partners in cybersecurity, AEC firms will find quite a lot of companies claiming to be at the forefront of modern threats. Here are five key points to look for when choosing a cybersecurity firm.

By Michael Smith, Director of IT Operations, HKS Inc. | July 5, 2022
What AEC firms should look for in a cybersecurity partner Photo Shutterstock
Photo: Shutterstock

The architecture, engineering and construction (AEC) industry is increasingly reliant on technology and the use of online networks to share project/client data and connect to third-party supplier networks, often doing so remotely from job sites. As we become more digital – the incorporation of several digital tools, technologies, and methods such as robotics, data analytics, additive manufacturing (AM), artificial intelligence (AI), internet of things (IoT), machine learning (ML), and drones – also means we are increasingly susceptible to cyber attacks. 

Past reported incidents include unauthorized access of a major retailer’s network through the mechanical contractor doing retrofit work on the HVAC system which lead to the exposure of about 40 million debit and credit card accounts, a data breach of personal sensitive information of employees of two well-known United States based construction companies, and compromised trade secrets of a construction elevator and escalator manufacturing firm.

Construction and related firms are not highly regulated, and since they haven’t historically been an “obvious target” for bad actors, the industry is often managing increasing cyber risk against unrealistic expectations. With multiple partners working together on a project, and the average cost of a data breach of $5.2 million, we cannot afford to simply put up the basic security walls any longer. More effective, customized security programs must be put in place. 

When looking for expert partners in cybersecurity, you’ll find quite a lot of companies claiming to be at the forefront of modern threats. I believe there are five key points to look for when choosing a cybersecurity partner to protect your livelihood and help security professionals sleep  at night. 

  1. Get a Partner, Not a Vendor: During the “interview” process, make sure you are getting a team behind you that will not just provide a service, but will be incorporated into your team for the long-run. A cybersecurity partner needs to feel they have skin in the game and you need to do a gut check against this metric. How invested do you feel they are in your success? We have had multiple occasions where we’ve asked our provider to investigate a threat that did not present itself by typical indicators of compromise. In every instance they went above and beyond what I would have considered a reasonable response. If they don’t consider an attack on you an attack on them, then you might want to reconsider those relationships. I want to be able to take a vacation and know that I have my own sheepdog guarding the chicken coup from the proverbial wolves!
  2. Customization and Flexibility: There is great need for customization of a cybersecurity program in the AEC space. Our industry is highly fragmented and any one project could include a dozen or two dozen different firms each doing a different piece of the construction puzzle. Files are transferred back and forth among all firms and that transfer must be quick and easy – and secure. Additionally, today’s contracts are demanding stricter cybersecurity principles including 24 hour breach notification, endpoint protection, multi-factor authentication, and more. A cybersecurity partner needs to be able to take each new project in stride, building a customized program protecting all endpoints, while being able to understand the speed and ease the AEC industry needs in transferring large files.
  3. Speed of Detection and Response: An effective cybersecurity approach needs to ingest endpoint, network, log, cloud, asset and vulnerability data that enables complete attack surface visibility 24 hours a day, seven days a week. We recently had a partner firm on a project infected with ransomware. Within the same day, our cybersecurity partner, eSentire, had a full report in hand. With a team of experts actively hunting for threats across the entire AEC environment, our mean time to containment (MTTC) is normally a mere 15 minutes, allowing work to stay on schedule. 
  4. Bringing Strong Relationships to the Table: Having pre-arranged relationships with top notch other security vendors is a critical component to a strong cybersecurity partner. With relationships in place, our cybersecurity firm (in our case eSentire) vouches for me and connects us with best in breed partners such as CrowdStrike, Microsoft and Sumo Logic without our team needing to do all the heavy lifting to fill in all the blanks of an Managed Detection and Response program.
  5. A Culture of Innovation: Take a hard look at a potential security partner’s culture of innovation. Do they win awards for innovation and do it with a spirit of humility? Are they always pushing forward? Are they constantly re-evaluating their own offerings and processes? What are they doing behind the scenes to bring forward innovative and timely threat intelligence and are they sharing it with the industry-at-large to improve outcomes for all? Threats are changing all the time and a partner should have a culture of change to keep up. 

With the right partner in place, the growing threat of cyberattacks on AEC projects can be effectively mitigated. Generally speaking, however, our industry needs to do a better job bringing a real-world cybersecurity perspective to each project, with an eye toward why certain designs can or cannot work. It’s critical we work within modern threat landscapes, while doing our best to not alter an artist’s design and vision. This means a robust cybersecurity plan and the ability to proactively detect, disrupt and remediate cyber threats anytime and anywhere. 

As an experienced leader in Information Technology operations, Michael Smith has a demonstrated history of fostering innovation within the Architecture & Engineering industry, leading high-performing teams to support and secure all enterprise infrastructure and endpoints. Skilled in operations and business process improvement, Michael has successfully grown within the sector and is currently the Vice President & Director of Information Technology Operations for HKS, an interdisciplinary global design firm that is on a mission to become one of the most influential firms in the AEC industry. Michael’s positive, humble and people-oriented perspectives foster alignment between the technology portfolio and the firm’s overall business objectives which translate into increased revenue and tangible enterprise value. 

Prior to HKS, Michael held key leadership roles for companies like Lockheed Martin, Carter & Burgess and most recently with engineering heavyweight Jacobs. Michael has law enforcement experience as a former Security Police Officer with the United States Air Force where he graduated from the USAF Law Enforcement Academy with Honors. Michael also holds an Associate’s Degree in Global Business Management.

Related Stories

K-12 Schools | Jan 25, 2023

As gun incidents grow, schools have beefed up security significantly in recent years

Recently released federal data shows that U.S. schools have significantly raised security measures in recent years. About two-thirds of public schools now control access to school grounds—not just the building—up from about half in the 2017-18 school year. 

Sponsored | Resiliency | Dec 14, 2022

Flood protection: What building owners need to know to protect their properties

This course from Walter P Moore examines numerous flood protection approaches and building owner needs before delving into the flood protection process. Determining the flood resilience of a property can provide a good understanding of risk associated costs.

Building Materials | Nov 2, 2022

Design for Freedom: Ending slavery and child labor in the global building materials sector

Sharon Prince, Founder and CEO of Grace Farms and Design for Freedom, discusses DFF's report on slavery and enforced child labor in building products and materials.

BAS and Security | Oct 19, 2022

The biggest cybersecurity threats in commercial real estate, and how to mitigate them

Coleman Wolf, Senior Security Systems Consultant with global engineering firm ESD, outlines the top-three cybersecurity threats to commercial and institutional building owners and property managers, and offers advice on how to deter and defend against hackers. 

Resiliency | Sep 30, 2022

Designing buildings for wildfire defensibility

Wold Architects and Engineers' Senior Planner Ryan Downs, AIA, talks about how to make structures and communities more fire-resistant.

Building Materials | Aug 3, 2022

Shawmut CEO Les Hiscoe on coping with a shaky supply chain in construction

BD+C's John Caulfield interviews Les Hiscoe, CEO of Shawmut Design and Construction, about how his firm keeps projects on schedule and budget in the face of shortages, delays, and price volatility.

Sponsored | BD+C University Course | May 10, 2022

Design guide for parapets: Safety, continuity, and the building code

This course covers design considerations for parapets. The modern parapet must provide fire protection, serve as a fall-protective guard, transition and protect the roof/facade interface, conceal rooftop equipment, and contribute to the aesthetic character of the building. 

Sponsored | Healthcare Facilities | May 3, 2022

Planning for hospital campus access that works for people

This course defines the elements of hospital campus access that are essential to promoting the efficient, stress-free movement of patients, staff, family, and visitors. Campus access elements include signage and wayfinding, parking facilities, transportation demand management, shuttle buses, curb access, valet parking management, roadways, and pedestrian walkways.

Sponsored | BD+C University Course | May 2, 2022

Multifamily security design tips from four certified security professionals

Four certified security professionals offer 38 tips on how to keep your next rental or condominium project as safe as possible. This course will discuss major security-related principles in the design and construction of multifamily projects. Discover measures to improve exterior and interior security measures.

Sponsored | BD+C University Course | Apr 1, 2022

Video surveillance systems for multifamily housing projects

This introductory course provides detailed technical information and advice from security expert Michael Silva, CPP, on designing a video surveillance system for multifamily housing communities – apartments, condominiums, townhouses, or senior living communities. Technical advice on choosing the right type of cameras and optimizing the exterior lighting for their use is offered.

boombox1 - default
boombox2 -
native1 -

More In Category

halfpage1 -

Most Popular Content

  1. 2021 Giants 400 Report
  2. Top 150 Architecture Firms for 2019
  3. 13 projects that represent the future of affordable housing
  4. Sagrada Familia completion date pushed back due to coronavirus
  5. Top 160 Architecture Firms 2021


Magazine Subscription

Get our Newsletters

Each day, our editors assemble the latest breaking industry news, hottest trends, and most relevant research, delivered to your inbox.


Follow BD+C: