How To Solve Cybersecurity Challenges For Your Architecture And Engineering Firm?
I’ve put together this blog post based on feedback from the firms we work with in the industry and on our own research. I believe this information could be helpful to other firms in the Architecture and Engineering community. Please provide feedback and comments at the end of this post.
Information Security and Cyber Threats
This challenge has faced Information Technology departments for years. Since the late 90s and the .COM boom, security has been a top concern for many techies out there. However, we have seen very rapid growth in security-related incidents in the last few years. High-profile corporations and government agencies alike have reported recent information security breaches, and think of how many have gone undetected or unreported. Gives me shivers just imagining it. These are entities that spend enormous amounts of money on security every year, and still can’t stop the bad guys from getting in. So where does that leave you?
I know what you are about to say, and I get this all the time: “We are a small Architecture firm of 15 people, who would target us?” That is a very valid question, which has an equally valid answer. Most cyber criminals don’t think this way. To them this is a game and a challenge, or an opportunity to hone their skills. Much of what hits a small firm is not aimed at it at all: automated scanning and mass phishing campaigns go after every reachable address and inbox, and whoever is easiest gets in. They could break into your environment just to see who could do it faster, or to be mischievous. It may or may not prove easy for them, but in the end it will cost a lot of grief for you and your business.
Fact of the day: It takes on average 48 hours to recover from a ransomware attack. (SentinelOne Study, 2016)
In addition, as we move forward, the AEC industry will be challenged to safeguard its own data and systems. Due to recent high-profile breaches, clients are incorporating security requirements into their contracts more and more regularly.
How to face this challenge?
Change your thinking
When it comes to security it does not pay to be optimistic. Murphy’s law is a much better mindset here: if something bad could happen, it probably will. The fact is: you have been attacked in the past (whether you know it or not), you will be attacked in the future, and you may be under attack right now. Now, ask the following questions of yourself and your IT department:
- How can we lower our risk of being compromised by an attacker?
- How can we increase visibility into our cyber security?
- When we get compromised, how do we detect, remediate and recover quickly?
I like the 80/20 rule, as it simply works. You know the one I’m talking about, right? Yes, that one: “20% of your effort leads to 80% of the results, and vice versa”. The following suggestions do not take much investment, but provide great results.
- Create and enforce a password policy – This is easily the most cost-effective way to lower your security risk. Get your users to create complex passwords and change them on a regular basis. This is a best practice to follow in your personal life as well; in fact, more and more online services are pushing you in that direction. Here are some guidelines to get you started:
- Password complexity – Passwords must contain characters from at least 3 of the 4 character groups (lowercase a, uppercase A, digit 1, symbol #)
- Password length – Passwords must be a minimum of 8 characters; longer passphrases are stronger, so allow and encourage them
- Password expiration – Passwords should expire within 90 days or less. Be aware that NIST SP 800-63B (2017) now advises against forced periodic changes and composition rules unless a compromise is suspected, favouring length and screening against known-breached passwords, so check which standard your clients’ contracts reference
- Account lockout – Accounts should lock out for 30 minutes after 3 invalid login attempts. Enforce this on every login path (VPN, webmail, remote desktop), not just the domain, and keep in mind that a very low threshold lets an attacker lock your own users out on purpose
- Implement a Business Class Firewall – A business-class firewall is key to securing your network from the Internet. A properly configured firewall, one that denies all inbound connections by default and only exposes the services you actually publish, is one of the most effective controls against external threats; a badly configured one provides little protection regardless of its price. Keep the following in mind when choosing your appliance:
- Get an appliance from a reputable vendor who can provide 24×7 support and replacement
- Look for appliances with “Next Generation” capabilities (application awareness, intrusion prevention, content filtering) that provide additional security visibility and monitoring and can be added as a service at a later time
- Look for a device that delivers the Internet throughput your business needs with those security features switched on; inspection features reduce throughput, so size the device with them enabled
- Implement Business Class Antivirus – Not all antivirus products are created equal; in fact none are. Your antivirus protects your data from being infected, corrupted, or lost to infection. When choosing your antivirus pay attention to the following:
- The product should have central management and policy enforcement capabilities, preferably cloud based, so that you can see every workstation’s status and users cannot silently disable it
- It should provide “zero day” threat protection, meaning behaviour-based or heuristic detection that does not depend on a signature already existing for the malware; no product catches everything, which is why the other items on this list still matter
- It should have a very small installation footprint
- Educate your users – It is hard to overstate the benefit of education, as long as the education is good. Conducting regularly scheduled training sessions, such as monthly lunch and learns, is a great way to get your users engaged and aware. Follow these suggestions:
- Review your information security policies with your staff, and make them part of new employee training
- Review and break down one recent security threat or breach that hit the newswire
- Encourage users to report any anomalies they notice in their electronic life, and make sure reporting is easy and never punished
- Conduct a Security Assessment – How can you measure your exposure if you don’t know where the risks are? You can’t. A security assessment can tell you where the risks are, and provide recommendations for mitigating them and lowering your exposure to cyber threats.
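The password and lockout rules from the first suggestion above, turned into a check you can actually run. This is an added example written for this edit, not code from the original post: the policy numbers are the ones listed above, the breached-password list is a small constructed stand-in for a real download such as Have I Been Pwned’s, and the breached-password screen itself goes beyond the post’s four rules.

```python
"""Password policy and account-lockout checks.

Added example, not code from the original post. Implements the post's rules
(3 of 4 character groups, minimum 8 characters, 30-minute lockout after
3 failures) plus a breached-password screen as an extra caveat.
"""
from __future__ import annotations

import string
import time
from dataclasses import dataclass

# Constructed stand-in for a real compromised-password list (a real one,
# e.g. the Have I Been Pwned download, has hundreds of millions of entries).
KNOWN_BREACHED = {"password", "password1", "welcome1", "qwerty123", "letmein"}


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8             # post: minimum of 8 characters
    required_classes: int = 3       # post: 3 of the 4 groups (a, A, 1, #)
    max_failed_attempts: int = 3    # post: lock out after 3 invalid attempts
    lockout_seconds: int = 30 * 60  # post: 30-minute lockout


def character_classes(password: str) -> int:
    """Count how many of the four groups (lower, upper, digit, symbol) appear."""
    groups = (
        set(string.ascii_lowercase),
        set(string.ascii_uppercase),
        set(string.digits),
        set(string.punctuation),
    )
    return sum(1 for g in groups if any(c in g for c in password))


def check_password(password: str, policy: PasswordPolicy = PasswordPolicy()) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if character_classes(password) < policy.required_classes:
        problems.append(f"uses fewer than {policy.required_classes} of 4 character groups")
    # Extra screen beyond the post's rules: a password that satisfies the
    # complexity rule but already sits in a breach list is still weak.
    if password.lower() in KNOWN_BREACHED:
        problems.append("appears in a known-breached password list")
    return problems


class LockoutTracker:
    """Track failed logins per account and enforce the post's lockout rule."""

    def __init__(self, policy: PasswordPolicy = PasswordPolicy(), clock=time.time):
        self.policy = policy
        self.clock = clock  # injectable so the 30-minute window can be tested without waiting
        self.failures: dict[str, int] = {}
        self.locked_until: dict[str, float] = {}

    def is_locked(self, account: str) -> bool:
        until = self.locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:  # lockout window has expired: clear state
            del self.locked_until[account]
            self.failures.pop(account, None)
            return False
        return True

    def record_failure(self, account: str) -> bool:
        """Record a failed login; return True if the account is (now) locked."""
        if self.is_locked(account):
            return True
        n = self.failures.get(account, 0) + 1
        self.failures[account] = n
        if n >= self.policy.max_failed_attempts:
            self.locked_until[account] = self.clock() + self.policy.lockout_seconds
            return True
        return False

    def record_success(self, account: str) -> None:
        """A successful login resets the failure counter, but never unlocks early."""
        if not self.is_locked(account):
            self.failures.pop(account, None)


if __name__ == "__main__":
    # Constructed sample passwords: the last one passes the complexity rule
    # yet is rejected because it is in the breach list.
    for pw in ("Winter2016", "summer", "Tr0ub4dor&3", "Password1"):
        print(pw, "->", check_password(pw) or "ok")
```

The tracker keys on the account name, not the source address, because a password-spraying attacker rotates addresses; the injectable clock is what lets you verify the 30-minute expiry in a test rather than on a live domain.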
Following these suggestions will go a long way toward keeping your company and data more secure, and you less worried about this piece of the business.