Case Study: Architecture and Design Firms
A common problem in cybersecurity is normalcy bias, where people underestimate both the likelihood of a disaster and its possible effects because they believe that things will always continue to work the way they have normally worked. It is estimated that 70% of people suffer from this bias.
It shouldn’t come as a surprise then that 66% of executives at small businesses still believe they’re unlikely to be the victim of a cyber attack, yet 43% of cyber attacks are aimed at small businesses. With the average cost of a cyber incident now sitting at $200,000 for small businesses, it’s time to ACT and not react.
For this ACT post, we’re going to look at a case study for one industry that has seen a high uptick in cyber incidents: the architecture and design industry.
The Industry
The architecture and design industry focuses on the construction of buildings and other similar structures. It often interfaces with civil engineering and plays an important role in designing structures for all kinds of purposes. Architecture also has historical significance: a structure’s architectural style is often used by historians to identify the time period of its creation.
Professionals in the industry will take into consideration things like aesthetics, environmental impact, building function, social concerns, energy and resource efficiency, sustainability, and technical advancement when designing a structure. They may also specialize in supporting tasks like cost estimation, construction administration, and scheduling, as well as building material coordination and manipulation. Architects and architectural designers will also use drawings to draft their building plans, though these drawings are now often computer-generated through computer-aided design and drafting, also known as CAD or CADD.
Why are Architecture and Design Firms Targeted?
Many organizations have similar back office functions that help them run. These include activities like payroll, HR support, accounting, and purchasing. Since these are not unique to architecture and design firms, we will not explore them deeper here, though they bring their own host of problems. Instead, we’ll focus on a number of significant items that make architecture and design firms susceptible to a cyber incident:
RENDERING SERVERS
Architecture and design firms rely heavily on CAD/CADD to design their work. Long gone are the days of paper and drafting tables, as firms seek to create immersive experiences for their clients. This can even include employing virtual reality (VR) headsets for a one-of-a-kind tour. To turn ideas into a picture, 3D rendering, or a VR tour, rendering servers are becoming more common in architecture and design offices.
These servers are packed full of graphics processing units, or GPUs for short. These powerhouses can offload the heavy computing work necessary to bring a design to life from an employee’s computer, and instead handle it on a dedicated server. Unfortunately, this same methodology is employed for other activities like mining cryptocurrency. While we won’t get into the specifics of cryptomining, for a hacker, these rendering servers are a Ferrari sitting in a garage waiting to be taken for a spin. And if it breaks while they’re using it, they don’t own it anyways! This can be a massive headache for a firm that relies heavily on rendering servers.
EXTERNAL SHARING
Architecture and design firms also share and exchange information with a number of external organizations. These usually include clients, construction companies, or other architecture firms, but the exchange is usually facilitated the same way: a sharing portal. If the sharing portal is misconfigured or uses an insecure technology, like FTP, it becomes a wide open door to hackers. They can use the portal to enter the IT network of the firm, and then cause all manner of problems, from ransomware to stealing information. What normally helps the firm stay connected with clients and associates to share drawings can quickly become a hindrance to just doing business.
LOST TIME / PRODUCTIVITY / REPUTATION
When an architecture and design firm is working on a project and finds itself on a tight deadline with lots of moving parts, what would happen if all of its work was suddenly unavailable? What if it was locked down with ransomware? Or if the files were deleted, causing the project to be delayed indefinitely and forcing the client to reschedule their move-in plans? Or what if a bid for a project was stolen and shared with another firm who used it to outbid the original firm?
Losing time, productivity, or damaging the firm’s reputation can happen quickly and oftentimes easily. A phishing email that someone clicks on, a weak password, or a misconfigured sharing portal like the one mentioned above could be the starting point of a cyber attack. Any of these could cause huge delays costing the firm millions of dollars in current or future work.
What can be done?
Lots! By identifying and remediating vulnerabilities on your IT network, including misconfigurations, you can prevent lost time, lost productivity, and damage to your firm’s hard-earned reputation. If you want to know more about your firm’s current cybersecurity posture, and how Hive Systems has helped other architecture and design firms improve theirs, let’s talk about our Vulnerability Assessment. And if you’re ready to find out more about cybersecurity, click below to start the conversation.