If you’re not taking a proactive approach to your firm’s cybersecurity, this could be the year you decide to go out of business without realizing it.
Let’s time travel for a bit. Assume for a while that time travel is commercially available. Now let’s jump ahead and see what the roadkill in the next 10 years will be in the AEC industry.
As we look back and compare firms that are still in business now (2032) versus back then (2022), we will find that most of the decisions that caused those firms to go out of business were not made in grand fashion. Few will be able to point to a seminal moment and say, “If they had just chosen ‘a’ instead of ‘b,’ they would still be around.” The failures we see in 2032 are not the result of a singular bad decision. Looking back, we will find that most of the failures were the result of a mindset rooted five to eight years prior to 2022.
2022 was a year where most businesses in the Midwest were still trying to live with their “doors unlocked” because “that’s just how we do business.” It was a year when most leaders walked around with an intentional de-emphasis on any type of cybersecurity threat. It was a year when IT spend was still viewed as an expense and not an investment. It was a year when most leaders or founders of any given firm were convinced they had a shield around them that protected them from cyber criminals because “they don’t even know we exist.”
Boy, were they wrong.
Looking back, we see that 2022 was the year things changed. It was the year that business leaders and firm owners learned at least three important lessons the hard way:
1. Being unknown or small does not equal safe. Most businesses that went out of business between 2022 and 2032 did so as the result of the flawed thinking that being unknown provided a heat shield from cybercrime. Some firms went out of business early (2022-2024) because they were introduced to ransomware. They were locked out of all their files, and in some cases, client files were posted on the dark web (violating their nondisclosure agreements with their clients – who subsequently sued). For the early departures, the deaths were quick and painful. For those who were able to get some form of their files back, there was always the threat of the ransomware exploding again. (Incidentally, if you read the substance of No. 1 and are not quite sure what we’re talking about, you are at risk of being one of those early departures.)
2. Data is oil and has value. Those who went out of business over that 10-year period had another common misperception – they did not understand the value of data. As early as 2004, data was becoming the new “oil” of the economy. It had inherent value and increased in value the more it was refined. It became a bargaining chip of sorts. The cyber criminals who were able to get into a firm’s systems held all the cards. They either took the data hostage, or in some cases they committed industrial theft and shared designs and intellectual property. Over time, some firms realized that they had been compromised for years, with bad actors sifting through files and stealing valuable client data. Some cybercriminals even made money selling one firm’s designs and intellectual property to competing firms.
3. Underspending helped many firms save their way to the ash heap of history. Business leaders often get angry about any sort of IT spend. We are not sure why, but 2020-2022 were interesting years. Those were the years when business leaders gravitated toward a mindset born of a false premise: If I can buy technology at BestBuy or Sam’s or Costco, why should I pay so much to have someone manage it? Looking back 10 years at 2022 and the years in between, we have learned that saving money on hardware or software packages does nothing to develop strategy. It was during those years that most were happy if IT just worked. What they didn’t see is what eventually killed them.
Welcome back. Now, let’s travel back to the present day. What do you do? The stars are aligned for a lot of good AEC firms to go out of business in the next 10 years, all because of an erroneous mindset. Will you do anything differently?
Here is what you face in one quick list:
- If you can afford your cybersecurity policy renewal this year, you will not be able to afford it next year (and it won’t be worth the money – your coverage will drop to a paltry amount). With that backstop gone, how will you operate?
- The “IT person” you hired may be great at networking, but are they great at cybersecurity? IT as a function has grown a lot of different disciplines – so saying “we’ll hire an IT person to handle it” sounds about as silly as building a hospital and saying “we’ll hire a doctor.”
- Cybercrime is exponential, not incremental. This is where most long-time business leaders have trouble computing the reality of today’s world. We often think of crime as linear: one person can break into one thing at a time. Cybercrime is exponential: one person can break into thousands of places at one time, drain all their data or funds, and have it all routed to places you cannot find within milliseconds.
- The greatest threat is your greatest asset – your people. We all know people make the difference. Finding and keeping good employees is a strategic advantage – but few if any AEC companies are asking questions during interviews to uncover if a candidate has any type of security mindset. When your people click the wrong link, or wire money to what looks like a perfectly legitimate bank account, your asset becomes your liability. Remember – people do not become more secure just because they come to work.
- The price to secure your business is based on expertise, not your budget. Addressing the threat is all about mindset and accepting that you can no longer view IT and cybersecurity as an expense to be controlled and diminished over time. Smart firms will accept that this will be a long-term investment that will grow each year and be designed to protect strategic assets.
Is your head spinning yet? You are not alone. Nobody wants running a business to be this way. It is digital Darwinism at its finest and it is something you will have to address with a plan. How will you start?
Perhaps the best place to start is with a conversation. Edafio Technologies will be facilitating an educational breakout session at Zweig Group’s ElevateAEC Conference called “Naked and Afraid: That point when you realize your business really is a target for cybercrime.” This is a session designed to equip AEC business leaders with the start of a cybersecurity playbook you can build out for your own business. We hope you will join us, because now is the time to make sure you are not one of the epitaphs we read in 2032.
Mark Hodges is chief growth officer at Edafio Technology Partners. Contact him at mhodges@edafio.com.