Cybersecurity protections

From training your staff to making sure your firewall is up-to-date, it’s important that you take action to protect your firm’s data, your clients’ data, and your network from cyberattacks. Whether your firm is large or small, with all of the sensitive data AEC companies manage regarding our clients, our employees, and our businesses, cybersecurity protections are important to stay on top of. Recently, our firm’s management team members were targets of spear phishing (highly targeted form of phishing) campaigns. As one manager after another was targeted, we responded by further tightening up our IT protections. Here is our advice for key actions you can take to help protect your firm’s data and network.

1. Staff training. Your firm’s employees are the first line of defense in protecting your network. As such, it is important that they are educated about the increasingly sophisticated methods cyber criminals use to steal sensitive data. Your IT personnel can conduct the training, or you can utilize an external vendor. Our firm opted to use a virtual training consultant that provided education regarding three areas:
   1. Security awareness – Through this training, our staff learned to spot the red flags associated with social engineering cyberattacks and potential malware behaviors, in addition cybersecurity best practices. They were very surprised to learn the offline methods criminals will use to set up a cyberattack.
   2. Phishing – Phishing can be attempted in a variety of different formats, so we wanted our employees to have an in-depth understanding of this practice in order to better recognize its various types. The training covered the dozens of possible signs – which are not always immediately apparent – that an email is fraudulent.
   3. Staying safe while working remotely – Many of our employees travel to project sites and have to work remotely while on the road. In addition, with the COVID-19 pandemic, we had many of our staff working from home. The Working Remotely module covered practices such as ensuring internet connections are secure, using VPN, using a wired connection whenever possible, access protecting devices, and locking up/shredding sensitive documents.
2. Staff testing. We felt it wasn’t enough to simply provide staff training on cybersecurity – we wanted to ensure that they absorbed the lessons and had the corresponding increased vigilance. We worked with our training provider to set up test phishing attempts to check whether employees were able to recognize and avoid simulated cyberattacks. We were surprised that even after training, 12 percent of our employees still fell for these (fake) attempts. These staff members were then assigned further training. Over time, we’ve seen these incidences decrease. Practice makes perfect, or so those who fell for these told us.
3. Firewall upgrade. Like all technology, firewalls eventually become obsolete; however, it is prudent to upgrade your firewall before it is completely out-of-date/no longer has manufacturer support. In addition to training your staff on cybersecurity, one of the other best things you can do to protect your network security is utilize comprehensive, up-to-date firewall technology. The general stated best practice is to upgrade your firewall every three to five years; however, other triggers for a firewall upgrade include a change in your network requirements or if your firm experiences a significant growth spurt. In addition to upgrading your firewall as appropriate, it is also important to keep up with its updates, which are sometimes available as frequently as daily, to ensure you are protected from ever-changing vulnerabilities.

I recently read that 2019 was one of the worst years yet for attempted and successful cyberattacks, and 2020 is expected to have further increases in cyber criminal activity. As a firm, these stats are in line with our experience, as we continue to see increased attempts to breach our cybersecurity defenses. Fortunately, we have been able to prevent criminals gaining access to our data, with the measures outlined above being crucial. We urge our colleagues in the industry to take stock of your firm’s current cybersecurity protections and ensure they are as strong as they can be. Jeff Terschak is IT manager at R.E. Warner & Associates, Inc. Contact him at jterschak@rewarner.com.