Mitigating cyber exposures

Nov 28, 2021

By adopting a zero-trust approach, AEC firms can strengthen their data security and their protection against occupational fraud and external cyber-related threats.

Among its numerous implications for AEC firms, the COVID-19 pandemic greatly accelerated the evolution of the workplace environment. What became obvious almost immediately was that traditional cybersecurity protocols couldn’t keep pace with the complexities posed by hybrid work, growing numbers of remote employees, and the dramatic expansion of cloud-based technology.

The speed with which these developments occurred quickly made traditional perimeter security ineffective and outdated. Today, many AEC firms need a new security model to safeguard their information and networks. Many are now turning to new “zero trust” models.

Zero-trust approaches embrace mobility and protect people, networks, applications, and devices, regardless of their location. What is it? How does it work? And why might it be a valuable approach for AEC firms that have changed their operational models to adapt to the new realities of the work environment? Here are some answers.

Traditional network security essentially “trusts” the identity and intentions of users within a firm’s structure. Unfortunately, this approach leaves it vulnerable to malicious internal actors and rogue credentials, because once inside the perimeter a user or credential is allowed access to the organization without being challenged again. The term “trust, but verify” typically describes traditional network security approaches.

On the other hand, the zero-trust approach removes the concept of trust from within an organization’s structure. With zero-trust, a data breach is assumed with every access request. Thus, every access request must be authenticated and authorized as though it originated from an open network. In contrast to traditional security measures, the concept “never trust, always verify” is emblematic of the zero-trust approach.

Thus, the zero-trust approach has become one of the most effective ways for organizations to control their network, applications, and data. This is especially important today, as AEC firms expand their technology and communication infrastructures to include cloud-based applications and servers. The growing use of locally hosted or virtual machines and software-as-a-service products, along with the increasing numbers of remote employees, has made it difficult for organizations to secure their systems and data. Implementing zero-trust approaches can therefore provide a number of benefits, including:

  • Minimizing your firm’s “attack surface.” By granting the lowest level of access possible for users and devices to perform their essential functions, AEC firms can minimize the area within their enterprise that might conceivably be affected by a potential breach.
  • Improving audit and compliance visibility. The first step in implementing zero-trust is for a firm’s leadership or those responsible for information security to inventory all devices as well as the credentials associated with each device. In this way, all devices are maintained in an audit-ready state.
  • Reducing risk, complexity, and costs. All access requests should be carefully vetted prior to allowing access to any company assets or accounts. This dramatically increases real-time visibility within the firm and helps prevent costly data breaches.
  • Providing “Layer 7” threat prevention. Layer 7 refers to the application layer of the Open Systems Interconnection model. This layer identifies the communicating parties, supports end-user processes and applications, and considers privacy and user authentication. By establishing who can access different security levels within your firm at any given time, the zero-trust approach blocks unauthorized users or applications from accessing your crucial data and prevents unwanted exfiltration of sensitive information.
  • Simplifying granular user-access control. Zero trust requires a firm to define individual users who may access specific information, resources, or functional areas of the firm. As a rule, each user is granted the least privilege to perform their necessary functions.
  • Preventing lateral movement. Segmenting the network by identity, groups, and function allows the firm’s leadership to contain breaches and minimize damage from hackers who otherwise may have been able to move freely within the organization’s perimeter.

Using zero-trust to reduce cyber-vulnerabilities. By combining various preventative techniques, including identity verification, behavioral analysis, micro-segmentation, endpoint security, and least privilege controls, implementing a zero-trust approach can significantly reduce an AEC firm’s risk of becoming a data breach victim. Zero-trust relies on three principles:

  1. Verify explicitly. Every user request must be authenticated and authorized using all available data points. This helps ensure the person or application requesting access in fact is who they say they are.
  2. Use least privileged access. As mentioned, individual users should be granted the least amount of access necessary to perform their authorized functions. Just-in-time and just-enough access, risk-based adaptive policies, and data protection can all help secure data and user productivity.
  3. Assume breach. End-to-end encryption can prevent data from flowing to undesired endpoints. At the same time, using analytics can drive threat detection, improve visibility, and enhance defenses.

Implementing zero-trust. Zero-trust is relatively simple to deploy and doesn’t require the purchase of any costly products or services. AEC firms can use the following principles to implement zero-trust approaches with their enterprises:

  • Define the attack surface. To adopt a zero-trust framework, start by identifying your firm’s critical data, assets, applications, and services. This critical information forms a “protect surface,” which is unique to every organization.
  • Create a directory of assets. Determine where your firm’s sensitive information exists and who needs access to it. Know how many accounts there are and where they connect. Consider removing old accounts and enforcing mandatory password rotation.
  • Adopt preventative measures. Grant individual users the least amount of access necessary to do their work. Use multifactor authentication to verify accounts. Establish micro-perimeters to act as border control within the system and prevent unauthorized lateral movement.
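The three principles above (verify explicitly, least privilege, assume breach) and the three implementation steps (protect surface, asset directory, preventative measures) can be made concrete in a small access-decision routine. The following Python is an added illustration written for this article, not code from the author or from any product; the firm, the asset names, the device IDs, the accounts and the 90-day idle threshold are all constructed for the example. It evaluates every request the same way regardless of where it came from, refuses stale accounts and unmanaged devices, enforces a micro-perimeter per asset, and grants only the actions a user’s role allows on that asset.

```python
"""Illustrative zero-trust access decision engine (constructed example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Fixed clock so the decisions below are reproducible.
NOW = datetime(2021, 11, 28, 9, 0)

# Step 1, the "protect surface": each critical asset, the micro-segment it
# lives in, and the actions each role may perform on it (least privilege).
PROTECT_SURFACE = {
    "project-drawings": {
        "segment": "design",
        "roles": {"architect": {"read", "write"}, "project-manager": {"read"}},
    },
    "payroll-db": {
        "segment": "finance",
        "roles": {"accountant": {"read", "write"}},
    },
}

# Step 2, the asset and account directory: every device and account the firm
# knows about, with enough data to spot unmanaged devices and idle accounts.
# All entries are hypothetical.
DEVICE_INVENTORY = {
    "LAP-0101": {"owner": "alice", "managed": True},
    "LAP-0102": {"owner": "bob", "managed": True},
    "LAP-0103": {"owner": "carol", "managed": False},  # personal device, not enrolled
}
ACCOUNTS = {
    "alice": {"roles": {"architect"}, "last_login": NOW - timedelta(days=1)},
    "bob": {"roles": {"project-manager"}, "last_login": NOW - timedelta(days=200)},
    "carol": {"roles": {"accountant"}, "last_login": NOW - timedelta(days=3)},
}


@dataclass
class AccessRequest:
    user: str
    device_id: str
    mfa_verified: bool   # set by the identity provider after a successful MFA challenge
    source_segment: str  # network segment the request arrived from
    resource: str
    action: str


def stale_accounts(accounts=ACCOUNTS, now=NOW, max_idle_days=90) -> list[str]:
    """Accounts idle longer than max_idle_days: candidates for removal."""
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(u for u, a in accounts.items() if a["last_login"] < cutoff)


def evaluate(req: AccessRequest, now=NOW) -> tuple[bool, str]:
    """Decide one request. Every check runs on every request; nothing is
    skipped because the request originated 'inside' the network."""
    account = ACCOUNTS.get(req.user)
    if account is None:
        return False, "unknown account"
    if req.user in stale_accounts(now=now):
        return False, "stale account"
    if not req.mfa_verified:                     # verify explicitly
        return False, "mfa required"
    device = DEVICE_INVENTORY.get(req.device_id)
    if device is None or not device["managed"] or device["owner"] != req.user:
        return False, "device not in managed inventory for this user"
    asset = PROTECT_SURFACE.get(req.resource)
    if asset is None:
        return False, "resource not in protect surface"
    if req.source_segment != asset["segment"]:   # micro-perimeter
        return False, "micro-perimeter violation"
    # Least privilege: union of the actions granted to each of the user's roles.
    allowed = set().union(*(asset["roles"].get(r, set()) for r in account["roles"]))
    if req.action not in allowed:
        return False, "action exceeds least privilege"
    return True, "granted"


if __name__ == "__main__":
    print("stale accounts:", stale_accounts())
    for r in (
        AccessRequest("alice", "LAP-0101", True, "design", "project-drawings", "write"),
        AccessRequest("alice", "LAP-0101", False, "design", "project-drawings", "read"),
        AccessRequest("bob", "LAP-0102", True, "design", "project-drawings", "read"),
        AccessRequest("carol", "LAP-0103", True, "finance", "payroll-db", "read"),
    ):
        print(r.user, r.resource, r.action, "->", evaluate(r))
```

The order of checks matters for the “assume breach” principle: identity and device posture are settled before the resource is even looked up, so a stolen credential on an unmanaged device is refused without revealing which assets exist. The stale-account list is the audit artifact the “create a directory of assets” step calls for; running it on a schedule is how old accounts get found before they are abused.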

By adopting a zero-trust approach, AEC firms will strengthen their data security and their protection against occupational fraud and external cyber-related threats. 

Jared Maxwell is vice president and partner of Ames & Gough. He is based in the Boston office and can be reached at

About Zweig Group

Zweig Group, three times on the Inc. 500/5000 list, is the industry leader and premiere authority in AEC firm management and marketing, the go-to source for data and research, and the leading provider of customized learning and training. Zweig Group exists to help AEC firms succeed in a complicated and challenging marketplace through services that include: Mergers & Acquisitions, Strategic Planning, Valuation, Executive Search, Board of Director Services, Ownership Transition, Marketing & Branding, and Business Development Training. The firm has offices in Dallas and Fayetteville, Arkansas.