A&E Cybersecurity Best Practices: 10 Tips to Reduce Risk & Protect Your Firm

Today’s Security Landscape

All organizations are targets for cybersecurity threats. There are bad actors across the world that are targeting not just your data but want to disrupt your business as well. In 2020, 6.95 million new phishing and scam pages were created, making it the most common tactic to get in, based on a report from the FBI. In addition, Ransomware attacks grew by more than 40% during the pandemic. According to study published on forconstructionpros.com, Architecture, Engineering and Construction (AEC) firms are more than twice as likely to suffer ransomware attacks than all other industries analyzed.

Ransomware is particularly dangerous as it has an impact on an organization’s ability to perform their core business, which can come to a grinding halt for days, weeks or longer. The average cost of a data breach increased 10% between 2020 and 2021, from $3.86 million to $4.24 million according to an IBM and Ponemon Study.

Common Business Challenges

Many organizations are not prepared. Attacks are quickly evolving so it's a nonstop race to stay ahead of the curve. Not only are you facing these complex threats, but you also have business challenges such as government regulations and requirements that are constantly changing and the continued move to a distributed and remote workforce.

In a recent webinar, Explore Architecture and Engineering Cybersecurity Best Practices, Deltek’s Vice President of Product Management for Cloud Security and Compliance, Chris Knight said, “There is an overall churn in the marketplace regarding digital transformation and moving to the cloud. All these challenges are causing organizations to not be able to prepare effectively.”

Chris believes that the shift toward the cloud is a necessity for all businesses for many reasons, including compliance and redundancy. Many organizations, including architecture and engineering firms, do not keep cybersecurity experts on staff, so they rely on their Cloud Service Provider (CSP) to take care of most of the common security standards needed to conduct their business. He recommends implementing a few best practices to protect data.

Tips on How to Reduce Risk in Your A&E Firm:

1. Segment your Network

There are many different ways that your organization uses your network, whether it be servers, business systems or laptops. One way to keep the network safe is to break up those uses into separate sections within your business so any threats can be isolated and contained. This limits the ability for malicious actors and viruses to move freely throughout your core business systems. You do not want a single, infected laptop to threaten or disrupt your whole network.

2. Implement Multifactor Authentication

Multi-factor Authentication (MFA) requires more than one credential to access your data. For instance, implementing MFA would require a user to provide both a password and a “token” such as a one-time passcode (OTP) that would be delivered to a trusted mobile device. Implement multifactor authentication wherever you can. Make sure it's not just at one place, but required for every system that you log into, every time, in every network and area to make sure that if there is a lost password, it doesn't end up completely compromising the system. If you follow this practice, you can make sure that if there's a breach with a third-party system, it doesn't negatively impact your organization.

3. Reduce Risk with User Training

It’s often said that employees are an organization's weakest link, because they are the greatest source of risk when it comes to cyber attacks. Employees spend a lot of time communicating via emails, so there’s a strong probability they might make mistakes such as clicking on a malicious link. Mistakes include visiting malicious websites or downloading a dangerous file attachment. It’s a constant battle, especially as the bad actors are getting better and more effective every day. As a best practice, continued training of your end users, your employees and vendors is really important. There needs to be constant reminders to question every communication and report suspected phishing emails, and to constantly think about security in the office, at home, and when they travel.

4. Ensure Layers of Backups & Redundancy

Ransomware is a type of malware that threatens to publish the victim's data or permanently block access to it unless a ransom (monetary fee) is paid. It is very disruptive because your organization's data is unavailable and you have to pay to get it back. Sometimes, even when you pay, you still don't get the data back. Having regular backups can help you recover data lost from a ransomware attack, however some malicious actors know this and wait long enough to activate their attack to ensure that the malware becomes part of previous data backups. It is highly recommended to have those (clean) backups offsite, to limit the impact in any network breach or loss of service.

5. Document Processes & Procedures

When creating documentation to detail best practices or to comply with government contracting requirements around your processes and procedures, it’s critical to illustrate how systems are supported and run as well as who is responsible for each procedure. If a key resource is no longer available, or even if you just want to improve a process, it becomes much harder to replicate that knowledge and capability when there is none or limited documentation. For cybersecurity compliance, business continuity and disaster recovery documentation is essential.

6. Log & Monitor

Practice proactive monitoring to ensure there are no anomalies within your system. With an effective logging and monitoring solution you will have the data you need to identify any active attacks but also the ability to determine how a cyber breach occurred, which is a critical part of the assessment process of an audit. A security information and event management (SIEM) solution provides breadcrumbs so that you can track the exact steps if your system is ever breached. The information provided helps to debug and aid in recovering from the attack.

7. Understand Your Data & Where it is Stored

Chris recommends that organizations understand what data they have and where it is in the organization, especially since some may have different protection requirements. Understanding how to protect data based on requirements is key. It allows the ability build up a control set, either based off of industry standards or a firm’s own best practices to make sure that there are a set of ground rules about standard behavior and best practices for certain types of data.

8. Understand Regulatory Protection Requirements

Organizations need to assess their business on a regular basis to ensure cybersecurity requirements or compliance requirements are met. Chris says, “There is a large shift to cloud across industries, as they lean on service providers that are already set up to meet security requirements. This allows companies to reduce their footprint so the company can focus on the core business and not worry about securing ERP system hardware, scaling servers and applying patches.”

9. Assess & Understand Your Capabilities

Keeping up with changing requirements, fast-moving threats and best practices requires the right resources and technology. Consider if your firm has the time and ability to continue to meet these challenges.

Chris says, “One of the things I see that organizations fall flat on most often is really being honest with themselves about their capabilities. Assessing your capabilities is key with cybersecurity because, it's not a one and done. It's a lifestyle.”

Most organizations need to invest in these capabilities continuously and sometimes find they need help, regardless of size or complexity. Often, they want other organizations to come in and take a look and provide their third-party opinion, or to help them solve a particular problem. There are managed service providers (MSPs) that can help and provide guidance to help them achieve their goals.

10. Engage Providers That Can Help You Meet Requirements

When hosting your business systems on-premises, the company is responsible for the network and hardware, and for upgrades to keep current. In addition, installing the operating systems and the applications with it, as well as patching and routine maintenance. It is a major challenge for organizations to effectively keep up with the necessary steps to proactively protect their business.

How Deltek Cloud Can Reduce Risk

The Deltek Cloud meets the demand for increased security, privacy and flexibility in today’s business world, providing a worry-free environment for your teams to focus on strategy and growth. Benefits include improved performance, best-in-class security, faster access to new features, along with the assurance of ongoing support as cloud technology evolves.

Deltek is dedicated to protecting data by ensuring our capabilities meet the constantly changing security landscape. Security is one of our highest priorities and is fundamental to the way we handle customer data. We are committed to keeping your information safe and secure through our strong security and privacy programs. Our products are built to enable our customers to meet their compliance needs, including role-based security, security groups, ability to mask data in the system, security-based configuration options, and more.