4 Ways to Protect Your Firm from Cyber Attacks
@RLTheis via Twenty20

As an architect or engineer, the mere idea of a cyber attack can result in paralyzing anxiety.

Pretending threats don’t exist at all may feel like the best decision.

Unfortunately, plenty of architects and engineers fall prey to cyber attacks, especially since the emergence of Covid-19 in March. With so many firms moving to home offices, ransomware attacks began to rise.

"When we talk about ransomware, it's basically a computer virus that infects your systems and changes your files on your file server or on your system so that you can't access it. It's called encryption,” said ArchIT CEO Boris Rapoport.

"It basically makes a change to the files so that the information is encrypted and no longer accessible to a plain computer. In order to get access to that information, you need what is called a decryption key so you can decrypt the information."

Criminals encrypt the files to render them useless and then call the user to ask for a ransom. Depending on the size of the business, the ransom could be anywhere from $5,000 to millions of dollars.

"Paying the ransom doesn't always mean that you're going to get your files back," said Rapoport. "Actually, the hit rate is about 50-percent. So you can still pay, they may never send you the decryption key -- just basically lie to you -- or they can send you the decryption key but it's not going to work for everything."

Because there are so many variations of how the situation is handled by the criminals, the FBI actually tells businesses not to pay the ransom. 

Do I really have anything to worry about?

Will you really have to deal with a cyber attack? 

You’re a small firm. You don’t have any “sensitive” data. Why would anyone go after you?

Unfortunately, that way of thinking could get you in trouble.

"Many smaller firm owners are defaulting to the thought logic of, ‘Well, nobody's going to attack me because I'm just small,’ which is a fallacy,” said Rapoport. “Then another misconception is, ‘Hey, we're architects and engineers, we don't have any sensitive data,’ but it really doesn't matter if you have sensitive data or not. 

"If you can't access the data for seven days, (it’s lost revenue)."

Money isn’t the only thing that can be lost in a cyberattack. Reputation can also be damaged beyond repair.

"Depending on the clients you work with, (you could lose sensitive data)," said Rapoport. "If it's government contracts, it's probably sensitive. If it's a huge retail store, they don't want those drawings leaked to their competitors. They don't want their competitors to know where they're planning on opening new stores in, they don't want that to be on the internet. So that's sensitive to them and should be sensitive to you as well."

The truth is that 96-percent of small businesses that fall victim to a cyber attack close their doors within two years … many within six months.

"One of the more recent examples was a company in a biomedical field in the Bay area in San Francisco,” said Rapoport. “They got hit and they had financing; I think hundreds of millions of dollars from the VCs. They basically said all the data -- all the clinical trials we did -- all the research we had, is gone now. There's no way we can reproduce it or recover it. They just stopped the business."

Why are we susceptible to cyberattacks?

Why, in the first place, are we susceptible to attacks? As human beings, we are actually wired to trust as a means of survival in order to facilitate cooperation.

"That cooperation mechanism basically defaults us to trust strangers, and that's what the bad guys are exploiting,” said Rapoport. “I tell my clients, you have to switch your thinking. You have to think that every email that comes into your organization is bad. Should I open it? Is it from a person I know? 

"If we default to something (being) bad and then find ways to get it to good, it will make us safe. I know it's hard to switch the mindset, but it's what I try to get all my clients to do."

When it comes down to it, humans are the biggest liability in cyber attacks. It doesn’t matter how much technology is put in place; it’s an employee who is going to open an email or click on a link.

"They found that 97% of people are unable to distinguish a sophisticated phishing email from regular email," said Rapoport. "That means that no matter how much technology we can do, if that email goes through, most likely it’s going to get clicked on."

That’s both good news and bad news.

The bad news: we have to trust our employees to do the right thing when faced with a potential cyber attack.

The good news: we can train them to think differently and get out ahead of it.

"We can put as much technology in place to protect the business but in the end it's the employees who make the decisions," said Rapoport. "It's the people that work in your business that click on that link or not click on that link. Or go to that website or not go to the website. 

"So the first thing I think any business needs to do is train up their employees on keeping cyber security top of mind."

How to protect against cyber attacks

When you’re ready to be proactive against cyber attacks, make sure you’re looking at the following four things:

1. Make sure that endpoints are protected

With social distancing and the increase in working from home, home computers that connect to the company network must be protected with up-to-date antivirus software.

"It will preferably be something that is centrally managed so we can - through a single pane of glass - see if computers are getting infected across our enterprise," said Rapoport.

2. Implement URL Filtering

While this can sometimes be a pain to the end user who has to go through IT to clear certain URLs that aren’t a threat, blocking bad sites is beneficial to the company as a whole. 

3. Patching

Patching keeps all computers up-to-date with the policies you have in place company-wide.

"Antivirus, URL filtering, and patching, that's going to be a very good start to being proactive in managing cyber security risk," said Rapoport.

4. Hire an expert

Last but certainly not least, hire an expert like ArchIT to oversee the process for you.

"We specialize in technology being a competitive advantage for architect and engineering design firms," said Rapoport. "We want you to understand that technology is not a bottleneck. Yes, it presents some risk, but in the end it's your competitive advantage. As long as you're staying proactive in managing your technology and strategic in making technology decisions, you're going to be far ahead of your competition."

To learn more about ArchIT, visit getArchIT.com.

About Zachary C. Waters, AAI

Zachary C. Waters began his own insurance firm with two goals: to simplify the complexities of professional liability insurance and to empower clients to be proactive about dealing with unpredictable, potentially severe events in their business. Working primarily with architectural firms, Waters provides an unconventional, modern approach to liability insurance. To learn more, send him a private message on LinkedIn.
