IT Security 101 for Architecture Firms

March 04, 2019 | Posted by Kevin Gemeroy

One of the most common issues we see with potential clients is a lack of focus on the basics of IT security. We get it. Security is a pain in the butt.  But chances are that you’ve got a lock on the door to your office and probably an alarm as well.  It’s likely monitored 24x7 to make sure that the police show up if someone tries to break in.  You need at least an equivalent level of security for your company’s IT systems.

At Dynamic Computing, our clients range from just a few employees to a few hundred. We specialize in managing IT for architecture firms in the Seattle area, and they make up a sizeable chunk of our client base. While the level of sophistication of IT systems and operations varies widely from firm to firm, the level of security needed really doesn't.

Believe it or not, the data you store on your systems is more sensitive than you might have thought. While architectural plans don't typically rank on the same level as PHI (private health information) from a security perspective, chances are that if you specialize in single-family residences or commercial projects, your client may very well be a security target. Whether they're software engineers, CEOs, doctors, or lawyers, there are dozens of people who might wish your clients harm. Your firm's CAD drawings include the locations of mechanical or security rooms in your clients' homes or the IT or file storage rooms in important commercial buildings. As a result, you need to protect your firm's systems so that you're not the conduit for a larger security breach. If you don't believe us, read this WSJ article on how the US power grid was hacked by infecting the small contractors that worked on it.

Here are some basics that every business needs at every location.  If you can't check off every box on this list, it’s time to call in the pros for an IT security audit.

Commercial-grade firewalls. By commercial-grade, we mean one that's engineered for a business of your size. It'll likely be manufactured by an IT security company such as WatchGuard, SonicWall, Cisco, or Sophos. It needs to be updated regularly. The device usually doesn't do this automatically; someone has to pay attention to it. And it should be monitored to ensure that someone knows what type of activity is happening on your system. It's also important to know that your ISP's modem or router doesn't meet this standard. You need something far more powerful than the inexpensive options they provide to their customers.

Centrally-managed endpoint security software.  This is otherwise known as Anti-Virus or Anti-Malware software.  The type and brand of software itself is actually less important than the central management piece, believe it or not.  While there are a variety of options when it comes to endpoint security and some are definitely better than others, the most important thing is that all of your users’ devices are kept on a current version of the software with updated definitions, and that threats are dealt with centrally by IT rather than being left to each user to self-report.

Enterprise-grade data protection. This includes permissioning and encrypting sensitive data and devices. If a laptop gets lost or stolen, the last thing you want to hear is that an Excel spreadsheet was left on there with names, addresses, or, even worse, social security numbers or payroll info. Aside from being required to disclose the breach to the authorities, you've also breached your employees' or clients' privacy and trust. Furthermore, information like this needs to be restricted via security group-level permissions to prevent someone from accidentally getting into it in the first place.
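You can't permission or encrypt what you don't know exists, so a practical first step is a quick scan for files that look like they hold personal or payroll data sitting outside the protected share. The script below is an added illustration, not Dynamic Computing's tooling or any product's engine: it walks a folder, flags text files that contain US-style Social Security Numbers or payroll column headers, and reports them so they can be moved behind security-group permissions. The sample folder it builds is constructed for the demo.

```python
"""Added example: find files that look like they hold SSNs or payroll
data so they can be moved behind group permissions or encrypted.
Illustrative code only; the sample files below are constructed."""
import os
import re
import shutil
import tempfile

# US Social Security Number written as 123-45-6789, excluding the
# area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Header words that usually mark an HR or payroll export.
PAYROLL_WORDS = ("salary", "payroll", "wage", "ssn", "social security")
TEXT_EXTENSIONS = {".csv", ".txt", ".md"}


def classify_text(text):
    """Return the set of reasons a file is sensitive (empty if none)."""
    reasons = set()
    if SSN_RE.search(text):
        reasons.add("ssn")
    lowered = text.lower()
    if any(word in lowered for word in PAYROLL_WORDS):
        reasons.add("payroll")
    return reasons


def scan_tree(root):
    """Walk root and return {relative_path: reasons} for flagged text files."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TEXT_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    reasons = classify_text(fh.read())
            except OSError:
                continue  # unreadable file; skip rather than abort the scan
            if reasons:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = reasons
    return findings


def build_sample_tree():
    """Create a constructed sample folder; caller removes it."""
    root = tempfile.mkdtemp(prefix="dlp_demo_")
    os.makedirs(os.path.join(root, "hr"))
    with open(os.path.join(root, "hr", "staff.csv"), "w", encoding="utf-8") as fh:
        fh.write("name,ssn,salary\nJ. Doe,123-45-6789,85000\n")  # constructed
    with open(os.path.join(root, "project-notes.txt"), "w", encoding="utf-8") as fh:
        fh.write("Revise the mechanical room layout on sheet A-201.\n")
    with open(os.path.join(root, "invoice-2019-03.txt"), "w", encoding="utf-8") as fh:
        fh.write("Invoice 2019-03-04 total 12,500.00\n")  # date must not match as an SSN
    return root


def demo():
    """Build the sample tree, scan it, clean up, and return the findings."""
    root = build_sample_tree()
    try:
        return scan_tree(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for path, reasons in sorted(demo().items()):
        print(f"{path}: {', '.join(sorted(reasons))}")
```

Point `scan_tree()` at a laptop's Documents folder or a departmental share and the output is the list of files that need to live somewhere permissioned and encrypted instead. The date in the invoice file is there on purpose: the word-boundary and digit-group rules keep `2019-03-04` from being reported as a false positive.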

Centralized user management. We're seeing this problem more and more as companies take a cloud-first approach to computing. Especially inside of tech companies and startups where the use of Macs and cloud-based file sharing are the norm, it's important that every device connects to a central user database and the file sharing system is a business version that's set up to prevent everyone from getting into everything. Microsoft's Azure AD is a great and inexpensive cloud-based solution that can help address this issue. We find that enterprise-grade solutions like Dropbox Business also work well.

E-mail/Web Filtering. If the DNC can get hacked via an e-mail phishing scam, your business can too.  In fact, phishing attacks are one of the most common ways the bad guys get into a system in any size of organization.  There are a number of layers to this including firewall-based filtering, anti-spam software with reputation blocking, and link/attachment filtering, all of which are critical security measures to implement.
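To make the link/attachment filtering layer concrete, here is an added example of the kind of check such a filter performs; it is illustrative code written for this post, not the engine of any anti-spam product. It inspects constructed sample messages for two common phishing tells: an anchor whose visible text shows one web address while the href points at a different host, and attachments with executable or macro-enabled extensions (including the `invoice.pdf.exe` double-extension disguise). Each message gets a deliver, quarantine, or reject decision.

```python
"""Added example of link and attachment filtering for inbound mail.
Illustrative code, not a product's engine; messages are constructed."""
import re
from urllib.parse import urlparse

# Attachment types that carry executable content; reject outright.
BLOCKED_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".bat", ".cmd"}
# Office formats that can carry macros; hold for IT review.
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm"}

HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_IN_TEXT_RE = re.compile(r"https?://[^\s<]+", re.I)


def _host(url):
    return (urlparse(url).hostname or "").lower()


def check_links(html):
    """Flag anchors whose visible URL text names a different host than the href."""
    findings = []
    for href, text in HREF_RE.findall(html):
        shown = URL_IN_TEXT_RE.search(text)
        if shown and _host(shown.group(0)) != _host(href):
            findings.append(f"link text {_host(shown.group(0))} but href {_host(href)}")
    return findings


def check_attachments(names):
    """Flag attachments by their final extension (catches name.pdf.exe)."""
    findings = []
    for name in names:
        lower = name.lower()
        ext = lower[lower.rfind("."):] if "." in lower else ""
        if ext in BLOCKED_EXTENSIONS:
            findings.append(f"blocked attachment type: {name}")
        elif ext in MACRO_EXTENSIONS:
            findings.append(f"macro-enabled document: {name}")
    return findings


def filter_message(msg):
    """Return (decision, reasons) where decision is deliver, quarantine or reject."""
    reasons = check_links(msg.get("html", "")) + check_attachments(msg.get("attachments", []))
    if any(r.startswith("blocked") for r in reasons):
        return "reject", reasons
    if reasons:
        return "quarantine", reasons
    return "deliver", reasons


# Constructed sample messages (example.com / example.net are reserved names).
SAMPLE_MESSAGES = [
    {"subject": "Revised drawings A-201",
     "html": 'See <a href="https://files.example.com/A-201.pdf">https://files.example.com/A-201.pdf</a>',
     "attachments": ["A-201.pdf"]},
    {"subject": "Invoice overdue",
     "html": 'Pay at <a href="http://login.example.net/">https://bank.example.com/login</a>',
     "attachments": ["invoice.pdf.exe"]},
    {"subject": "Budget",
     "html": "Attached.",
     "attachments": ["budget-2019.xlsm"]},
]


def run_samples():
    """Decision for each sample message, in order."""
    return [filter_message(m)[0] for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["subject"], "->", filter_message(m))
```

A real gateway adds reputation lookups and sandboxing on top of this, but the logic here is the part users can't do for themselves: the mismatch between what a link says and where it goes is invisible until something inspects the HTML, which is why this has to happen before the message reaches the inbox.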

User Education. We're saving the most important for last. Your users need to be trained on how to look for attempts to compromise their credentials. The most common mistake people make is using the same password for the company's system as they use for their personal accounts. Even if your security is top-notch, if the CFO's credentials are compromised because he used the same password as his (previously hacked) Yahoo account, you're still up the creek without a paddle. For most top executives, there's a very good chance that your name, e-mail address, and password have been floating around the dark web for years and no less than a few hundred bad guys already have it.

Finally and most importantly, you need a pro handling this stuff for your business.  That pro is probably not your internal IT guy.  It’s rarely an outsourced IT shop with less than ten employees, and it definitely shouldn’t be your friend who works at a big tech company.  If you’re relying on advice that you’re not paying the going rates for, it’s probably about as good as your golf buddy’s tax tips.


How do you manage IT security for your architecture firm?

Drop us a line at hello@dyncomputing.com to start a conversation about IT security and how we can help.


A little about us:  Dynamic Computing provides managed IT services, IT support, IT consulting, & cyber security services to top performing small to mid-sized businesses in the greater Seattle area.  We're focused on being the premier managed IT services firm in the Pacific Northwest, and we act as a complete IT solution for companies who don't have internal IT departments.  Our clients typically range from 10 to 200 employees and we work primarily with professional services firms in the Puget Sound Region.

About the author: Kevin Gemeroy is the President & CEO of Dynamic Computing, a company he founded while in Business School at the University of Washington. He was recognized as a 40 under 40 honoree by the Puget Sound Business Journal in 2018 and as Washington State's Mr. Future Business Leader by FBLA in 1998. He resides in Seattle, Washington.
