Filed Under:Agent Broker, Sales & Marketing

Cyber crime: How architects, engineers and contractors may be at risk

Architects, engineers and contractors all face increased risk of cyber attacks. (Photo: Shutterstock)
Architects, engineers and contractors all face increased risk of cyber attacks. (Photo: Shutterstock)

Cyber breaches are big news. Large corporations get hacked with alarming frequency, and hundreds of thousands of consumers are vulnerable. You may not think your architectural, engineering or contracting firm is at risk, but that is simply not the case.

Building information modelling (BIM) and computer-aided design (CAD) are in widespread use. These tools, while they improve efficiency and quality, also increase the risk of a cyber-attack. There have been well-publicized cyber-attacks on solar panel installation contractors, HVAC contractors, manufacturers and retailers of building products, fence contractors, and many other firms across the industry.

Customer information, intellectual property and your firm’s financial information are all at risk. Social engineering and phishing scams can defraud your company of thousands of dollars. Your firm could experience damage to your reputation, business interruption or construction delays, and lawsuits by affected clients.

Small businesses are increasingly at risk

Large corporations are not the only ones affected. According to international cyber security and anti-virus provider Kaspersky Lab, small businesses faced eight times more ransomware attacks in the third quarter of 2016 than in the same quarter last year. The average cost of a cyber-attack on a small business is $690,000, according to Ponemon Institute. Notably, the National Cyber Security Alliance found that 60 percent of small businesses close their doors within six months of a cyber-attack.

There are steps you can take to help keep your customer and company data safe. Enact these policies to prevent data breaches and protect yourself.

Security essentials

  • Open-access Wi-Fi networks (those without passwords) are prime targets for scammers. Make sure your network is password-protected.
  • When logging into email or other secure sites, make sure the URL starts with https://. This indicates a secure site. A site that starts with http:// (no ‘s’) is not secure.
  • When you’re using your computer or tablet in a public space, shield your login screen and other sensitive content from prying eyes.
  • Don’t leave your laptop, tablet or phone unattended where someone can grab it and all the data it contains.
  • Disable the automatic check-in feature of your phone. This feature can reveal personal habits and sensitive information.
  • Don’t give strangers without proper credentials access to secure areas in your building.
  • Lock your computer when you leave your office, desk or work station.
  • When you’re sending a confidential document to a colleague or client, encrypt it before you email it. Then email the encryption password in a separate email. This is safer than uploading it to a password-protected cloud sharing app, or mailing a CD.
  • When possible, use a corporate VPN to establish remote connections to business systems.
  • Make sure your firewalls are regularly updated with the latest security patches.

Email security

  • If you receive an unsolicited email, verify its authenticity. Company logos are easily copied by scammers, so don’t assume that a logo means an email is from the company it purports to be from.
  • Reputable companies generally don’t use public email services like Gmail and Yahoo, so emails from these domains should be carefully scrutinized.
  • Beware of requests to supply or “verify” account numbers or sensitive information.
  • Don’t click on links in unsolicited emails. If you think the message is legitimate, go to the company’s website and log in from there.

Social engineering

Social engineering attacks pose a significant threat to data and systems. These are attacks in which scammers trick people into giving them access to sensitive information. Rather than breaking into your network, these scammers will try to get you to hand over the information willingly by making you think they’re someone they’re not.

Here’s what you need to know about these kinds of attacks:

  • Fraudulent communications like phishing emails and smishing (fake SMS or text messages) trick users into clicking on links that can infect their computers with viruses or activate bots that collect sensitive information. Don’t click on a link unless you are absolutely certain the message is legitimate.
  • Social engineers troll social networks to learn personal information and details and then use this information to try to hack into their accounts.
  • Common social engineering tactics include:
    • Strange links in posts
    • Unexpected popups
    • Pirated media with embedded malware
    • Messages offering rewards for contests you did not enter
    • Fake social media profiles, pages or groups
    • Apps or games requesting access to your profile information

Social engineering attacks can also happen over the phone, with a caller requesting sensitive data, or in person by a contracted employee trying to gain access to your network.

Mobile device safety

  • Four-digit PINs are relatively easy to break, especially if they are birthdays or anniversaries. Use a six-digit PIN instead. Fingerprint trails can reveal swipe patterns, so use a complex swipe pattern and clean your screen regularly. Alphanumeric passwords and fingerprint IDs are more secure.
  • Back up your device to a computer or cloud service. Use encrypted backup options for added security.
  • Consider an app that wipes the contents of your device if it is ever lost or stolen.
  • Turn off your camera’s geotagging function, as it gives scammers information about your location.
  • Be careful when connecting to Bluetooth with your mobile device as you may be giving those nearby access to your device when you connect.


  • Verify that your business liability insurance policy includes coverage for breaches of corporate confidential information.
  • Purchase a policy that affirmatively covers funds stolen from your customers’ bank accounts.
  • Make sure your policy has a limit of at least $2 million in the aggregate for privacy breach costs.

If you use a phone app for mobile time tracking, work on system design or installation for smart building, or collect data or stream from drones, you could be putting your company at risk. Professionals in the construction industry are as susceptible as anyone else to cyber-attacks. Know how to protect yourself and talk to your employees about this growing threat. Taking these precautions will help reduce your risk of becoming a victim of a cyber-attack.

Related: Data obstacles hamper cyber insurance growth

Daniel Gmelin is the National Architects and Engineers Product Head at Hiscox, the international specialist insurer. He can be reached at


10 ways small businesses can fight cyber crime

Insurance agents can help their small-business clients by helping them assess their cyber risks and advising on policies.

Featured Video

Most Recent Videos

Video Library ››

Top Story

6 behaviors that could spawn a sexual harassment lawsuit

Sexual harassment scandals loom large among the events that shaped 2017.

Top Story

2017's 10 most hazardous toys

The Boston-based nonprofit World Against Toys Causing Harm, Inc. (W.A.T.C.H.) has released its annual list of the 10 worst toys of 2017.

More Resources


eNewsletter Sign Up

Agent & Broker Insider eNewsletter

Proven success tips and essential information to help agents and brokers grow their practice – FREE. Sign Up Now!

Mobile Phone

Advertisement. Closing in 15 seconds.