Creating a cyber-first culture through strategic governance
Cybersecurity governance empowers AEC firms against evolving threats

From generative AI and BIM to cloud-based collaboration tools and smart construction platforms, technology is reshaping how built environment projects are designed, engineered and delivered.
Yet, while innovation is accelerating, many architecture, engineering and construction (AEC) firms are still grappling with legacy IT infrastructures that have evolved over time, often without a cohesive, long-term digital strategy.
This fragmented approach is leaving organizations vulnerable to cyber threats. Although client satisfaction, design excellence and project delivery are top priorities for firms, the digital foundations that support these outcomes, including cybersecurity, are frequently under-resourced or overlooked.
As cyber threats grow in scale and sophistication, how can AEC firms build the resilience needed to protect their operations and reputations? And what role does embedding internet security into organizational culture play in achieving that goal?
Director of Digital Transformation at Creative ITC.
A growing threat landscape
Cyber attacks are no longer hypothetical risks. They are a daily reality. As geopolitical tensions rise and cybercrime becomes increasingly organized, AEC firms are being targeted more frequently. Recent research indicates that one in eight ransomware attacks now target the AEC industry.
These attacks are not only more frequent but also more sophisticated, leveraging the likes of Ransomware-as-a-Service (RaaS) models, social engineering and man-in-the-middle methods to bypass traditional security measures.
Threat actors are adapting quickly, exploiting vulnerabilities in outdated systems and targeting firms with limited cybersecurity resources. AEC organizations are ripe for targeting due to their reliance on legacy systems, complicated hybrid IT infrastructure, and complex supply chains – factors that collectively increase their exposure to cyber risk.
Alongside this, small to mid-sized practices often lack dedicated cybersecurity teams, which places pressure on overstretched IT departments.
They’re juggling responsibilities from managing network infrastructure to overseeing software licensing, leaving little capacity for proactive cybersecurity measures. This oversight can have serious consequences for organizations if breaches go undetected or unaddressed.
Technology alone isn’t enough
While technical solutions like those outlined in Cyber Essentials and Cyber Essentials Plus offer valuable guidance to guard against cyber-attacks, they represent just one part of a broader cybersecurity strategy. Tools such as firewalls, antivirus software and multi-factor authentication (MFA) are commonly adopted as best practice measures to protect systems and data.
However, in the AEC industry, where complex collaborative project environments are the norm, these solutions must be supported by strong governance and a culture of awareness to ensure they are used effectively and consistently across organizations.
Leaders must understand that cybersecurity is not just an IT issue; it is a business imperative. AEC firms routinely operate critical national infrastructure projects, handle sensitive client data, need to protect their intellectual property and manage large-scale financial transactions.
The consequences of a breach can be devastating - from project delays and facility downtime to reputational damage and substantial fines from bodies such as the Information Commissioner’s Office (ICO) if the loss of personal data is involved.
Operational resilience through best practices
In addition to deploying the right technologies and tools, AEC firms must implement practical cybersecurity processes to enhance their defenses. These include IT teams building robust backup and data recovery processes to ensure data integrity and restoration of systems in the event of an attack.
Ensuring timely patch management and updates protects against known vulnerabilities, while enforcing access controls and strong MFA is also essential to limit exposure and prevent unauthorized access.
It’s also important to stay informed about the evolving threat landscape through threat intelligence sources such as the UK’s National Cyber Security Centre (NCSC). These practices protect against external threats and enhance operational resilience, ensuring that projects can continue even in the face of disruption.
The foundation of cyber resilience: Governance
Technical measures are essential, but without strong governance and a culture of cybersecurity awareness, they are unlikely to be effective. Governance provides the structure and accountability necessary to integrate cybersecurity into an organization's fabric. It ensures that policies are not only created but also understood, enforced and regularly reviewed.
For AEC firms, effective governance involves defining clear roles and responsibilities across departments and project teams, establishing incident response protocols to minimize disruption in the event of an attack and aligning cybersecurity with broader business objectives to ensure they support rather than hinder project delivery.
It also requires organizations to regularly audit and update policies to keep pace with evolving threats and emerging technologies.
Governance also helps bridge the gap between leadership, operational and technical teams. When cybersecurity is supported at the executive level, it becomes a strategic priority. Embedding cybersecurity into the organizational culture requires visible leadership buy-in.
When executives model secure behavior and actively promote cyber awareness, it sets a clear tone from the top and drives accountability across the entire firm.
Building a culture of cyber awareness
Cybersecurity is a shared responsibility in any organization, and in the AEC industry, collaboration is key to every project.
Architects, engineers, contractors and consultants work across various platforms, share files and communicate across teams, organizations and geographies every day. This interconnectedness, while essential for productivity, also creates vulnerabilities.
Human error remains one of the leading causes of data breaches. Phishing emails disguised as project updates, malicious attachments posing as client feedback and fraudulent login requests are common tactics used by attackers.
Without proper, regular training, even the most experienced and vigilant employees can fall victim to attacks.
To mitigate these risks, AEC firms must implement a combination of strategic policies and cultural shifts. This includes establishing clear internal policies that guide secure behavior across platforms and devices, ensuring that all employees understand and follow best practices.
Open communication channels should be maintained to encourage the reporting of suspicious activity or potential breaches without fear of reprisal.
Regular cybersecurity training tailored to all roles and responsibilities is essential to keep staff informed and alert. Most importantly, fostering a prevention-first mindset empowers employees to act proactively rather than reactively, creating a more resilient and security-conscious organization.
Cybersecurity as a strategic business priority
Ultimately, cybersecurity must be elevated from a background IT function to a core business priority.
While trust and reputation are vital across all industries, they are especially critical in the AEC sectors, where firms are entrusted with sensitive client data, high-value intellectual property, and the delivery of complex, high-stakes projects. The risks of being targeted by a cyber attack are too high to ignore.
By investing in governance, fostering a culture of awareness and implementing robust technical controls, AEC firms can build a cyber-first foundation that protects assets, provides a safe and secure environment for innovation, and ensures long-term success.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro