In 1936, our firm’s founder Daniel Mead published The Engineer and His Code, establishing a framework for ethical engineering that has guided our firm for nearly a century. In his publication, he argued that an engineer’s fundamental duty was to the community, ensuring every project rested on a foundation of integrity, safety, and value.
Fast-forward to today, what does that foundation look like? It’s no longer built on just steel and concrete. In our world of smart buildings, cloud-based collaboration, and interconnected job sites, every project also rests on a digital foundation. A failure in this unseen layer—such as a data breach leaking sensitive blueprints, a fraudulent payment transfer, or a ransomware attack—can be as disastrous as any structural defect. For modern architects, engineers, planners, and construction managers, the ethical duty of care has expanded. Securing our projects’ digital assets is a core professional responsibility.
The New Job Site – Where Digital Risk Meets Physical Reality
Too often, the Architecture, Engineering, and Construction (AEC) industry has treated cybersecurity as an afterthought, more like a coat of paint applied after the structure is complete. As noted in a Construction Seyt article on cyber risk, our risk management has rightly focused on the tangible: site safety, supply chain logistics, and contract disputes. But this has created a concerning blind spot.
The statistics are staggering:
- ConstructConnect reports that data breaches in the construction sector surged by 800% in a single year.
- Gallagher Insurance found that over 75% of AEC firms experienced a cyber-incident in the last 12 months.
These types of incidents can severely disrupt projects. Research from Capitol Technology University shows that when cybercriminals deploy ransomware, the average project downtime is about 15 days—a delay that can significantly impact schedules and trigger substantial penalties.
The threat becomes even more visceral when we consider the convergence of Information Technology (IT) and Operational Technology (OT). OT systems—the digital brains controlling HVAC in hospitals, access controls in secure facilities, or purification systems in water treatment plants—were once isolated from one another.
Today, these systems are connected to the internet for efficiency and remote monitoring, creating a direct pathway from a hacker’s keyboard to physical infrastructure. A clever phishing email has the potential to shut down a building’s ventilation or compromise its safety systems.
In this new reality, cybersecurity has become an integral part of project development. Below are three foundational pillars organizations can build into every project starting today.
Pillar 1: Multi-Factor Authentication – The Digital Job Site Gate
Think of your project’s digital access points—email, cloud storage, management software—as the gates to your job site. A password alone is like a single key that can be easily lost, stolen, or copied. Should an unauthorized person gain access to that password, they could do serious damage.
Multifactor authentication (MFA) is the equivalent of requiring both a keycard and a PIN to enter. According to the National Institute of Standards and Technology (NIST), MFA adds a second layer of proof, such as a one-time code sent to your phone. Microsoft’s security research shows that enabling MFA blocks 99% of automated hacking attacks. A remarkably simple step with massive impact.
Organizational Action Plan:
- Require MFA on all critical platforms, starting with email and any cloud-based file-sharing service where blueprints, contracts, and client data are stored.
- Make MFA a non-negotiable standard for your team.
Pillar 2: Third-Party Risk – Vetting Your Digital Subcontractors
On any project, the general contractor is responsible for the quality and safety of every subcontractor brought on site. No electrical subcontractor would be hired without verifying their license, insurance, and safety record. Apply the same due diligence to digital subcontractors, including software vendors, cloud providers, and external consultants who handle or manage project data.
A vulnerability in a subcontractor’s digital assets can create an unsuspecting gateway into your network. If your vendor is breached, the legal, financial, and reputational fallout may land on your organization.
Organizational Action Plan:
- Integrate basic security vetting into procurement. Ask:
  - Do you enforce MFA for all employees?
  - Can you provide a recent security audit, like a SOC 2 report?
  - What’s your breach notification process?
- Include cybersecurity requirements in contracts, just as you would for insurance and safety compliance.
Pillar 3: Incident Response Plan – The Emergency Action Plan
Every well-run construction site has an Emergency Action Plan for safety incidents, such as fires or chemical spills. You don’t hope for these events, but you plan for them. Apply the same logic to the digital world with a Cyber Incident Response (IR) Plan. An IR plan outlines how to detect, contain, and recover from cyberattacks.
Organizational Action Plan:
Start simple. Answer these four questions with your team:
- Who do we call? Identify key contacts (IT, leadership, legal, cyber insurance).
- How do we contain it? First steps to stop the bleeding, like disconnecting an affected machine.
- How do we communicate? Protocol for informing leadership, employees, and clients.
- How do we recover? Steps to restore systems and data from backups.
From Afterthought to Forethought
The goal isn’t to turn architects and engineers into cybersecurity experts. It’s to empower you to ask the right questions at the beginning of a project—not after a breach.
Here’s a simple step: add a “Cybersecurity Pre-Mortem” to every project kickoff. Spend 15 minutes imagining a catastrophic cyber incident and work backward to identify weak points. This exercise builds resilience from day one.
Daniel Mead’s vision of ethical engineering was about building things that last. In the 21st century, that means building projects resilient in both the physical and digital worlds. By weaving these cybersecurity principles into project management, we go beyond managing risk. We uphold a timeless professional duty.