Establishing governance to create a cyber-first architecture practice

Greg Bishop, Director of Digital Transformation at Creative ITC

Architecture firms are navigating increasingly complex IT infrastructures that have evolved over many years, often without a long-term digital strategy. While technologies, such as Gen-AI, now play a key role in design collaboration and project delivery, client experience and design excellence remain the core focuses for architects – and understandably so.

However, supporting IT infrastructure and networking have often been neglected and, in the case of cybersecurity, this is leaving many firms vulnerable to growing and sophisticated cyber threats.

As geo-political tensions rise, cyber risks are a 24/7 reality with AEC firms suffering 1 in 8 ransomware attacks. Threat actors are adapting to changing cybersecurity defences, using evolving Ransomware-as-a-Service models, and sophisticated social engineering, intrusion and business email compromise techniques to bypass basic security measures. These tactics are becoming harder to detect and stop, putting significant pressure on already overstretched IT teams and leadership, especially in practices where dedicated cybersecurity resources are limited.

While technical solutions, such as those outlined in Cyber Essentials and Cyber Essentials Plus, are crucial, technology alone isn’t enough. For architecture firms to achieve true cyber resilience, strong governance and a cultural shift towards proactive prevention are required.

[Image: Cybersecurity in architecture]

Beyond technology: The need for governance

Governance provides the framework for consistent, organisation-wide cybersecurity practices, ensuring policies are understood, enforced and regularly reviewed. This includes defining clear roles and responsibilities, establishing incident response protocols and aligning cybersecurity with broader business objectives.

IT teams can build resilience by establishing robust backup processes, patching promptly, implementing access controls, enforcing strong MFA and staying informed via NCSC threat alerts.

Equally important is building a culture of cybersecurity awareness. Architects are highly collaborative, working across multiple platforms and sharing sensitive project data. If employees aren’t educated on common risks – such as phishing emails disguised as log-in credential requests or malicious files posing as client feedback – they can unintentionally become the weak link. Regular training, clear internal policies and a shift towards prevention rather than response are essential. Communication and leadership buy-in are also vital to embed cybersecurity into the organisational DNA.

Making cybersecurity a business priority

Ultimately, by strengthening governance, fostering a proactive mindset and embedding necessary cybersecurity tools and processes, architecture firms can elevate cybersecurity from a background IT function to a strategic business priority. In a sector where intellectual property, client trust, reputation and project delivery are vital, the cost of a cyber breach is too high to ignore.