3 Steps for a Modern IT Audit to Secure Your AEC Business

Article by Avatara’s VP of Sales, Kraig Kubicek, originally published in SMB CEO.

Data is fundamentally invaluable to engineering firms, but its history and usefulness have been fluid up to this point. The story starts in the 1980s, when the architecture, engineering, and construction (AEC) industry began to fully embrace digital transformation. What started as a transition from pen and paper to computers is now a full-scale digital mindset aimed at enhancing workflows and significantly increasing revenue.

Around 2000, the evolution entered its next phase with the emergence of building information modeling, or BIM. Here, project data could be integrated within a single platform and across a project’s lifecycle, leading to a new standard in accuracy and reliability.

More recently, we’ve seen the third wave. A cloud-based approach to computer-aided design, or CAD, enabled a global network of designers to collaborate and continue working while lockdowns were in place.

What’s next? As the digital ecosystem continues transforming, a few trends are likely to emerge in the next few years. For one, expect to see data even more centralized and easily transmitted to those who require it. Data will also be mined more thoroughly to generate new insights that improve outcomes, such as in construction regulatory compliance.

When firms leverage the latest technology, they create more opportunity for their employees to create, collaborate, and succeed. When you consider how BIM can combine with enriched data to generate high-resolution models of real-world assets, the sky is the limit for growth and innovation.

But what does this all mean for your data? Each new wave of digital transformation brings with it a massive increase in data volume for engineering firms to manage. As that volume increases, the need for a complete data management approach becomes more urgent.

The Challenges of On- and Off-Site Data Management

So much data, so little space — and there is no sign that this will change any time soon. Within the AEC industry, it has been reported that if a company services 100 projects, it is generating one petabyte of data each year. That’s astounding, considering that the first petabyte hard disk drive was reported in 2020.

The problem is compounded when data is duplicated for backup. Storage policies often require five copies of each piece of data, straining an already burdened domain in terms of sheer quantity and organizational logistics.

Then there’s version control. For multi-location firms with on-site servers, keeping all servers synced is a major undertaking. Not only does that requirement quickly chew through a great deal of bandwidth, but it also leaves organizations vulnerable to lost work when duplicates are worked on simultaneously.

According to a Ponemon Institute survey, 60% of organizations lose data due to employee behavior. Most of those losses stemmed from employee negligence, though 27% stemmed from malicious insiders. This destruction of important data — often confidential customer information, intellectual property, or sensitive email content — is an irretrievable loss of time, effort, money, and reputation. An audit process that keeps you on top of these potential fallouts is a worthwhile investment.

A Simple and Effective Vision for a Modern IT Infrastructure

Chances are your organization is in serious need of an IT audit, but it’s often hard to know where to start with one. Here are some strategies your team can adopt to perform a successful and rewarding IT audit.

1. Evaluate your security strategy in light of the NIST 800-171 framework

There’s no need to reinvent the wheel when performing an effective and modern IT audit. Instead, use the NIST 800-171 framework, named for the National Institute of Standards and Technology Special Publication series of documents.

These offer a wealth of high-quality information for IT departments in terms of cybersecurity. The documents provide example solutions as well as all the necessary components and configuration information so a company can reproduce the solution in its own business context.

The documents discuss current standards, how to apply them, and current best practices. The framework helps you ensure your team hasn’t drifted into some idiosyncratic approach to security, which is paramount in today’s business world. Instead, you’ll implement the standard for such concerns, bringing peace of mind and trusted security.

2. Conduct an employee survey

Even though IT is ultimately about digital assets, it’s crucial to talk to human beings when doing an audit. Your staff has an intimate understanding of all the critical issues that can be ameliorated after a thorough audit. Those may include issues such as the ease (or difficulty) of data access and sharing, productivity concerns due to slow machines, or other unforeseen concerns.

A good employee survey can also reveal weaknesses in employee “data literacy” that could be patched up with targeted training. This turns out to be a significant problem in business, with a recent Accenture survey revealing that only 21% of 9,000 employees surveyed were confident in their data literacy.

Not only will a well-conducted survey reveal such knowledge gaps in your staff, but it can also motivate your team to become more data literate by illustrating the adverse effects of not prioritizing it.

3. Audit file servers

File server auditing is not just something nice to have — it’s an essential part of maintaining a secure IT environment. By performing a thorough audit, you can better track who is changing files and folders and how. By combining audits with logical access controls that restrict the use of system resources, you can create a nearly airtight barrier to many kinds of security breaches. But if you don’t take these steps, you leave yourself vulnerable.

You might think that restricting access in the first place would be sufficient — why would you then also need file server audits? The reason is that sometimes people who have been granted access use it inappropriately (e.g., amassing and selling personal employee data or using company resources on outside projects).

Inappropriate IT behavior leaves telltale clues, such as unusually large print jobs (of personal data) or unexpected remote access that suggests proprietary files are being downloaded. In essence, a well-done file server audit tells you everything about who did what to which file, how many times it happened, and when it occurred. Companies that forgo this critical procedure are leaving the door wide open to significant harm.
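The kind of report described above, as an added example that is not part of the original article: it summarizes who did what to which file, how often and when, and lists users whose remote reads outside working hours deserve review. The CSV columns, user names, paths, working hours and threshold are all constructed assumptions, not any product's export format.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample audit export (hypothetical columns, users and paths).
SAMPLE_LOG = """timestamp,user,source,action,path
2024-03-04T09:12:00,akim,lan,read,/projects/tower-a/model.rvt
2024-03-04T09:40:00,akim,lan,write,/projects/tower-a/model.rvt
2024-03-04T10:05:00,akim,lan,write,/projects/tower-a/model.rvt
2024-03-04T14:30:00,bortiz,lan,read,/hr/payroll.xlsx
2024-03-05T02:11:00,cdiaz,vpn,read,/projects/tower-a/model.rvt
2024-03-05T02:12:00,cdiaz,vpn,read,/projects/bridge-b/specs.pdf
2024-03-05T02:13:00,cdiaz,vpn,read,/hr/payroll.xlsx
2024-03-05T02:14:00,cdiaz,vpn,delete,/projects/bridge-b/specs.pdf
"""

def parse(text):
    """Yield one dict per audit record, with the timestamp parsed."""
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        yield row

def activity_report(records):
    """Who did what to which file: count plus first and last occurrence."""
    report = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for r in records:
        entry = report[(r["user"], r["action"], r["path"])]
        entry["count"] += 1
        entry["first"] = min(entry["first"] or r["timestamp"], r["timestamp"])
        entry["last"] = max(entry["last"] or r["timestamp"], r["timestamp"])
    return dict(report)

def off_hours_remote_readers(records, start_hour=7, end_hour=19, min_files=3):
    """Users who remotely read min_files or more distinct files off-hours."""
    files = defaultdict(set)
    for r in records:
        off_hours = not (start_hour <= r["timestamp"].hour < end_hour)
        if r["source"] == "vpn" and r["action"] == "read" and off_hours:
            files[r["user"]].add(r["path"])
    return {u: sorted(p) for u, p in files.items() if len(p) >= min_files}

if __name__ == "__main__":
    records = list(parse(SAMPLE_LOG))
    for (user, action, path), e in sorted(activity_report(records).items()):
        print(f"{user:7} {action:6} {path:30} x{e['count']} {e['first']} .. {e['last']}")
    print("Review:", off_hours_remote_readers(records))
```

A flagged user is a prompt for review against that person's role and schedule, not proof of misuse; tune the hours and threshold to your firm's normal working pattern.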

IT consulting services can be hired to perform proper IT audits. They assist in identifying and addressing issues connected to IT-related risks to optimize company operations. They provide an independent assessment of the efficiency of IT-related internal controls and the extent to which IT objectives have been met. Their consultants provide objective expert advice on developing an IT business strategy and prioritizing IT projects to ensure that business goals are met while the risks of IT systems and applications are limited.

A proper, modern IT audit can make a huge difference in your outcomes. By greatly reducing cybersecurity risks, you protect the integrity of your business. But audits are also excellent ways to root out waste, inefficiency, and other drags on profitability. As they say in business, “What gets measured gets improved.” IT is no different. Given its fundamental role in modern business, it may be the most important thing to “measure” on a regular basis.
