Written by Mike Pearlstein, CISSP, CEO of Fusion Computing Limited. Helping Canadian businesses build and manage secure IT infrastructure since 2012 across Toronto, Hamilton, and Metro Vancouver.
A 30-person engineering firm in the GTA called us three weeks before a major tender closed. A consultant’s invoice had been paid to a new bank account. The account was not the consultant’s. The email asking for the change looked perfect, because it came from an existing message thread inside a mailbox the attacker already controlled.
That firm did not think of itself as a target. It draws buildings. It holds no credit-card numbers and no health records. It does move large payments, share files with dozens of outside parties, and work to deadlines that push people to skip a verification step.
Fusion Computing secures architecture and engineering firms across Canada, so this guide is built from what we actually see. It covers the attacks that hit A&E firms, the file and CAD decisions that quietly set your risk, the Canadian rules you answer to, and a 90-day plan to close the gaps.
Key Takeaways
- Architecture and engineering firms are squarely in the target set. About 1 in 6 Canadian businesses were hit by a cyber incident in 2023 (Statistics Canada).
- The biggest cash loss is invoice and payment-change fraud, ahead of ransomware.
- For A&E firms most of the risk lives in how project files (CAD, Revit, BIM) are stored, synced, and shared. Antivirus is the smaller part.
- Cyber insurance and client security questionnaires now demand MFA, EDR, and tested backups before they pay out or let you bid.
Why would anyone target a firm that just does drawings?
According to Statistics Canada (2024), about 1 in 6 Canadian businesses were hit by a cyber incident in 2023, and national recovery spending doubled to CA$1.2 billion. The Canadian Centre for Cyber Security puts the average ransom paid in Canada at CA$1.13 million, up nearly 150% in two years. Architecture and engineering firms sit squarely inside that group.
Attackers do not pre-screen revenue. They scan the internet for exposed remote access, weak passwords, and leaked credentials. A 12-person studio looks the same as a 500-seat practice to an automated scanner.
Two things make A&E firms attractive once an attacker is in. Deadlines create pressure to pay fast and get back to work. Design files carry resale value, so they can be sold or held for extortion. Modern ransomware copies the data first, then encrypts it.
The names in the news are not small either. Zaha Hadid Architects and CannonDesign have both disclosed serious attacks. The lesson holds at any size: a firm that moves money and ships valuable files is worth an attacker’s time.
Your real exposure is the project files, not just the laptops
According to IBM (2024), 40% of breaches involved data spread across multiple environments, including on-premise servers, private cloud, and public cloud. Those scattered breaches cost more than US$5 million and took 283 days to contain. For an A&E firm, that scatter is your daily reality: drawings live on a server, in OneDrive, in a client portal, and in email.
The honest question for most firms is not about antivirus. It is where the big CAD and Revit files should live so they are both safe and fast.
An on-premise file server is fast within the office. It performs poorly for remote and site staff unless you add the right access layer. OneDrive and SharePoint sync can corrupt a live Revit central model and quietly drop files. Running Revit across a basic VPN tends to damage the model over time.
There is a clean way to think about the options. Speed, safety for live CAD work, and whether the tool counts as a true backup are three separate questions.
| Where the files live | Fast for remote and site staff? | Safe for live Revit and CAD? | Is it a backup? |
|---|---|---|---|
| On-premise file server | Slow without added access | Yes, if maintained | No |
| OneDrive or SharePoint sync | Mixed | Risky for central models | No |
| Autodesk Construction Cloud or BIM Collaborate | Yes | Yes, built for it | No |
| Hosted desktop in a Canadian data centre | Yes | Yes | No |
| Versioned off-site backup | Not applicable | Not applicable | Yes |
Fusion Computing builds these layers together so the fast option and the safe option are the same option. Getting this right is the heart of good IT support for architecture and engineering firms, and it removes most of the risk before a single threat shows up.
What two attacks actually hit architecture and engineering firms?
According to the Verizon 2025 DBIR, ransomware appeared in 88% of breaches at small and medium businesses. That is the headline threat. The quieter, more expensive one for A&E firms is business email compromise: a faked invoice or a changed bank account on a progress payment.
Invoice and payment-change fraud
This is where firms lose the most money. An attacker watches a real email thread, then asks to update payment details right when a draw or a consultant invoice is due. The request reads as routine.
The control is simple and it works. Any change to a bank account gets a phone call back to a number you already had on file, plus a second person’s approval before payment. Fusion Computing sets this dual-approval rule up with finance teams in the first week.
Ransomware at deadline
Ransomware lands hardest when a submission is due. The live project files lock, the team stalls, and the clock keeps running. Double extortion adds a second threat to leak the stolen drawings. Put a number on that lost time with our downtime cost calculator.
How do you secure CAD, Revit and BIM collaboration with consultants and clients?
According to ReliaQuest (2024), credential exposure accounted for 75% of digital-risk alerts in the construction sector, driven by heavy reliance on third parties and shared documents. A&E firms share project data with the same wide circle of consultants, contractors, and clients, so every shared link is part of your attack surface.
Most firms still share drawings by emailing files or pasting a permanent link. Both are hard to take back. A subcontractor who rolled off last year may still hold a working OneDrive link to the current drawing set.
The fix is structured sharing. Give role-based access, set links to expire, keep an audit log of who opened what, and remove outside collaborators the day they roll off. Named platforms help here: Autodesk Construction Cloud and BIM Collaborate, Newforma, Bluebeam, and Procore all support proper permissions when they are configured well.
Construction firms face the same shared-file exposure, and we cover their version in our guide to cybersecurity for construction firms. The principle carries across: control access at the project level, not by trusting an inbox.
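As an added illustration, not code from this page or from Fusion Computing, here is a short audit that applies the structured-sharing rules above to a constructed export of external share links: it flags permanent links, expired links nobody revoked, and links still held by collaborators who have rolled off the project. The CSV column names, the roster and the audit date are assumptions; real platform exports (Autodesk Construction Cloud, SharePoint, Procore) name their fields differently.

```python
import csv
import io
from datetime import date

# Constructed sample export (assumed column names): one line per external share link.
SAMPLE_EXPORT = """\
link_id,holder,role,project,expires,revoked
L-101,consultant@structural.example,viewer,Tower-A,2025-06-30,no
L-102,sub@mech.example,editor,Tower-A,,no
L-103,client@owner.example,viewer,Tower-A,2026-01-31,no
L-104,old-sub@civil.example,editor,Tower-A,2025-03-31,yes
"""

# Constructed roster: the date each outside collaborator rolled off the project.
ROLL_OFF = {"sub@mech.example": date(2025, 2, 15)}

# Constructed audit date used by the sample run below.
AS_OF = date(2025, 8, 1)


def audit_links(export_text, roll_off, today):
    """Return a list of (link_id, finding) for links that should no longer work."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["revoked"] == "yes":
            continue  # access already cut; nothing to flag
        link_id = row["link_id"]
        if not row["expires"]:
            findings.append((link_id, "permanent link: set an expiry"))
        elif date.fromisoformat(row["expires"]) < today:
            findings.append((link_id, "expired but not revoked"))
        rolled = roll_off.get(row["holder"])
        if rolled and rolled <= today:
            findings.append((link_id, f"holder rolled off on {rolled}: revoke"))
    return findings


if __name__ == "__main__":
    for link_id, finding in audit_links(SAMPLE_EXPORT, ROLL_OFF, AS_OF):
        print(link_id, finding)
```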
How should a firm back up CAD and BIM files so recovery actually works?
According to Sophos (2024), criminals tried to compromise the victim’s backups in 94% of ransomware attacks, and 57% of those attempts succeeded. When backups are hit, the median recovery cost runs eight times higher, US$3 million versus US$375,000. Backups decide whether a bad week becomes a closed firm.
Three rules, the backbone of the 3-2-1 method, separate a real backup from a false sense of safety. Keep versions, so you can roll back to last week and not just last night. Keep one copy off-site and out of reach of the network. And test a restore on a schedule, because an untested backup is a guess.
Why Canadian firms bring this work to Fusion Computing
CISSP-led, a Microsoft Solutions Partner and a CompTIA Managed Services Trustmark holder, securing IT for Canadian SMBs across Toronto, Hamilton, and Metro Vancouver since 2012.
| Backup approach | Recovers a dead drive? | Recovers from ransomware? | Recovers last week’s file? |
|---|---|---|---|
| Folder sync to OneDrive | Yes | No, the encrypted files sync over the good copies | Sometimes |
| One external hard drive | Yes | No, it is usually left connected to the network | No |
| Versioned cloud backup | Yes | Yes, if tested | Yes |
| Immutable plus offline copy | Yes | Yes | Yes |
Fusion Computing pairs versioned, immutable backups with managed detection and response on the design workstations, so an attack is caught early and the recovery path is already proven.
Why your professional seal is now a cyber asset
Under Ontario’s engineering regulation (O. Reg. 941, s.53), a professional engineer must sign, date, and apply their seal to any engineering document they prepared or take responsibility for, whether it is paper or electronic. That electronic seal is now a digital credential, and a credential can be stolen, copied, or forged.
Most cybersecurity guides skip the seal entirely. The Professional Engineers Ontario seal deserves the same protection as any password. A forged seal on a drawing set is fraud with safety and liability consequences, and it has been prosecuted.
Business email compromise makes it worse. An attacker who reaches a mailbox can swap a sealed PDF in transit, sending a different stamped drawing than the one your engineer signed. Protecting the seal means protecting the account that holds it, the device it lives on, and the workflow that applies it.
Practical steps are within reach for any firm. Keep the seal credential behind MFA and a hardware security key. Apply seals from a hardened, monitored workstation. And confirm transmittals through a channel the recipient can trust, so a swapped file gets caught.
What do Canadian rules and your insurer expect?
Under PIPEDA (Justice Laws), a firm must report any breach that creates a real risk of significant harm, keep a record of every breach for two years, and faces fines up to CA$100,000 for knowingly failing to do so. The law also holds you accountable for client data even when it sits with your cloud provider or your IT company.
Your professional obligations layer on top. Ontario’s engineering code requires practitioners to treat client business and technical information as confidential. The Ontario Association of Architects gives no single retention period; depending on the document, records may need to be kept seven years, fifteen years, or longer. Firms in Quebec also answer to Law 25, and firms in Alberta to PIPA.
Insurance has become the sharper forcing function. The City of Hamilton (Global News, 2025) had a cyber-insurance claim denied because multi-factor authentication was not fully in place, leaving a CA$18.3 million bill. Insurers now require MFA, EDR, and tested backups before they pay.
Client security questionnaires do the same on the sales side. Bids for government and large-enterprise work increasingly ask for ISO 27001 or NIST 800-171 controls. Meeting those Canadian IT compliance expectations is now part of winning the project.
What mistakes do we see in the field at architecture and engineering firms?
Across the architecture and engineering firms Fusion Computing manages, the average new client arrives with two or three of these controls missing. The patterns repeat from firm to firm, which is good news, because the fixes repeat too.
The first is a generic IT provider that does not understand Revit central files, xrefs, or data shortcuts, and breaks the model trying to help. The second is offboarding that never happens, so a departed designer keeps access for weeks. The third is shared logins, permanent share links, and backups nobody has ever test-restored.
What does a 90-day hardening plan look like for an A&E firm?
A small firm does not need an enterprise stack. It needs a focused one, built in the right order. Fusion Computing runs this 90-day plan with architecture and engineering clients, and it maps directly to what insurers and clients now ask for.
Days 1 to 30 cover the basics that stop most attacks: multi-factor sign-in everywhere, EDR on every design workstation, and a real offboarding process that cuts access on the last day.
Days 31 to 60 protect the work: tested versioned backups, a file architecture that is fast and safe for remote and site staff, and dual approval on every payment-detail change.
Days 61 to 90 prepare you to qualify and to recover: insurance and questionnaire readiness, protection for the seal and signing workflow, and a short written incident-response plan the whole team knows.
Where should you start?
You do not have to do all of this at once. Pick one control from the first 30 days and finish it this week. Fusion Computing maps the rest to the tools and deadlines your firm already works with, so security fits your projects instead of fighting them.
Fusion Computing helps Canadian businesses across Toronto and the GTA, Hamilton, and Metro Vancouver with managed IT, cybersecurity, and Microsoft 365.
Frequently Asked Questions
Why would hackers target a small architecture or engineering firm?
Attackers scan for weak access and leaked passwords, so they reach a 12-person studio the same way they reach a large practice. Architecture and engineering firms move large project payments and hold valuable design files, which makes them worth the effort once inside. About 1 in 6 Canadian businesses were hit by a cyber incident in 2023 (Statistics Canada).
Is it safe to store Revit, AutoCAD and Civil 3D files in OneDrive or SharePoint?
Use OneDrive and SharePoint for documents, not for live Revit or CAD central models. Their sync can corrupt a worksharing model and quietly drop files. For active project work, use a common data environment such as Autodesk Construction Cloud or a hosted desktop, and keep a separate versioned backup. Cloud storage is not a backup.
What is the best way for a small firm to store project files so they are secure and fast?
Match the storage to the work. Keep live CAD and Revit models in a tool built for them, such as Autodesk Construction Cloud or a hosted desktop in a Canadian data centre, so remote and site staff stay fast. Layer multi-factor sign-in, role-based access, and a versioned off-site backup on top. That mix is both fast and safe.
How should an architecture or engineering firm back up CAD and BIM files?
Keep versions so you can roll back to last week, keep one copy off-site and off the network, and test a restore on a schedule. Sync alone fails, because ransomware encrypts the synced copy too. When backups are compromised, the median recovery cost runs eight times higher, US$3 million versus US$375,000 (Sophos, 2024).
How do we share large drawing sets with consultants and clients securely?
Share through a project platform with role-based access, expiring links, and an audit log, instead of emailing files or sending a permanent link. Remove outside collaborators the day they roll off the project. Credential exposure drove 75% of digital-risk alerts in construction, a sector that shares files the same way design firms do (ReliaQuest, 2024).
How do we prevent fake-invoice and payment-change fraud?
Require a callback to a number you already had on file, plus a second approver, before any bank-account change is paid. Business email compromise is the costliest attack on architecture and engineering firms, because a request to change payment details reads as routine near a deadline. The control is a written rule your finance team follows every time.
If client data is breached, what are our reporting duties under PIPEDA?
Under PIPEDA you must report any breach that creates a real risk of significant harm to the Privacy Commissioner, notify affected people, and keep a record of every breach for two years. Knowingly failing to report or record can bring fines up to CA$100,000. You stay accountable for client data even when it sits with your cloud provider.
Does our firm need cyber insurance, and what controls do insurers require?
Most insurers now require multi-factor authentication, endpoint detection and response, and tested backups before they issue or renew a policy, and they deny claims when those controls are missing. The City of Hamilton lost a CA$18.3 million claim because MFA was not fully in place (Global News, 2025). Put the controls in first, then buy the cover.
A client sent us a security questionnaire asking about ISO 27001 or NIST 800-171. What do we need?
Map your controls to the framework the client names, then show evidence. Most questionnaires want multi-factor sign-in, EDR, tested backups, access reviews, an incident-response plan, and staff training. You rarely need full certification to bid, but you do need to answer honestly and prove the controls are real. Treat it as a sales requirement, not paperwork.
How do we stop a departing employee from taking project files?
Cut all access on the last working day, including cloud apps and remote tools, and watch for unusual bulk downloads in the weeks before a resignation. Most file theft happens in that window. Disable shared logins so access ties to a named person you can revoke. A clear offboarding checklist closes the gap that firms most often miss.
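As an added illustration, not code from this page or from Fusion Computing, a small detector for the bulk-download pattern described above, run over a constructed file-access audit log: it counts downloads per user per day and flags any day far above that user's usual volume. The log format, the user names and the thresholds are assumptions; Microsoft 365 and project-platform audit exports use their own field layouts.

```python
import csv
import io
from collections import defaultdict
from statistics import median


def constructed_log():
    """Constructed audit log: a week of normal use, then a whole drawing set pulled in one evening."""
    lines = []
    for day in range(1, 8):  # seven normal days, three downloads each
        for n in range(3):
            lines.append(f"2025-05-{day:02d}T10:{n:02d}:00,dana@firm.example,download,A{day}0{n}.dwg")
    for n in range(40):  # day eight: 40 files downloaded after hours
        lines.append(f"2025-05-08T18:{n:02d}:00,dana@firm.example,download,S{n:03d}.rvt")
    lines.append("2025-05-08T11:00:00,eli@firm.example,download,C100.pdf")
    lines.append("2025-05-08T11:05:00,dana@firm.example,view,A100.dwg")  # views are not counted
    return "\n".join(lines)


def daily_downloads(log_text):
    """Count download events per user per calendar day (timestamp,user,action,file lines)."""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, user, action, _path in csv.reader(io.StringIO(log_text)):
        if action == "download":
            counts[user][ts[:10]] += 1
    return counts


def flag_bulk_downloads(log_text, min_events=20, ratio=5.0):
    """Return (user, day, count, baseline) for days that look like bulk pulls.

    A day is flagged when its download count is at least `min_events` and at least
    `ratio` times the median of that user's other days (baseline 1 if there are none).
    """
    alerts = []
    for user, days in daily_downloads(log_text).items():
        for day, count in sorted(days.items()):
            others = [c for d, c in days.items() if d != day]
            baseline = median(others) if others else 1
            if count >= min_events and count >= ratio * baseline:
                alerts.append((user, day, count, baseline))
    return alerts


if __name__ == "__main__":
    for user, day, count, baseline in flag_bulk_downloads(constructed_log()):
        print(f"{user} downloaded {count} files on {day} (usual: {baseline}/day)")
```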