

If only your server had a check engine light. You’d know something was wrong. You might not know exactly what, or how serious — but you’d know to have someone look at it soon, before you ended up on the side of the road. The problem with your IT systems isn’t that there is no check engine light, there is one, and it’s been on for weeks. It’s just sitting behind a dashboard nobody ever looks at.
Every server, laptop, desktop, workstation, and cloud service your firm uses records what’s happening — logins, file access, permission changes, external connections, everything. These are your event logs, and they’re the closest thing to a check engine light your IT systems have. IBM’s 2025 Cost of a Data Breach Report found that organizations take an average of 241 days to identify and contain a breach [1]. That’s nearly eight months. For most businesses — including architecture, engineering, construction, and manufacturing firms — that’s a full project cycle during which someone potentially has access to your client drawings, project files, financial records, and credentials. The light was on the whole time.
Most small firms have a firewall. Most don’t have anyone reading what the logs are saying behind it. That’s the gap.
What’s Happening in Your Logs Right Now
The logs are comprehensive, and in most small and mid-sized firms, nobody reads them. That’s not unusual — reading logs manually is tedious work, and unless something is obviously wrong, there’s no apparent reason to open them on any given Tuesday. But that’s exactly the problem.
Attackers don’t announce themselves. They log in using stolen credentials, move to other systems, compress files, and set up scheduled tasks. None of that looks strange to a firewall. Yet all of it leaves traces in the logs — if someone or thing is configured to look.
The warning is almost always there. The question is whether anyone catches it before it becomes a headline.
What Specifically Gets Missed
The events that indicate a compromise in progress are mostly mundane-sounding things. Failed login attempts from an unusual location. A user account suddenly accessing folders it never touched before. A machine establishing connections to an external IP address at 2 a.m. An admin account appearing with no real reason. None of these by themselves signals a problem. Together, they often do — but only if someone is looking at them, putting together the relationship, or assigned the role to review if a configured alert on such a pattern appears.
CISA — the Cybersecurity and Infrastructure Security Agency — recommends that even small businesses implement basic logging and monitoring, and they’ve built a free tool called Logging Made Easy specifically for organizations with limited IT resources [2]. The guidance isn’t aimed at enterprise security teams. It’s aimed at exactly the kind of firms that have a reasonable perimeter but no visibility into what’s happening once someone is past it.
Why AEC and Manufacturing Firms Are Particularly Exposed
Architecture, engineering, construction, and manufacturing firms operate in a web of external relationships — subcontractors, consultants, material vendors, clients — all sharing files and access routinely. That’s the nature of the work, and it also creates a large attack surface. Construction topped the list of spear phishing targets in recent threat analysis [3], and ransomware attacks on the construction sector rose 41% between 2023 and 2024 [3].
The files at stake in these firms aren’t just financial records. A BIM model contains detailed structural, mechanical, and electrical layouts. Project portals hold contract terms, client contact information, and subcontractor credentials. These assets have real value to bad actors — and losing them, or having them held hostage, is a materially different problem than a generic data breach at a retail business.
What Monitoring Actually Looks Like

For most firms in this size range, managed log monitoring doesn’t mean hiring a full-time security analyst or building a security operations center. It means having a system that collects event data from your servers, workstations, and cloud services, correlates it against known threat patterns, and alerts someone when something looks wrong. Modern tooling does this at a cost that scales to a 20-to-50 person firm, and is not at Fortune 500 pricing.
The basic framework, per CISA’s guidance, has three parts: set up logging across your key systems; configure alerts for high-risk events like failed logins and privilege changes; and have a clear protocol for who investigates an alert and what they do next [2]. That third piece matters as much as the technology. An alert that fires with no one designated to act on it isn’t much more useful than no alert at all.
Monitoring without a response plan is just watching.
The Cost of Not Watching
The 241-day detection gap carries a direct cost [1]. The longer a breach goes undetected, the wider the access, the more data is exfiltrated or encrypted, and the more expensive and disruptive the recovery. For a firm running on project file access and construction management software, even a few days of locked systems during an active project is a serious problem. Eight months of undetected access is something else.
The good news is that the difference between a firm that catches something in days and one that doesn’t catch it for months is usually comes down to this: one had someone watching and responding, the other didn’t.
If you can’t answer the question “was there anything unusual on our network last night?” — that’s a gap worth closing. Technolene works with AEC and manufacturing firms to assess their current logging posture, identify what’s missing, and put monitoring in place that’s sized for a business like yours.
→ Reach out at technolene.com/contact to schedule a review.
References
[1] IBM. “2025 Cost of a Data Breach Report.” ibm.com/think/x-force/2025-cost-of-a-data-breach-navigating-ai
[2] CISA. “Use Logging on Business Systems.” cisa.gov/audiences/small-and-medium-businesses/secure-your-business/use-logging-on-business-systems
[3] CybelAngel. “Why the Construction Industry is Targeted by Cybercriminals.” cybelangel.com/blog/cyberattacks-in-the-construction-industry/
