
May 2026 | Qualit Managed IT | Engineering Firms | Cybersecurity
Your engineering team works across a wide stack of technical platforms — AutoCAD Civil 3D for design, Bentley MicroStation for infrastructure projects, RISA and ETABS for structural analysis, MATLAB for simulation, and Newforma or Deltek Vantagepoint for project coordination. Every one of those platforms requires a login. Add government project portals, DOT submission systems, Procore for construction coordination, and SharePoint for documentation, and a senior project engineer may be managing fifteen or more credentials on any given project. When those passwords get reused across systems — and the research shows most of them do — one compromised account can become a master key to everything your firm has produced.
The Scale of the Password Reuse Problem
A 2024 Cybernews study analyzed more than 19 billion passwords exposed in data breaches and found that 94% of them were reused or duplicated across multiple accounts. That is not a reflection of individual carelessness — it is a predictable result of asking technical professionals to manage large numbers of credentials without systematic support. Your project engineers are focused on delivering accurate calculations and meeting project specifications. Password hygiene is not their primary concern, and it should not have to be — but that creates a gap that attackers exploit systematically.
The attack method is called credential stuffing. Attackers purchase breach databases from the dark web — lists of username-and-password pairs from compromised platforms — and run automated scripts that test those same credentials against target systems. If an engineer reused a password from a breached personal account for your firm's Newforma project site or your AutoCAD Civil 3D license portal, that credential may already be in circulation and actively being tested.
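The defensive counterpart to the attack described above is spotting it in your own authentication logs. The following is an added example written for this page, not Qualit's tooling or any vendor's product: it reads a small constructed log (the timestamp/user/IP/result format is this example's own assumption) and flags a source address that tries many distinct usernames with mostly failed attempts inside a short window, which is the signature of an automated stuffing run rather than a user mistyping a password. It also lists any account that did authenticate successfully from that source, since those are the credentials to reset first.

```python
"""Flag credential-stuffing patterns in authentication logs.

Added example for this article, not Qualit's code. A stuffing run looks
different from ordinary failed logins: one source tries MANY distinct
usernames, most attempts fail, and it happens in a short window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp user source_ip result" (format assumed for this example)
SAMPLE_LOG = """\
2026-05-04T09:00:01 jdoe 203.0.113.7 FAIL
2026-05-04T09:00:02 asmith 203.0.113.7 FAIL
2026-05-04T09:00:02 bwong 203.0.113.7 FAIL
2026-05-04T09:00:03 cpatel 203.0.113.7 FAIL
2026-05-04T09:00:03 dlee 203.0.113.7 SUCCESS
2026-05-04T09:00:04 efox 203.0.113.7 FAIL
2026-05-04T09:00:04 glum 203.0.113.7 FAIL
2026-05-04T09:01:10 jdoe 198.51.100.20 FAIL
2026-05-04T09:01:25 jdoe 198.51.100.20 SUCCESS
2026-05-04T09:05:00 asmith 192.0.2.44 SUCCESS
"""


def parse_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "ip": ip,
            "ok": result == "SUCCESS",
        })
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.7):
    """Return {source_ip: summary} for sources that look like a stuffing run.

    For each source IP, slide a time window over its attempts; a window with at
    least `min_users` distinct usernames and a failure ratio of at least
    `min_fail_ratio` is flagged. The summary keeps the widest window seen and
    lists accounts that logged in successfully during it (reset these first).
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        left = 0
        for right in range(len(evs)):
            # shrink the window from the left until it fits inside `window`
            while evs[right]["ts"] - evs[left]["ts"] > window:
                left += 1
            win = evs[left:right + 1]
            users = {e["user"] for e in win}
            failures = sum(1 for e in win if not e["ok"])
            if len(users) >= min_users and failures / len(win) >= min_fail_ratio:
                best = flagged.get(ip)
                if best is None or len(users) > best["distinct_users"]:
                    flagged[ip] = {
                        "distinct_users": len(users),
                        "attempts": len(win),
                        "failures": failures,
                        "compromised_candidates": sorted(e["user"] for e in win if e["ok"]),
                    }
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

A single user failing twice from one address (198.51.100.20 above) is not flagged; seven different usernames from one address in three seconds is. The thresholds are starting points: tune `min_users` and `window` to your own login volume, and feed real successes from a flagged source straight into a credential-reset and session-revocation step.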
What Is at Stake for an Engineering Firm
Engineering firms carry specific categories of high-value data that make credential compromise especially consequential. Engineering calculations, structural analysis files, proprietary specifications, and simulation outputs represent significant billable work and competitive IP. For firms working on government or DOT projects, a breach may trigger security notification requirements or compliance obligations that go beyond the technical incident.
Ransomware groups frequently use credential stuffing as their entry point. They authenticate using legitimate stolen credentials, move laterally through the firm's environment, and then encrypt project files, CAD environments, and simulation data. When a structural analysis environment goes down mid-project, the billable impact is immediate — and the recovery timeline depends entirely on how well-prepared the firm's backup and response processes are.
Three Changes That Dramatically Reduce Your Risk
1. Deploy a Password Manager Across Your Engineering Team
Password managers like 1Password, Bitwarden, and Dashlane generate and store a unique, complex password for every account, so your engineering team never has to reuse a credential or try to remember twenty different passwords. Enterprise plans include admin dashboards that surface weak or reused passwords across the team — giving you visibility to address problems before an attacker does.
For engineering firms with a mix of technical platforms — CAD environments, project management systems, government portals, simulation software — a password manager creates a consistent security baseline without adding friction to the technical workflow.
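The two checks an admin dashboard runs behind the scenes, reuse across accounts and exposure in a known breach, can be seen in a few lines of code. The following is an added example written for this page, not code from Qualit, 1Password, Bitwarden or Dashlane: the vault export and the "breach corpus" are both constructed, and the breach lookup follows the k-anonymity range-query pattern, in which only the first five hex characters of a SHA-1 hash leave the client and the suffix is matched locally, so no password or full hash is ever disclosed to the lookup service. The service side is simulated in-process here; nothing touches the network.

```python
"""Audit a team vault export for reused and breached passwords.

Added example for this article, not a password manager's own code.
Reuse detection groups entries by a hash of the secret so plaintext is never
written out. The breach check mirrors the k-anonymity range-query design:
client reveals a 5-character hash prefix, server returns all suffixes under
that prefix, client matches locally.
"""
import hashlib
from collections import defaultdict

# Constructed vault export: (account, username, password). All values are made up.
VAULT_EXPORT = [
    ("newforma-projects", "jdoe", "Bridge2024!"),
    ("civil3d-license-portal", "jdoe", "Bridge2024!"),
    ("dot-submission-portal", "jdoe", "Bridge2024!"),
    ("procore", "jdoe", "correct horse battery staple"),
    ("sharepoint", "asmith", "Summer2023"),
    ("etabs-license", "asmith", "xK9#mQ2vL7pR!w"),
]

# Constructed stand-in for a breach corpus (simulates the lookup service's data).
SIMULATED_BREACH_CORPUS = ["Summer2023", "password", "123456", "Bridge2024!"]


def sha1_hex(secret):
    return hashlib.sha1(secret.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Service side of a range query: 5-char prefix -> set of 35-char suffixes."""
    index = defaultdict(set)
    for pw in corpus:
        h = sha1_hex(pw)
        index[h[:5]].add(h[5:])
    return index


def is_breached(secret, range_index):
    """Client side: expose only the prefix, compare the suffix locally."""
    h = sha1_hex(secret)
    candidates = range_index.get(h[:5], set())  # what the service would return
    return h[5:] in candidates


def find_reuse(vault):
    """Group accounts that share a password; returns only groups of size > 1."""
    groups = defaultdict(list)
    for account, _username, password in vault:
        digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
        groups[digest].append(account)
    return sorted(sorted(accts) for accts in groups.values() if len(accts) > 1)


def audit_vault(vault, corpus):
    """Combined report: reused-password groups and accounts whose password is in the corpus."""
    index = build_range_index(corpus)
    return {
        "reused": find_reuse(vault),
        "breached": sorted(account for account, _u, pw in vault if is_breached(pw, index)),
    }


if __name__ == "__main__":
    report = audit_vault(VAULT_EXPORT, SIMULATED_BREACH_CORPUS)
    print("reused across accounts:", report["reused"])
    print("found in breach corpus:", report["breached"])
```

In the constructed data, one password is shared by three project systems and also appears in the breach corpus, which is exactly the "master key" scenario this article describes: a single exposed credential that opens the Newforma site, the license portal and the DOT submission system at once. A real password manager performs this audit inside the encrypted vault rather than on an exported list.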
2. Enable Multi-Factor Authentication on All Critical Systems
Multi-factor authentication (MFA) requires a second verification step beyond a password — typically a time-based code from an app like Google Authenticator or Microsoft Authenticator. MFA stops credential stuffing attacks even when a password has been compromised, because the attacker cannot proceed without access to a trusted device.
MFA is available on most engineering platforms including Autodesk products, SharePoint, Procore, and Deltek Vantagepoint. For government and DOT project systems, MFA may already be required. Enabling it universally across your firm's environment should be treated as a baseline control, not an optional feature.
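The time-based code the article mentions is a small, standard computation, and seeing it makes clear why a stolen password alone is not enough: the code depends on a secret that never leaves the authenticator app and the server. The following is an added example written for this page, not code from Google, Microsoft or any platform named above. It implements HOTP (RFC 4226) and TOTP (RFC 6238) with Python's standard library, plus the server-side checks that matter in practice: a small tolerance for clock drift and rejection of a code that was already accepted in the same time step. The shared secret used in the test is the published RFC test-vector secret, so the expected codes are the RFC's own.

```python
"""Time-based one-time passwords (RFC 6238) and how a server should verify them.

Added example for this article, not any vendor's implementation. Both the
authenticator app and the server compute HMAC-SHA1(secret, 30-second counter),
truncate to 6 digits, and compare.
"""
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """RFC 6238: HOTP where the counter is the number of `step`-second periods since the epoch."""
    return hotp(secret, int(at_time) // step, digits)


class TotpVerifier:
    """Server-side check with +/- `drift_steps` of clock tolerance and replay rejection."""

    def __init__(self, secret, step=30, drift_steps=1):
        self.secret = secret
        self.step = step
        self.drift_steps = drift_steps
        self.last_accepted_counter = -1  # highest counter value already consumed

    def verify(self, code, at_time=None):
        now = int(time.time() if at_time is None else at_time)
        counter = now // self.step
        for delta in range(-self.drift_steps, self.drift_steps + 1):
            candidate = counter + delta
            if candidate <= self.last_accepted_counter:
                continue  # that step was already used: a replayed code must fail
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_accepted_counter = candidate
                return True
        return False


# Shared secret from the RFC 4226 / RFC 6238 test vectors (not a real secret).
RFC_TEST_SECRET = b"12345678901234567890"


if __name__ == "__main__":
    print("current code for the RFC test secret:", totp(RFC_TEST_SECRET, time.time()))
```

The replay check is the detail most home-grown verifiers miss: without it, a code phished or shoulder-surfed seconds ago is still valid for the rest of the 30-second step. Real deployments also rate-limit verification attempts and store `last_accepted_counter` per user.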
3. Audit Service Accounts and Shared Credentials
Engineering firms frequently use shared credentials for project portal access, software license management, and legacy CAD system integrations. These accounts often persist long after they are needed. Conduct a systematic audit of shared and service accounts — identify which are still in active use, ensure they are covered by the same password standards as individual accounts, and deactivate anything that is no longer required.
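The audit just described can be run as a script against whatever account inventory your identity provider or vendor portal exports. The following is an added example written for this page, not Qualit's tooling: the inventory records and their field names (`last_login`, `mfa`, `password_rotated`, `owner`) are this example's own assumptions, not any vendor's export schema. For every shared or service account it answers the three questions above, whether the account is still used, whether it meets the same standard as named accounts, and whether someone owns it, and produces a concrete action list.

```python
"""Audit shared and service accounts against the same standard as named accounts.

Added example for this article, not Qualit's code. The inventory and field
names are constructed for illustration.
"""
from datetime import date, timedelta

# Constructed inventory of non-personal accounts (schema assumed for this example).
INVENTORY = [
    {"account": "svc-civil3d-license", "type": "service", "owner": "it-ops",
     "last_login": date(2026, 4, 28), "mfa": False, "password_rotated": date(2025, 1, 10)},
    {"account": "shared-dot-portal", "type": "shared", "owner": None,
     "last_login": date(2026, 5, 10), "mfa": False, "password_rotated": date(2024, 3, 2)},
    {"account": "svc-newforma-sync", "type": "service", "owner": "pm-office",
     "last_login": date(2026, 5, 1), "mfa": True, "password_rotated": date(2026, 2, 15)},
    {"account": "legacy-cad-integration", "type": "service", "owner": "it-ops",
     "last_login": None, "mfa": False, "password_rotated": date(2022, 11, 9)},
]


def audit_accounts(inventory, today, stale_after=timedelta(days=90),
                   rotate_after=timedelta(days=365)):
    """Return {account: [actions]}; an empty list means the account passed every check.

    Order of checks: is it still used (if not, deactivate and stop); is it a
    shared login that should become individual accounts; is MFA enabled; is the
    credential older than the rotation limit; does it have an owner.
    """
    findings = {}
    for acct in inventory:
        actions = []
        last = acct["last_login"]
        stale = last is None or today - last > stale_after
        if stale:
            actions.append(f"deactivate: no login within {stale_after.days} days")
        else:
            if acct["type"] == "shared":
                actions.append("replace with named individual accounts")
            if not acct["mfa"]:
                actions.append("enable MFA (or move to a non-interactive credential type)")
            if today - acct["password_rotated"] > rotate_after:
                actions.append(f"rotate credential: older than {rotate_after.days} days")
            if acct["owner"] is None:
                actions.append("assign an owner")
        findings[acct["account"]] = actions
    return findings


def summarize(findings):
    """Counts for a report: how many accounts to deactivate, fix, or leave as-is."""
    deactivate = sum(1 for a in findings.values() if a and a[0].startswith("deactivate"))
    compliant = sum(1 for a in findings.values() if not a)
    return {"deactivate": deactivate, "needs_fixes": len(findings) - deactivate - compliant,
            "compliant": compliant}


if __name__ == "__main__":
    report = audit_accounts(INVENTORY, date.today())
    for account, actions in report.items():
        print(account, "->", actions or ["ok"])
    print(summarize(report))
```

Run it on a fixed date when reviewing results so two people comparing output see the same stale/fresh decisions. The 90-day and 365-day limits are illustrative; government contract security provisions may set shorter ones, and those take precedence.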
One Breach Can Be a Master Key for Everything
When passwords are reused across systems, a single compromised account creates a universal vulnerability. A breach at a third-party platform your firm uses — a consultant's project site, a software vendor's licensing portal — can cascade into your firm's core CAD environment and project data. Breaking that dependency by making every password unique eliminates the chain reaction.
We work with Salt Lake City engineering firms to protect project data and support technical workflows. If your firm has not audited its credential security recently, now is a good time to start.
Schedule a free discovery call with Qualit to review your firm's credential security.
Frequently Asked Questions
Q: We use a shared login for our AutoCAD Civil 3D license portal. Is that a security problem?
Yes. Shared credentials create two problems: you cannot audit who accessed what or when, and if the credential is compromised, you cannot revoke access for one person without disrupting everyone. Individual named accounts with MFA are the right approach for license portals and project systems. Most engineering software vendors support individual account management at the enterprise level.
Q: Some of our engineers work on government or DOT projects. Do those projects have specific password requirements?
Yes, frequently. Federal and state government contracts often include IT security requirements that specify password complexity, MFA, and audit logging. Review the security provisions in your active government contracts — non-compliance can create contract performance issues, not just security risk. An IT partner familiar with government contracting requirements can help you map current practices against what your contracts require.
Q: What happens if a project engineer's credentials are compromised while they are working on an active DOT project?
The immediate priorities are: contain the compromise by resetting credentials and revoking active sessions, assess what data was accessible from the compromised account, and determine whether the project contract or applicable regulations require incident notification. Your IT partner should be involved from the start. For government projects, incident notification timelines can be short, so having a pre-defined response process before an incident occurs is important.

