
May 2026 | Qual IT Managed IT | Architectural Firms | Cybersecurity
Spring is hiring season — and for architectural firms, that often means bringing on new project architects, CAD technicians, BIM coordinators, and administrative staff ahead of summer project ramp-ups. A new employee's first week is full of logins, software installs, introductions, and information overload. In that chaotic environment, security awareness tends to be low and trust tends to be high — a combination that attackers know how to exploit. If your firm does not have a structured plan for new hire security, every onboarding season is a window of elevated risk.
The Research Is Clear: New Employees Are High-Value Targets
According to Keepnet's 2025 phishing research, CEO impersonation attacks are 45% more effective against new employees than against the general workforce. A separate analysis found that new hires are 44% more susceptible to phishing attempts overall. The reason is straightforward: new employees do not yet know what 'normal' looks like at your firm. They do not know whether the managing principal typically sends DocuSign requests on Mondays, or whether the IT team sends software license emails from a specific domain, or whether a request from 'HR' to verify direct deposit information before payroll is processed is legitimate or a scam.
That uncertainty is what attackers bank on. A phishing email that an experienced employee would immediately flag as suspicious looks plausible to someone on their third day, still trying to figure out who to ask about anything.
What This Looks Like in an Architectural Firm
Picture a new project architect who just joined your Salt Lake City firm. It is their second week. They receive an email that appears to come from the principal-in-charge of their first project — asking them to log into Autodesk Docs with the link provided and confirm their access before a team coordination meeting. The link goes to a convincing fake login page. They enter their credentials. The attacker now has access to your firm's BIM 360 environment and every project file it contains.
Variations of this attack use fake IT help desk emails asking for software license confirmation, spoofed Newforma notifications, or messages impersonating the firm's accounting contact asking a new hire to approve a vendor payment. The social engineering is tuned to the context of a first week, when following instructions and responding quickly feel like the right way to make a good impression.
The Chaotic First Day Creates Security Gaps
Most architectural firms do not have a formalized IT onboarding checklist. A new hire gets their laptop, gets added to email, gets a Revit or AutoCAD license installed, and then gets handed off to a project team. Security training — if it happens at all — might be a PDF they are asked to read at some point in the first month. Meanwhile, they are being granted access to project files, client data, and collaboration portals in BIM 360 and Autodesk Docs from day one.
That gap between access and awareness is the attack surface. Every day a new hire has credentials but no understanding of what legitimate requests look like at your firm is a day of elevated phishing risk.
Three Fixes That Reduce New Hire Phishing Risk
1. Configure Access Before the First Day — Not During
Access provisioning should be a pre-arrival process. New hires should arrive with accounts already created, permissions scoped to what they actually need for their first project, and MFA already enrolled. Waiting until the first day to set up access creates a scramble that often ends with overly broad permissions and no time to verify anything. A structured provisioning checklist ensures new project architects and technicians get the right access — not all access.
2. Define What 'Normal' Looks Like at Your Firm
Give every new hire a short, direct briefing on communication norms. Does your firm use DocuSign? If so, what does a legitimate request look like, and from which email address? Does IT ever send software license emails? Does the principal ever email direct requests to junior staff, or do those requests come through a project manager? Setting clear expectations about normal communication patterns makes phishing attempts stand out.
This does not need to be a lengthy security training session. A one-page document covering your firm's communication norms — sent before the first day, reviewed in the first week — can significantly reduce the risk window.
3. Give New Hires a Named Point of Contact for Suspicious Requests
One of the simplest and most effective phishing defenses is making it easy to ask. New employees who receive a suspicious email need to know exactly who to forward it to and what to do in the meantime. If that process is not established, most new hires will either respond to the phishing email or do nothing — neither of which is the right answer. Designate a point of contact (an IT partner, a senior staff member, or both) and make sure every new hire knows how to reach them from day one.
Spring Hiring Season Is the Right Time to Review Your Onboarding Process
If your firm is bringing on staff ahead of summer project launches, now is the moment to review your onboarding security process. The changes required are not dramatic — structured provisioning, a communication norms briefing, and a clear escalation path — but they close a meaningful risk window that attackers actively exploit.
We work with Salt Lake City architectural firms to protect design files and keep project workflows running. That includes making sure every new team member is set up securely from day one.
Schedule a free discovery call with Qual IT to review your firm's onboarding security process.
Frequently Asked Questions
Q: Our new hires need access to BIM 360 and Autodesk Docs right away. How do we scope access without slowing down their first day?
The key is pre-arrival provisioning. Work with your IT partner to create a standard new hire access template for each role — project architect, CAD technician, intern, admin — that grants the right level of access to the right project environments. Access can be expanded as their role evolves, but starting with appropriately scoped permissions is far safer than granting blanket access on day one.
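Fix 1 above and this answer both describe the same control: a per-role access template applied before the start date, with MFA enrolled and scope limited to the first project. The script below is an added illustration of that check, not Qual IT's or Autodesk's tooling; the role names, permission strings, project names and sample requests are all constructed, and the `ROLE_TEMPLATES` mapping stands in for whatever groups your identity provider actually uses.

```python
"""Pre-arrival provisioning check for new-hire access requests.

Added example, not Qual IT's or Autodesk's tooling. Role templates, permission
names, project names and sample requests are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date

# Hypothetical day-one templates: the MAXIMUM permissions a role receives on arrival.
ROLE_TEMPLATES = {
    "project_architect": {"bim360:read", "bim360:write", "docs:read", "docs:write", "email"},
    "cad_technician":    {"bim360:read", "bim360:write", "docs:read", "email"},
    "intern":            {"bim360:read", "docs:read", "email"},
    "admin":             {"email", "docs:read", "hr:portal"},
}


@dataclass
class AccessRequest:
    username: str
    role: str
    start_date: str                                  # ISO date, e.g. "2026-05-18"
    projects: list = field(default_factory=list)     # BIM 360 / Docs projects in scope
    permissions: set = field(default_factory=set)    # what the requester asked for
    mfa_enrolled: bool = False


def scope_to_role(req):
    """Clamp the requested permissions to the role template (least privilege)."""
    return req.permissions & ROLE_TEMPLATES.get(req.role, set())


def check_request(req, today):
    """Return findings that block provisioning; an empty list means ready to provision."""
    template = ROLE_TEMPLATES.get(req.role)
    if template is None:
        return [f"unknown role '{req.role}': no template exists, do not provision"]
    findings = []
    extra = sorted(req.permissions - template)
    if extra:
        findings.append(f"requested permissions outside the {req.role} template: {extra}")
    if not req.projects:
        findings.append("no project scope: limit access to the first assigned project(s)")
    if not req.mfa_enrolled:
        findings.append("MFA not enrolled: enroll before the account is enabled")
    if date.fromisoformat(req.start_date) <= date.fromisoformat(today):
        findings.append("start date has arrived: provisioning must finish before day one")
    return findings


# Constructed sample requests: one clean, one over-scoped and late, one with no template.
SAMPLE_REQUESTS = [
    AccessRequest("jdoe", "project_architect", "2026-05-18", ["Tower-A"],
                  {"bim360:read", "bim360:write", "docs:read", "email"}, mfa_enrolled=True),
    AccessRequest("mlee", "cad_technician", "2026-05-11", [],
                  {"bim360:read", "bim360:write", "docs:write", "hr:portal"}),
    AccessRequest("contractor1", "contractor", "2026-05-20", ["Tower-A"], {"email"}, True),
]


def review_all(requests, today):
    """Map each username to its findings so the whole batch can be reviewed at once."""
    return {r.username: check_request(r, today) for r in requests}


if __name__ == "__main__":
    for user, findings in review_all(SAMPLE_REQUESTS, "2026-05-11").items():
        status = "READY" if not findings else "BLOCKED"
        print(f"{user}: {status}")
        for f in findings:
            print(f"  - {f}")
```

Run it a few days before each start date; a request is only handed to whoever creates the accounts once it comes back `READY`, and `scope_to_role` gives the permission set to actually grant when a requester asked for more than the template allows.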
Q: What if a new hire falls for a phishing attack? What is our exposure?
The exposure depends on what access the compromised account had. If credentials are stolen, an attacker may access BIM 360 project files, client data, and internal communications. MFA significantly limits the damage because stolen credentials alone cannot be used to log in. If you suspect a phishing compromise, change the affected credentials immediately, audit recent login activity, and notify your IT partner to assess whether any data was accessed.
Q: Can we make phishing training part of our standard onboarding without it feeling like a burden?
Yes — and it should be. The most effective approach is brief, specific, and practical: a short briefing on what legitimate communications look like at your firm, what to do if something seems off, and who to contact. Pair that with a simulated phishing test in the first 60 days to reinforce the lesson in a low-stakes way. Most employees respond well to training that feels relevant to their actual work environment rather than generic security awareness slides.

