Uncovering Risks at Fortis Construction

How a Security Risk & Vulnerability Assessment uncovered potential cybersecurity issues to help avoid a data breach.

The problem

Fortis Construction, a multi-million dollar general contractor headquartered in Oregon, sought a method to measure its cybersecurity standing in response to attacks in the Engineering & Construction industry.

The Engineering & Construction industry is an up-and-coming target for cybercrime, according to Datto. More than 30% of Managed Service Providers found the Engineering & Construction space as the leading target for ransomware in 2019, with bid data, designs, materials pricing, profit/loss data, employee information, banking records, and other confidential information as the target for cybercriminals.

In response to a technology readiness assessment by Archetype SC’s partner, FMI, Fortis Construction sought a thorough examination of its cybersecurity posture.


More than 5,400 vulnerabilities were uncovered at Fortis Construction during Archetype SC’s initial SRVA.

The solution

Using a combination of industry-leading network scanning software for internal and external testing, an on-site visit to interview key personnel, and a walkthrough of Fortis Construction’s office space, Archetype SC found areas of concern within the cybersecurity posture of the company.

The internal scan, performed by accessing the network of the company in its office with credentials, allows Archetype SC to see the internal network as a common device. This access shows where vulnerabilities lie in an everyday sense, from all devices used by employees in the office. The walkthrough and interview portion of the assessment show how individuals interact with the security protocols, if the office space is in compliance with security best practices, and if obvious security issues arise within the workspace of employees like shared passwords or screens with confidential information visible to mass personnel.

Following the on-site time and completion of an external scan from the Archetype SC office, a comprehensive report and remediation plan were presented with an explanation of Critical and High vulnerabilities, analysis of observations from interviews, and time-on-site, and a breakdown of known exploits of vulnerabilities.

6 months

Most companies take half a year to detect a cybersecurity incident, before beginning to respond.

Source: ZDNet 2019

The results

After completion and delivery of the SRVA report, Archetype SC engaged with Fortis Construction on a number of technology-focused projects, including consultation on technology selection and a path forward with remediation of vulnerabilities highlighted by the SRVA.

An ongoing relationship exists between the companies, with upcoming work, including a second SRVA to gauge the effectiveness of remediation by the Fortis team, to be completed in 2020.

We’ve retained Archetype SC for three different projects across many aspects of technology needs, from cybersecurity to data management. Their team is intentional and deliberate on every task they take on. The expertise of their team members is broad and each person we have interacted with has ensured our needs are met, every step of the way. Every project we have undertaken has been thorough, organized, and driven by capable team members. Hands down, Archetype SC is my first call with any technology-related need.

Mitch Cornelius,
Fortis Construction
linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram