There is an interesting contradiction at the heart of how most architecture and design professionals approach their work. The discipline demands extraordinary attention to specification. Material tolerances measured in millimetres. Structural calculations verified multiple times. Drawings checked, cross-checked, and coordinated across disciplines before a single element goes near a site. The culture of precision is built into the practice from the first year of architectural education.
And then there is the digital workspace. The collection of cloud platforms, project management tools, BIM software subscriptions, client communication portals, and file-sharing services through which the actual work of contemporary architecture practice flows every day — and which, in most studios, is protected by whatever passwords individual team members happened to choose when they signed up.
The gap between those two realities is worth examining. Not because architects are uniquely negligent, but because the nature of what architecture practices handle digitally has changed significantly, and the security habits have not kept pace with the value of what is now being protected.
What Architecture Practices Actually Handle Digitally
The working assumption in many practices, particularly smaller studios, is that their digital data is not interesting to anyone outside the profession. This assumption underestimates what a contemporary architecture practice’s digital environment actually contains.
Client data covers not just contact details but financial information, planning consent histories, and in some cases the detailed security specifications of private residences, commercial properties, or sensitive institutional buildings. Project files include proprietary design work representing months or years of billable time. Contractor communications may contain tendering information, cost breakdowns, and procurement details that are commercially sensitive. And for practices working with healthcare, education, justice, or government clients, the project data may carry formal confidentiality obligations.
The design industry has been increasingly targeted precisely because it holds this kind of layered, high-value information. The UK National Cyber Security Centre’s guidance for small and medium-sized organisations specifically notes that creative and professional services firms are among the most targeted categories for credential theft and phishing attacks — not because they are individually high-profile targets, but because they hold client data, proprietary intellectual property, and financial records while often maintaining less robust security infrastructure than larger corporate environments.
The Credential Problem in a Multi-Platform Practice
A contemporary architecture studio operates across a striking number of digital platforms. BIM collaboration tools like BIM 360 or Trimble Connect. Project management platforms like Asana, Notion, or Monday.com. Cloud storage across Dropbox, Google Drive, or Microsoft SharePoint. Rendering platforms. Specification databases. Accounting software. The practice’s own website and CMS. Client-facing portals. And behind all of those, the email accounts that function as the connective tissue of the entire operation.
Each platform has its own login. Each login has a password. In most small and medium-sized practices, a significant proportion of those passwords are variations of the same base credential, chosen when the account was set up and never meaningfully reviewed.
The reason this matters is not the strength of any individual password. It is the reuse. When one platform in the stack is breached, and data breaches affecting major software platforms are a routine occurrence rather than exceptional events, the credentials from that breach get tested against every other platform the same email address is registered with. If the passwords match, the attacker gains access. The initial breach does not need to involve the architecture practice’s own systems at all. It needs to involve any platform where the same password was used.
What Good Digital Credential Practice Actually Looks Like
The principle is the same one that architects already apply to material specifications: use the right thing for each application, do not substitute a cheaper equivalent and assume it will perform the same way. A unique, randomly generated password for each platform, stored securely, and managed systematically, is the correct specification. Using the same password across platforms is the equivalent of specifying the same generic sealant for every joint regardless of thermal movement, substrate, or exposure — technically it might work for a while, but the failure mode when it does not is predictable.
A password manager generates a unique, cryptographically random password for every account and stores them all in an encrypted vault that synchronises across devices. The only credential that requires active memory is the master password for the vault itself. For a practice where multiple team members need access to shared platform accounts, most password managers also support secure credential sharing within teams — so a junior designer can access the BIM platform credentials without those credentials being transmitted via Slack or written in a shared notes document, both of which are depressingly common workarounds in studios that have not addressed this systematically.
The setup investment is a few hours, spread over a week of normal practice. The ongoing overhead is close to zero. The credential fills in automatically when a platform’s login page loads. The manager flags if a stored password appears in a known data breach and prompts an update. In terms of the effort-to-protection ratio, it is one of the highest-value digital hygiene steps a practice can take.
The Broader Question of Digital Resilience in Architecture Practice
The credential security question sits within a wider conversation about digital resilience that the architecture profession has been slow to have in any systematic way. The move toward cloud-based collaboration has happened quickly and brought genuine benefits: real-time coordination across geographically distributed teams, version-controlled project files, and client-facing transparency on project progress. It has also moved the operational risk profile of practices in ways that the professional development conversation has not fully caught up with.
Architecture schools invest significant curriculum time in technical drawing standards, building physics, structural systems, and construction law. Digital security receives, in most programmes, approximately nothing. The result is a generation of practitioners who are highly capable in their discipline and largely unequipped to make informed decisions about the security of the digital systems through which that discipline increasingly operates.
The Royal Institute of British Architects has begun acknowledging this gap. The RIBA’s practice guidance on data and information management covers information security as part of the broader framework for professional practice, including guidance on access controls, data classification, and the responsibilities practices have for the client data they hold. It is a starting point, though the translation from guidance document to studio practice remains inconsistent across the profession.
Why This Matters for How Architecture Is Practiced
The relationship between a practice and its clients is built on a specific kind of trust. Clients share with their architects not just a brief and a budget, but the details of how they live and work, what they value, and what they want to protect. That relationship carries an implicit obligation of care that extends to the digital environment in which project information is held and transmitted.
A practice that handles its physical deliverables with rigour and its digital credentials with negligence is not fully honouring that obligation. The correction is not technically difficult. It requires the same thing that good architecture always requires: taking the time to understand what the problem actually is, specifying the right solution, and implementing it carefully.
The conversations happening in the profession about AI in design, computational methods, and parametric tools are worth having. So is this one. For more on the intersection of technology and professional practice in architecture, RTF’s technology section covers the tools and systems that are reshaping how the discipline operates — including the ones that deserve more attention than they currently receive.

