Why engineering firms are extra vulnerable
Engineering files behave differently from office data
Most engineering firms are small or medium-sized organisations with no dedicated IT department or security officer. A single Revit model can be several gigabytes — a complete project folder, tens of gigabytes. Files are interdependent: a BIM model references other files and libraries. Restoring one file without the rest is rarely sufficient. Version control is business-critical: if a client asks for the version from three months ago and it no longer exists, you have a problem — not just practically, but potentially legally.
- Engineering firms
- CAD backup
- BIM backup
The misconception that costs many firms dearly
SharePoint is not a backup
"We work in SharePoint, so our data is safely stored in the cloud." We hear this often. And it is not correct. SharePoint, OneDrive and Dropbox are synchronisation services — they ensure files are available on multiple devices but they are not a backup. When ransomware encrypts your files, the encrypted version syncs immediately to all connected devices and to the cloud. Within minutes every copy is compromised. A proper backup creates isolated, versioned copies that are not reachable from your main network.
SharePoint does not protect you against ransomware. A proper backup does.
What a proper backup actually does
The 3-2-1 rule as the baseline standard
The widely accepted standard is the 3-2-1 rule: 3 copies of your data on 2 different storage media with 1 copy fully isolated. For an engineering firm: a daily incremental backup on a local NAS for fast recovery, a weekly full backup physically separated from the primary server, and a cloud backup with immutable storage for ransomware protection. An immutable backup cannot be modified or deleted after writing — not even by someone with administrator rights. If ransomware strikes on Thursday you can restore to Tuesday.
Liability and retention obligations: what many firms underestimate
DNR 2025 and professional liability
Engineering firms operate under DNR 2025, revised in December 2025 by NLingenieurs and BNA. Professional liability runs by default for five to ten years after project completion. If a client holds you liable for a design error five years after delivery, you must be able to demonstrate which version of which document was delivered at which point. Without proper version control and a demonstrably retained project file, your position is weak. Minimum retention periods: active projects daily with 90 days of version history, completed projects at least 10 years, contracts and permits indefinitely.
A backup is for fast recovery. An archive is for long-term retention. Most firms need both — and they are separate systems.
- DNR 2025
- ISO 27001
- 10-year retention
Five steps to get this sorted
Even without IT knowledge
Map your data
Which files are business-critical? Active projects, closed files, software licences, quotes. Make a list — this is the starting point of any backup policy.
Define your RPO and RTO
How much data loss can you accept? How quickly do you need to be back up and running? One hour of downtime can quickly cost an engineering firm hundreds of euros in billable time.
Choose a hybrid approach
Local for speed, cloud for security. For most firms of 5 to 50 people, a combination of an on-site NAS and cloud backup with immutable storage is the most practical and affordable solution.
Test your backup monthly
A backup you have never tested is not a backup — it is an assumption. Every month restore a random project folder to a test location and verify that everything is there.
Document the recovery process
Who does what when things go wrong? Where are the login credentials? This document must be available offline — not on the server that just went down.
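For the monthly restore test in the fourth step, the check below is an added example, not code from this page or from any backup product. It records SHA-256 hashes of a project folder when the backup runs and compares a test restore against them, reporting missing, changed and unexpected files; the folder layout and file names are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path


def manifest(root: Path) -> dict[str, str]:
    """Map each file's path relative to root to its SHA-256 digest."""
    result = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            # Read in 1 MiB chunks: a single model can be several gigabytes.
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                digest.update(chunk)
        result[path.relative_to(root).as_posix()] = digest.hexdigest()
    return result


def compare_restore(expected: dict[str, str], restored_root: Path) -> dict[str, list[str]]:
    """Compare a restored folder against the manifest taken at backup time."""
    actual = manifest(restored_root)
    return {
        "missing": sorted(expected.keys() - actual.keys()),
        "changed": sorted(p for p in expected.keys() & actual.keys() if expected[p] != actual[p]),
        "unexpected": sorted(actual.keys() - expected.keys()),
    }


def demo() -> dict[str, list[str]]:
    """Constructed sample: a tiny project folder and an incomplete restore."""
    with tempfile.TemporaryDirectory() as tmp:
        source, restored = Path(tmp, "project"), Path(tmp, "restore-test")
        files = {
            "model/building.rvt": b"constructed model bytes",
            "libraries/families.rfa": b"constructed library bytes",
            "calc/structure.xlsx": b"constructed calculation",
        }
        for root in (source, restored):
            for rel, data in files.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_bytes(data)
        expected = manifest(source)  # in practice, stored when the backup ran
        (restored / "libraries/families.rfa").unlink()  # referenced library not restored
        (restored / "calc/structure.xlsx").write_bytes(b"truncated")  # damaged copy
        return compare_restore(expected, restored)


if __name__ == "__main__":
    print(demo())
```

Because engineering files reference each other, any entry under "missing" means the restored project may not open correctly even when the main model itself is intact.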
Your questions answered
Frequently asked questions from engineering firms
No. These services synchronise files but do not create isolated copies. A ransomware attack or accidental deletion spreads immediately to all synchronised locations. You need a separate backup solution with immutable storage and version history.
As a minimum: completed projects for at least 10 years, in line with professional liability periods under DNR/RVOI. Structural calculations and safety documents preferably longer.
It depends entirely on your backup architecture. A combination of a local NAS and cloud backup makes recovery within two to four hours achievable for most firms.