Cyber Security – The New Frontier for Project Managers!
This article is adapted by Himadri Chowdhury from the PM Footprint Session presentation delivered by Prof. Prasad Honnavalli, titled “Cyber Security – the new frontier for Project Managers!”.
Internet and Cybercrime
The global internet population is 2.4 billion and growing. Business use of externally hosted web services is growing manifold, and Bring Your Own Device (BYOD) adoption is increasing in every industry. Global data growth has also been phenomenal, from a measly 0.01 GB in 1992 to 50,000 GB in 2018. By 2020, we expect to have more than 50 billion connected “things”.
This huge boom in internet population, data speed and connected devices has brought its share of challenges. The most important among them is the boom in cybercrime. Multiple studies estimate that the cost of cybercrime will exceed $2.1 trillion by 2019 and $6 trillion by 2021. A staggering 60% of small businesses go out of business within six months of a cyber attack.
The most common cyber attacks exploit credential reuse, man-in-the-middle (MITM) interception or eavesdropping, malware, ransomware, phishing and denial of service. More and more attacks follow an economic model akin to cybercrime-as-a-service, infecting company networks with ransomware that covertly encrypts files; the company loses access to its own data and is pressured into paying for recovery. Attacks that take a business offline, notably Distributed Denial-of-Service (DDoS), are also increasing: research by Verisign/Merrill shows that one-third of all downtime incidents today can be attributed to DDoS attacks.
To counter the rapid growth in cybercrime, companies have been focusing on increasing information security. According to NIST, Information Security is “the protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications)”.
In other words, Information Security refers to the processes and methodologies designed and implemented to protect confidential, private and sensitive information or data, whether printed, electronic or in any other form, from unauthorized access, use, misuse, disclosure, destruction, modification or disruption.
The CIA Triad (confidentiality, integrity, availability), also called the core security principles, is a model that guides information security policy within an organization.
- Data confidentiality: Assures that private or confidential information is not made available or disclosed to unauthorized individuals. Confidential information includes personally identifiable information such as Social Security numbers, credit card or account numbers, and business information such as financial data, employee records and trade secrets.
- Privacy: Assures that individuals control or influence what information related to them may be collected and stored, by whom, and to whom it may be disclosed. The goal is to preserve authorized restrictions on information access and disclosure, protecting both personal privacy and proprietary information.
- Data integrity: Guards against improper modification or destruction of information, and ensures non-repudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information.
- System integrity: Assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation. To protect against integrity violations, the network should be monitored for unusual or suspicious activity, strong audit policies should be in place, and software intrusion detection systems can be used to detect unauthorized changes.
- Availability: Assures that systems work promptly and service is not denied to authorized users, ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system. A denial-of-service attack is an attack against availability: it floods a system with requests in an effort to interrupt or suspend service to legitimate users.
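The system-integrity item above says intrusion detection software can detect unauthorized changes. The following is an added example, not code from the original presentation, of the simplest form of that check: a file-integrity baseline that hashes every file under a directory with SHA-256 and, on a later run, reports what was added, removed or modified. The directory layout, file contents and the simulated tampering are constructed for the demonstration.

```python
"""Added example (not code from the original presentation): a minimal
file-integrity baseline, the kind of check a host intrusion detection
system performs to detect unauthorized changes. The directory layout and
file contents below are constructed for the demonstration."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        # Skip symlinks: a link can be repointed without its target changing.
        if path.is_symlink() or not path.is_file():
            continue
        baseline[path.relative_to(root).as_posix()] = sha256_file(path)
    return baseline


def compare_baselines(old: dict, new: dict) -> dict:
    """Report files that were added, removed, or whose content hash changed."""
    common = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(name for name in common if old[name] != new[name]),
    }


def demo() -> dict:
    """Take a baseline of a constructed tree, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "app.conf").write_text("debug=false\n")
        (root / "bin" / "service").write_bytes(b"\x7fELF placeholder")
        baseline = build_baseline(root)

        # Simulated unauthorized changes: a config edit, a dropped script,
        # and a deleted binary.
        (root / "etc" / "app.conf").write_text("debug=true\n")
        (root / "bin" / "cron_helper").write_bytes(b"#!/bin/sh\n# not in baseline\n")
        (root / "bin" / "service").unlink()
        return compare_baselines(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

The baseline itself must be stored where an attacker who can modify the monitored files cannot also rewrite it (off-host, or signed), otherwise the check only confirms the attacker's own view of the system.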
The impacts of cybercrimes can be categorized into three levels:
- High: life threatening, severe damage, loss of business continuity
- Medium: widespread disruptions, degraded performance, no harm to life, financial impact
- Low: local damage, no harm to life, some financial impact, work around available
Role of Project Managers
The biggest cyber threat is simply complacency. Sometimes we simply neglect to implement best practices such as:
- Creating a security policy
- Educating employees
- Putting software protection in place
- Encouraging sensible cyber-security practice
- Reviewing security policies every so often
Assets are what we, as owners, protect. As a project manager, you should be aware of the threats and challenges to your project's assets. A deliberate, targeted attack or an opportunistic one can affect multiple devices and halt production until it is rectified. The graphic below shows the concept of a system resource, or asset, that users and owners wish to protect.
At an organizational level, the following are a few recommendations for maintaining a safe internet environment:
- Mandate that C-level executives (CEO, CFO, etc.) experience a Red Team assessment (adversarial testing of security policies)
- Implement an approach and culture of least privilege, granting each user the minimal rights, or lowest clearance level, needed to perform their role
- Employee training, measurement and continuous improvement
- Use multi-factor authentication and identity and access management, and protect privileged accounts
- Prepare and implement a cyber incident plan
- Test the effectiveness and efficiency of restoration as part of the backup and recovery plan
- Correlate, monitor and audit security logs
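The last recommendation, correlating security logs, is easiest to see on a concrete case. The following is an added example, not code from the original presentation, that reads authentication log lines and flags the pattern behind credential reuse and password guessing mentioned earlier: a burst of failed logins from one source address followed by a successful login from the same address. The log lines are constructed for the demonstration (they loosely follow the OpenSSH sshd format, with an ISO timestamp in place of the usual syslog date), and the threshold and time window are assumptions to be tuned per environment.

```python
"""Added example (not code from the original presentation): correlate
authentication log lines to flag a likely credential attack. Log lines are
constructed; the threshold and window are assumed values."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches e.g. "2024-03-01T09:00:01 web1 sshd[1201]: Failed password for
# invalid user admin from 203.0.113.7 port 40122 ssh2"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

# Constructed sample: one guessing burst that ends in a success, and one
# ordinary user who mistyped a password once and logged in later.
SAMPLE_LOG = """\
2024-03-01T09:00:01 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
2024-03-01T09:00:03 web1 sshd[1203]: Failed password for root from 203.0.113.7 port 40124 ssh2
2024-03-01T09:00:04 web1 sshd[1205]: Failed password for deploy from 203.0.113.7 port 40126 ssh2
2024-03-01T09:00:06 web1 sshd[1207]: Failed password for deploy from 203.0.113.7 port 40128 ssh2
2024-03-01T09:00:07 web1 sshd[1209]: Failed password for deploy from 203.0.113.7 port 40130 ssh2
2024-03-01T09:00:09 web1 sshd[1211]: Accepted password for deploy from 203.0.113.7 port 40132 ssh2
2024-03-01T09:05:00 web1 sshd[1300]: Failed password for alice from 198.51.100.4 port 51000 ssh2
2024-03-01T09:30:00 web1 sshd[1400]: Accepted password for alice from 198.51.100.4 port 51002 ssh2
"""


def parse_events(text: str) -> list:
    """Turn matching log lines into dicts, sorted by time. Non-auth lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ok": m["result"] == "Accepted",
            "user": m["user"],
            "ip": m["ip"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def find_suspicious_logins(events: list, max_failures: int = 5,
                           window: timedelta = timedelta(minutes=5)) -> list:
    """Alert on a success preceded by >= max_failures failures from the same
    source address within the window. Thresholds are assumed values."""
    failures = defaultdict(list)  # ip -> [(timestamp, username), ...]
    alerts = []
    for e in events:
        # Drop failures that have aged out of the correlation window.
        recent = [(t, u) for t, u in failures[e["ip"]] if e["ts"] - t <= window]
        failures[e["ip"]] = recent
        if not e["ok"]:
            recent.append((e["ts"], e["user"]))
        elif len(recent) >= max_failures:
            alerts.append({
                "ip": e["ip"],
                "user": e["user"],
                "failures": len(recent),
                # Several distinct usernames from one source suggests spraying
                # rather than a single forgetful user.
                "users_tried": sorted({u for _, u in recent}),
            })
            recent.clear()
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_logins(parse_events(SAMPLE_LOG)):
        print(alert)
```

In a real deployment the same correlation would run across every host's logs in a central store, since an attacker who spreads attempts over many servers never trips a per-host threshold; that is the reason the recommendation says correlate rather than just collect.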
Cyber resilience is this new paradigm: the ability to operate business processes in normal and adverse scenarios without adverse outcomes, while reducing customer harm, reputational damage and economic loss. It balances risks and opportunities and relies on people, processes and technology. Resilience, as defined by Presidential Policy Directive PPD-21, is the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions. While information security is the rule of today, cyber resilience is the priority of the future.