The cyber security basics project managers need to know

by Alex Bennett / 4/5/2017 2:44:52 PM

Cyber crime now makes up a massive 40% of all recorded criminal incidents and more organisations are breached every day. Considerable attention is given to security best practices in fields like software development, but project managers are in danger of being left behind.

Project managers that fail to learn the basics of cyber security will unknowingly open their organisations to malicious criminals. These are the cyber security basics project managers need to know.

Protect your data at all times

The average cost of a data breach has hit £3.2million and experts now predict 2017 will be the worst year yet for these catastrophic hacks.

Every project will require the management of data and it must always be protected. Because breaches are so costly, project managers must consider the value of the data their working with and what would happen if it were stolen.

For example, when working with highly sensitive data, like contract or payroll records, good security is crucial.

Your data should be protected with encryption, well-established as one of the most effective methods of protection. Encryption transforms ‘plaintext’ data into a coded form known as ciphertext, making it inaccessible to cyber criminals, even if they get access to your systems.

Data should be encrypted across devices, including laptops, portable hard drives and your phone. 25% of all mobile devices encounter a threat every month and removable media is a common route for the introduction of malware into businesses.

In the event of a hack on your encrypted data, there’s a good chance the information will be safe. But encryption is no excuse for lazy cyber security, especially with GDPR on the horizon.

When the EU General Data Protection Regulation becomes law in May 2018, you might be caught out as organisations invest more heavily in data security. If your organisation’s data is exploited (potentially as a result of your project), you can expect fines of up to £17m under GDPR.

The cloud is not (always) secure

Cloud storage brings additional challenges to the security of your data. And it’s not just your IT team that deals with cloud security. File-sharing tools, like Dropbox, are cloud services too and they’re not always secure.

In 2016, a huge cache of personal data containing the usernames and passwords of roughly 70 million Dropbox users was discovered online. The lesson is clear: you can’t rely on third party services to secure your project’s sensitive data.

Strong passwords and 2-step verification

If businesses are relying on you to manage projects safely, you’ll need to align with cyber security best practices, or risk opening their sensitive data and systems to criminals.

Strong passwords -- which use unrelated words, varying text cases and symbols -- are essential at a time when hackers use powerful brute force tools to quickly ‘guess’ thousands of default variations in seconds.

According to analysis of 10m passwords made public in data breaches in 2016, more than half were the same 25 weak passwords – like ‘12345’ and ‘qwerty’.

If you’re hired to lead a project, you’ll likely receive business logins. But if you don’t secure your email address using a strong password, hackers could use brute force techniques to easily access your client’s logins and gain access to the business network.

Managing dozens of strong passwords can be a drag, but by using password managers, like LastPass or Password Agent, you can effectively store your passwords behind a strong encryption wall.

Plus, go a step further and add two-factor authentication to your sensitive accounts. The most common form of two-factor authentication (2FA) requires users to submit a password and a code sent separately to a connected mobile device.

The result: a cyber criminal will need your phone, as well as your password, to gain access to your accounts. If your business email is hacked remotely, this will protect your client’s sensitive data from being exploited by hackers.

BYOM (Bring Your Own Malware)

BYOD (bring your own device) is the use of employee-owned mobile devices, like tablets and smartphones, to access business networks or content.

It’s common to bring your own device to work and you probably make good use of it, especially with external clients. But project managers may not realise the cyber security risks that come with BYOD.

Businesses can manage their devices but they have little control over personal devices. This is a potentially massive cyber security risk as it’s tough to prevent non-employees accessing potentially sensitive data on the device, or securing data on devices that are lost and longer accessible (e.g. employee resignation).

Infected personal devices can also bypass an organisations security, allowing malware into the business. The solution is to register all BYOD devices to a secure network and bar unauthorised devices until they can be scrutinised by the IT team.

Project managers must be aware of these potential vulnerabilities and consult their IT teams to ensure good cyber security. As a general rule, don’t take your work home with you if you can’t guarantee it’s safety.

If you do bring your work home with you, be sure to use a VPN (virtual private network) to transfer your private data safely across external networks.

Secure VPNs are essential for remote-working employees as they encrypt information as it travels, meaning it can’t be hijacked en route by cyber criminals. Chances are, your organisation already uses a VPN. If not, more information can be found here.

Cyber security is your responsibility too

Cyber security is everyone’s responsibility, but you can’t assume everyone you’re working with realises this.

Other members of your organisation may ultimately be responsibility for security, but they may not actually possess a vested interest in the security of your project. In large companies, they may not even realise the existence of your project!

Plus, if you’re working in a new environment, it’s important to know who’s on your team and who’s sharing data across the business. By limiting privileges, you’ll prevent hackers from privilege escalation vulnerabilities that access data in bulk.

Whilst it’s likely that your project will be protected by whatever security measures are already in place, there’s no guarantee of this. As such, project managers should get in contact with the relevant security professional to educate them regarding the security requirements of their projects.

You can’t assume everyone you’re working with understands the need for data protection or the potential consequences of a ransomware infection. Educate and inform your team, the customer and senior management.

If you aren’t heard, nothing will be done and you may unknowingly be risking the safety of your entire organisation. If something goes wrong, you could face the blame for leading an unsecure project.

What next?

Project managers are not expected to be security experts. However, by aligning with best-practices in every phase and process of a project, project managers have the opportunity to deliver their projects securely.

For a more detailed look at the cyber security principles project managers must understand, take a look at the “Security Best Practices for IT project managers” whitepaper from SANS.

Alex is a technical writer for Firebrand Training. Working at the forefront of the IT training industry, Alex uses his insider knowledge to write regularly on IT security, networking and cloud technology.