Globally, the number of cyberattacks increased 25 percent last year, according to PwC. Four of the 10 largest data breaches in the history of the Internet, exposing 823 million records, occurred just last year, according to the Open Security Foundation and Risk Based Security. That’s about one-third of the total number of records ever compromised—in only 12 months.
“It’s no longer a matter of if your cybersecurity defenses will be compromised at some level—it’s when,” says Bradley J. Schaufenbuel, PMP, director of information security at Midland States Bank, Effingham, Illinois, USA.
The onslaught of attacks carries a hefty price tag. The annual cost of cyberattacks globally ranges from US$80 billion to US$400 billion, according to the Center for Strategic and International Studies. In 2012, breaches cost the affected companies in the United States an average of US$5.4 million each; Germany, US$4.8 million; Australia, US$4.1 million; and England, US$3.1 million, according to a Ponemon Institute report.
Business leaders are on the counterattack. An increasing number of projects focus on building robust data defenses: From 2012 to 2013, spending on IT security increased 51 percent, according to the PwC survey. There’s another clear indicator that cybersecurity has business leaders’ attention: the increased budget share devoted to data-security initiatives. The percentage of the average IT budget earmarked for security jumped 8.5 percent last year, from 4.7 percent to 5.1 percent, according to Gartner. Worldwide, data-security spending will jump 8.6 percent this year to US$72.6 billion, Gartner forecasts.
As project practitioners spearhead initiatives to fend off cyberattacks, their methods must be just as sophisticated as those of the hackers.
“A project manager responsible for rolling out a software system has to think about more than just how to use the system or what it can do,” says Kelly Bissell, global cybersecurity leader, Deloitte, a PMI Global Executive Council member. “You have to think about cybersecurity. It’s both ‘How do we use this system correctly?’ and also ‘How could a user use the system in a bad way?’”
Organizations with the strongest security models must prioritize collaboration among business units over mere compliance, according to a McKinsey survey of 200 enterprises, technology vendors and government agencies. The resulting checklist can help top teams as they rethink cybersecurity and green-light IT projects and programs.
- Prioritize information assets by business risks. Most organizations lack full insight into the information they need to protect, the survey found.
- Differentiate protection by the importance of assets. Assigning levels of controls allows management to concentrate on the most strategic information.
- Integrate security deeply into the technology environment to achieve scale. Security isn’t an add-on to existing projects and programs—it’s something to be kept front of mind by all employees.
- Deploy active defenses to uncover attacks proactively. Teams can aggregate and model new information to spot potential attacks.
- Test continuously to improve response plans. Running ongoing trainings for teams responsible for diverse functions can sharpen their ability to meet breaches.
- Engage frontline personnel to aid their understanding of valuable information assets. The biggest vulnerabilities are often email and everyday Internet use.
- Incorporate cyber resistance into enterprise-wide risk management and governance processes. Assessments of cyberattack risks must be integrated into the organization’s broader risk analysis.
Like all project managers involved in cybersecurity projects, Mr. Schaufenbuel takes a global view of the problem: “We’re no longer dealing with lone wolves, but with highly sophisticated criminal syndicates and even rogue governments with access to vast amounts of resources, intelligence and talent,” he says.
At his bank, Mr. Schaufenbuel led a three-month project aimed at thwarting account-takeover attacks. The malicious software behind these attacks wasn’t embedded within the bank’s network, but rather in customers’ home computers. The attackers stole customers’ login credentials or hijacked their active online banking sessions and then attempted to transfer money from their accounts.
As part of the project, Mr. Schaufenbuel’s team deployed behavioral analytics-based software that learned to separate normal activity from suspicious activity. That software, combined with related processes that alerted users and locked accounts, has led to dozens of blocked attacks and millions of U.S. dollars in savings each year.
It’s no coincidence that such a pernicious cyber-attack—and such an effective project to counter it—took place in the financial sector. Hackers are concentrating their efforts where the money is: Almost 20 percent of all infections happen in financial services, according to security firm FireEye. That’s particularly true in the United States where, in 2013, 49 percent of the attacks reported and 67 percent of the records exposed occurred, according to the Open Security Foundation and Risk Based Security. The other sectors with the highest infection rates globally are education, energy, healthcare and telecommunications.
Financial scammers now act with the savvy of a master con artist as well as the skill of an insider. The old threat was a hacker stealing whatever he or she could find, but the new one is “someone who understands company operations and processes and where the vulnerabilities are,” says Mr. Bissell, Atlanta, Georgia, USA. “That means the security personnel need to be more sophisticated as to what we defend against.”
It also means that project practitioners must learn lessons from their adversaries, who are evolving quickly to break through project leaders’ defenses. Phishing attacks have grown more dangerous: more targeted, patient and well-constructed.
“There’s been a distinct shift in the behavior of cybercriminals” in the last year, says Peter Sparkes, director of managed security services for Asia Pacific and Japan at security firm Symantec. Hackers are “more patient and have tightened their targeting and sharpened their social engineering. They’ve moved from a ‘spray and pray’ model to a ‘low and slow’ approach.”
“This is going to get worse before it gets better, because cybercrime has gone pro,” says Stu Sjouwerman, CEO of cybersecurity firm KnowBe4, based in Clearwater, Florida, USA.
Learning from the hackers will help project practitioners ensure that their defenses get better sooner: “We’re beginning to share threat intelligence and to pool resources—just like the cyber-criminals do,” Mr. Schaufenbuel says.
While recent breaches at large corporations such as Target and Neiman Marcus have grabbed the headlines, smaller does not mean safer. The average impact of a targeted attack on a small or medium-sized business in 2013 was US$92,000, according to security firm Kaspersky Lab.
“The bad guys are businesspeople, too; they go after the lowest-hanging fruit,” Mr. Sjouwerman says.
Some executives have come to understand that fact—especially in the financial sector. Banks “have seen the light,” Mr. Sjouwerman says.
Small and medium-sized U.S. banks have been forced to the forefront of the cyberwars. “Five years ago, the concern was an individual sitting in his basement sending out viruses for a prank, and the response was blocking and tackling—firewall and antivirus,” says Marc Crudgington, PMP, vice president of information security for Woodforest National Bank, The Woodlands, Texas, USA. “Now there are sophisticated criminals and state-sponsored groups trying to disrupt online banking sites and commit serious fraud. Therefore the strategies we employ in response have evolved tremendously as well.”
The first step in that evolution, Mr. Schaufenbuel says, is culture. There’s been a substantial strategic shift at his bank and within the financial services sector in general, as management acknowledges the severity of the threat and has made enterprise risk management, including cybersecurity, a priority. Now, Mr. Schaufenbuel gives security briefings at board meetings, and some of the bank’s board members proactively attend cybersecurity conferences aimed specifically at directors.
Woodforest National Bank is in the final stages of a two-year project aimed at complying with the Payment Card Industry Data Security Standard (PCI DSS), the standard that the card brands, including Visa and American Express, impose on organizations that handle cardholder information. Part of the project involved deploying software and other tools that track all card data leaving the bank’s network and protect cardholder data. Early in the deployment-testing process, Mr. Crudgington’s team identified a problem: some credit and debit card data was being cached within the web browsers of Woodforest workstations. The team changed the process so that the cache is cleared whenever the browser is closed, and at least weekly. The complementary control on the application side is to have any page that displays card data send a Cache-Control: no-store header, so that the browser never writes that data to disk in the first place.
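The cached-card-data finding above is easy to reproduce and to check for. The following is an added example, not Woodforest’s tooling and not code from the original article: it scans a browser-cache dump for primary account numbers (PANs), uses the Luhn checksum to discard look-alike digit runs such as order references and phone numbers, masks what it finds the way PCI DSS requires for reports, and checks whether a page’s response headers would let a browser store card data at all. The HTML fragment and the two header sets are constructed for the example; the card numbers are the standard Visa and American Express test PANs.

```python
import re
from typing import Dict, List

# Candidate PANs: 13 to 19 digits, optionally separated by single spaces or dashes.
# The lookarounds stop a match from starting or ending inside a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812): every second digit from the right is doubled,
    products above 9 have 9 subtracted, and the total must be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> List[str]:
    """Return digit-only PANs found in text that pass the Luhn check.
    Order numbers and phone numbers of the same length almost never pass it."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found

def mask(pan: str) -> str:
    """PCI DSS masking for display and reports: at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def audit_cache(text: str) -> List[str]:
    """What a workstation audit should report: masked PANs, never the full number."""
    return [mask(p) for p in find_pans(text)]

def browser_may_store(headers: Dict[str, str]) -> bool:
    """True if the response headers would let a browser write the body to its disk cache.
    Pages that render card data should send Cache-Control: no-store, so that a cache
    found on a workstation cannot contain them regardless of when it is cleared."""
    cc = headers.get("Cache-Control", "").lower()
    directives = {d.strip() for d in cc.split(",")}
    return "no-store" not in directives

# Constructed sample: a fragment of a card-management page as a browser might cache it.
SAMPLE_CACHE = """
<tr><td>Card on file</td><td>4111 1111 1111 1111</td></tr>
<tr><td>Order ref</td><td>1234567890123</td></tr>
<tr><td>Contact</td><td>555-0100-2014</td><td>txn 378282246310005</td></tr>
"""

# Constructed header sets: the first is typical of a page that never considered caching.
WEAK_HEADERS = {"Content-Type": "text/html", "Cache-Control": "private, max-age=0"}
HARDENED_HEADERS = {"Content-Type": "text/html",
                    "Cache-Control": "no-store, no-cache, must-revalidate",
                    "Pragma": "no-cache"}

if __name__ == "__main__":
    for masked in audit_cache(SAMPLE_CACHE):
        print("PAN in browser cache:", masked)
    print("weak headers cacheable:", browser_may_store(WEAK_HEADERS))
    print("hardened headers cacheable:", browser_may_store(HARDENED_HEADERS))
```

Running the scanner over a real profile directory is a matter of feeding each cache file’s text to audit_cache; the point of the header check is that a page which sends no-store gives the scanner nothing to find.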
Mr. Crudgington views the PCI-compliance project as an opportunity to beef up Woodforest’s security, rather than merely to comply with regulations. He’s taken some PCI-mandated changes, such as hardening the server environment related to PCI, and applied the new standards to all of Woodforest’s servers, including those not affected by the regulations.
“Just because you’re PCI compliant doesn’t mean you’re secure,” says Mr. Crudgington, pointing out that Target was PCI compliant prior to its massive 2013 data breach. “You’ve got to look at making sure you’re protected against the attacks of tomorrow, rather than just doing the minimum to meet regulatory requirements.”
Mr. Crudgington has also overseen a project that implements fraud-prevention tools based on behavioral analytics—an effort aimed at recognizing suspicious activity within the bank’s networks. That way, even when hackers get inside, their work can still be identified and remediated.
“If someone targets and attacks long enough, you’ll get breached. Once that happens, the question is how quickly you react,” Mr. Crudgington says. “These tools are designed to shorten the period between infiltration and detection.”
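The behavioral-analytics controls described at Midland (customer banking sessions) and at Woodforest (activity inside the bank’s network) share one core: learn what is normal for each account, then score each new action by how far it departs from that baseline. The following is an added example of that core, not the vendors’ products and not code from the article. It builds a per-user profile from constructed sample events, scores three live events, and holds only the one that combines a new device, a new location, a new payee and an amount far outside the customer’s history; a single unfamiliar factor, such as a customer logging in from a new state, stays below the alert line. The field names, the 4.0 threshold and the sample data are assumptions for illustration.

```python
import math
from collections import Counter
from typing import Dict, List, Tuple

CATEGORICAL = ("device", "geo", "payee")   # assumed event fields; real feeds carry many more

class UserProfile:
    """Per-user baseline: value frequencies for categorical fields, mean and spread of amounts."""

    def __init__(self) -> None:
        self.n = 0
        self.counts = {f: Counter() for f in CATEGORICAL}
        self.amounts: List[float] = []

    def learn(self, ev: Dict) -> None:
        self.n += 1
        for f in CATEGORICAL:
            self.counts[f][ev[f]] += 1
        self.amounts.append(ev["amount"])

    def rarity(self, field: str, value: str) -> float:
        # Laplace-smoothed probability of this value for this user, reported as -log(p):
        # a habitual value scores near zero, a never-seen value scores highest.
        k = len(self.counts[field]) + 1
        p = (self.counts[field][value] + 1) / (self.n + k)
        return -math.log(p)

    def amount_sigma(self, amount: float) -> float:
        """How many standard deviations this amount lies from the user's history."""
        if len(self.amounts) < 2:
            return 0.0
        mean = sum(self.amounts) / len(self.amounts)
        var = sum((a - mean) ** 2 for a in self.amounts) / (len(self.amounts) - 1)
        std = math.sqrt(var) or 1.0
        return (amount - mean) / std

    def score(self, ev: Dict) -> Tuple[float, List[str]]:
        """Sum of rarities plus a damped term for extreme amounts, with readable reasons."""
        score, reasons = 0.0, []
        for f in CATEGORICAL:
            score += self.rarity(f, ev[f])
            if self.counts[f][ev[f]] == 0:
                reasons.append(f"new {f} {ev[f]}")
        z = self.amount_sigma(ev["amount"])
        if z > 3.0:
            score += math.log1p(z - 3.0)
            reasons.append(f"amount {z:.0f} sigma above baseline")
        return score, reasons

def detect(history: List[Dict], live: List[Dict],
           threshold: float = 4.0) -> Dict[str, Tuple[float, List[str]]]:
    """Learn baselines from history, then return {event id: (score, reasons)} for live
    events scoring at or above threshold. The threshold is tuned per deployment."""
    profiles: Dict[str, UserProfile] = {}
    for ev in history:
        profiles.setdefault(ev["user"], UserProfile()).learn(ev)
    flagged = {}
    for ev in live:
        prof = profiles.get(ev["user"])
        if prof is None:   # no baseline yet: step up authentication rather than guess
            flagged[ev["id"]] = (math.inf, ["no baseline for user"])
            continue
        s, why = prof.score(ev)
        if s >= threshold:
            flagged[ev["id"]] = (s, why)
    return flagged

# Constructed sample events (not real bank data): one row per online-banking action.
HISTORY = [
    {"user": "alice", "device": "dev-A1", "geo": "US-IL", "payee": "electric-co", "amount": 120.0},
    {"user": "alice", "device": "dev-A1", "geo": "US-IL", "payee": "rent-llc",    "amount": 90.0},
    {"user": "alice", "device": "dev-A1", "geo": "US-IL", "payee": "electric-co", "amount": 130.0},
    {"user": "alice", "device": "dev-A1", "geo": "US-IL", "payee": "rent-llc",    "amount": 110.0},
    {"user": "alice", "device": "dev-A1", "geo": "US-IL", "payee": "electric-co", "amount": 100.0},
    {"user": "alice", "device": "dev-A1", "geo": "US-IL", "payee": "rent-llc",    "amount": 125.0},
    {"user": "bob",   "device": "dev-B1", "geo": "US-TX", "payee": "water-co",    "amount": 60.0},
    {"user": "bob",   "device": "dev-B1", "geo": "US-TX", "payee": "water-co",    "amount": 65.0},
    {"user": "bob",   "device": "dev-B1", "geo": "US-TX", "payee": "water-co",    "amount": 55.0},
    {"user": "bob",   "device": "dev-B1", "geo": "US-TX", "payee": "water-co",    "amount": 62.0},
]
LIVE = [
    {"id": "e1", "user": "alice", "device": "dev-A1", "geo": "US-IL", "payee": "electric-co", "amount": 130.0},
    {"id": "e2", "user": "bob",   "device": "dev-B1", "geo": "US-CA", "payee": "water-co",    "amount": 58.0},
    {"id": "e3", "user": "alice", "device": "dev-X9", "geo": "UA-30", "payee": "mule-acct",   "amount": 9500.0},
]

if __name__ == "__main__":
    for eid, (s, why) in detect(HISTORY, LIVE).items():
        print(f"{eid}: score={s:.2f} -> hold transfer, notify customer; reasons: {', '.join(why)}")
```

The reasons list is what the alerting and account-lock processes act on; a customer notification that says which device and location looked wrong is far easier to confirm or dispute than a bare score.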
In addition to launching initiatives that react to real or potential breaches, data-security project teams also test their ability to respond to threats that might happen in the future. Both Woodforest and Midland are part of the Financial Services Information Sharing and Analysis Center, through which U.S. financial institutions share information about attacks. The center regularly launches projects that simulate attacks so member organizations can test their ability to defend themselves.
Project teams can’t just tend to their own defenses, however. They also must consider the data security of the contractors with whom they work. For example, the attackers behind the Target breach got into the retailer’s network with credentials stolen from a heating-and-cooling-systems vendor.
“If somebody wants to hack a military contractor, they’ll attack the law firm instead. They go after the soft underbelly,” says John Simek, vice president of Sensei Enterprises Inc., a digital forensic IT and information security firm in Fairfax, Virginia, USA.
For project contractors and vendors, “the scope and time are both limited,” Mr. Crudgington says. “You don’t just get our standard access policy and elevated privileges. If the project is only for two weeks, access is provided for two weeks and limited to only what is needed.”
Mr. Crudgington’s security team adjusted its protocols to pare back system access for contractors. In addition, contractor accounts follow their own naming convention, so Woodforest can tell at a glance whether a given network event comes from a contractor account.
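Time-boxed, least-privilege contractor access of the kind Mr. Crudgington describes is easy to get wrong in the details: an account created for a two-week job that nobody ever expires, or one that quietly ends up in an administrators group. The following is an added example, not Woodforest’s scripts and not code from the article. It generates a contractor account name under an assumed ctr- prefix, ties the expiry to the project length, audits a constructed account export for policy violations, and uses the naming convention to pull contractor activity out of constructed log lines, including activity by an account whose grant should already have ended. The prefix, group names, policy ceiling, accounts and log lines are all assumptions for illustration.

```python
import re
from datetime import date, timedelta
from typing import Dict, List, Tuple

CONTRACTOR_PREFIX = "ctr-"                               # assumed convention: ctr-<vendor>-<person>
MAX_CONTRACTOR_DAYS = 90                                 # assumed policy ceiling for any one grant
ELEVATED = {"domain-admins", "server-admins", "dba"}     # assumed groups never given to contractors

def _slug(s: str) -> str:
    return re.sub(r"[^a-z0-9]", "", s.lower())

def contractor_username(vendor: str, person: str) -> str:
    """Account name that identifies the contractor relationship in every log line it touches."""
    return f"{CONTRACTOR_PREFIX}{_slug(vendor)}-{_slug(person)}"

def provision(vendor: str, person: str, project_days: int, groups: List[str], start: date) -> Dict:
    """Record a provisioning script would create: named by convention, only the groups the
    project needs, expiry equal to the project length and never beyond the policy ceiling."""
    if not 1 <= project_days <= MAX_CONTRACTOR_DAYS:
        raise ValueError(f"project length {project_days} days outside 1..{MAX_CONTRACTOR_DAYS}")
    bad = ELEVATED & set(groups)
    if bad:
        raise ValueError(f"elevated groups not allowed for contractors: {sorted(bad)}")
    return {"user": contractor_username(vendor, person), "groups": list(groups),
            "expires": start + timedelta(days=project_days), "enabled": True, "contractor": True}

def audit(accounts: List[Dict], today: date) -> List[Tuple[str, str]]:
    """Policy check over an account export, returned as (user, finding) pairs."""
    findings = []
    for a in accounts:
        u = a["user"]
        if not u.startswith(CONTRACTOR_PREFIX):
            if a.get("contractor"):
                findings.append((u, "contractor account without ctr- prefix; activity not attributable"))
            continue
        if a["expires"] is None:
            findings.append((u, "no expiry date"))
        elif a["expires"] < today and a["enabled"]:
            findings.append((u, "expired but still enabled"))
        if ELEVATED & set(a["groups"]):
            findings.append((u, "member of an elevated group"))
    return findings

LOG_USER = re.compile(r"\buser=(ctr-[a-z0-9-]+)")

def contractor_activity(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Lines attributable to contractor accounts, picked out by the naming convention alone."""
    out = []
    for line in log_lines:
        m = LOG_USER.search(line)
        if m:
            out.append((m.group(1), line))
    return out

def activity_after_expiry(accounts: List[Dict], log_lines: List[str], today: date) -> List[str]:
    """Contractor accounts seen in the logs after their grant ended: a finding to escalate."""
    expired = {a["user"] for a in accounts
               if a["user"].startswith(CONTRACTOR_PREFIX) and a["expires"] and a["expires"] < today}
    return sorted({u for u, _ in contractor_activity(log_lines) if u in expired})

# Constructed sample data; names, dates and addresses are invented for the example.
TODAY = date(2014, 9, 15)
ACCOUNTS = [
    provision("Acme HVAC", "J. Smith", 14, ["vpn-contractors", "hvac-mgmt-ro"], date(2014, 9, 8)),
    {"user": "ctr-globex-lee", "groups": ["vpn-contractors"], "expires": date(2014, 8, 1), "enabled": True},
    {"user": "ctr-initech-wu", "groups": ["vpn-contractors", "server-admins"], "expires": None, "enabled": True},
    {"user": "pgibbons", "groups": ["vpn-contractors"], "expires": None, "enabled": True, "contractor": True},
]
LOG = [
    "2014-09-15T02:13:07Z vpn login user=ctr-acmehvac-jsmith src=203.0.113.7",
    "2014-09-15T02:14:22Z file read user=pgibbons path=/finance/q3.xlsx",
    "2014-09-15T02:20:41Z ssh login user=ctr-globex-lee host=db-prod-01",
]

if __name__ == "__main__":
    for user, finding in audit(ACCOUNTS, TODAY):
        print(f"{user}: {finding}")
    print("contractor activity after expiry:", activity_after_expiry(ACCOUNTS, LOG, TODAY))
```

The audit and the log check are deliberately separate: the first catches a policy gap before it is used, the second catches the case Mr. Crudgington’s naming rule exists for, where an event has already happened and the question is whose account it was.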
The bank’s many security projects have realized their intended benefits, Mr. Crudgington says. “We track thousands of network events each month. Due to our security posture, the seriousness with which employees take security, and executive and board support, we have been fortunate to avoid any major breaches.”
The Police, Not the Army
In April, Finnish security firm Codenomicon discovered a vulnerability in OpenSSL, the open-source encryption library behind a large share of secure Internet traffic; a Google security researcher found the same bug independently at about the same time. The flawed code had shipped in OpenSSL releases for more than two years, and hackers could have exploited the vulnerability, called Heartbleed, to read chunks of a server’s memory, which could contain private keys, session cookies and passwords. Not only did security pros miss the bug, but there’s no evidence that hackers noticed it before it was disclosed, either.
It may have taken more than a year to discover the vulnerability, but once news of the bug was released, project managers around the world flew into action.
One affected organization was AffinityLive, a software company based in San Francisco, California, USA. Its development team was working on a tight product-development deadline when it learned about the Heartbleed vulnerability. Rather than wait for approval, the team decided to halt all work on the vital product-development project and instead make patching Heartbleed its top priority.
“The team made a decision, and it was a defensible decision,” says Geoff McQueen, AffinityLive’s founder and CEO.
It was also the right decision, he adds. Given the green light to focus fully on the bug, the AffinityLive team patched its Heartbleed vulnerability in only 90 minutes, resulting in a delay for the product-development project of less than a day. Patching the library is the first step of a complete Heartbleed response rather than the last: because the bug could have exposed private keys, session cookies and passwords before the patch went in, affected organizations also needed to reissue certificates and keys and invalidate existing sessions and credentials.
The Heartbleed saga offers a crucial lesson for organizations launching data-security initiatives and the project managers overseeing them, according to Ari Takanen, co-founder and chief research officer of Oulu, Finland-based Codenomicon, the firm that discovered the Heartbleed bug.
“There are two sides to security. Yes, there’s deflecting, blocking and defending, but the other side is that you can also build robust, reliable software that cannot be attacked,” Mr. Takanen says. More attention must be paid to “blocking those small holes in the product, rather than building the walls in front,” he says.
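Heartbleed, described above, is a concrete case of the small hole Mr. Takanen means: the TLS heartbeat handler in OpenSSL copied as many bytes as the peer’s length field claimed, without checking that the received record actually contained that many. The following is an added example written for this page in Python rather than C, and it is a simulation, not OpenSSL’s code. It models process memory as a byte string, runs a malicious heartbeat request (two bytes of payload, a claimed length of 42) through a handler with the original logic and through one with the bounds check the fix added, and shows that only the first hands back the bytes lying beyond the record. The private-key text is a constructed stand-in for whatever happens to sit next to the record in memory.

```python
import struct
from typing import Optional

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16            # a heartbeat message ends with at least 16 bytes of random padding
HEADER = 1 + 2          # type byte plus 16-bit big-endian payload length

def build_heartbeat(payload: bytes, claimed_len: int) -> bytes:
    """Heartbeat body: type | payload_length | payload | padding. An honest peer sets
    claimed_len = len(payload); the attack sets it larger than the payload it sends."""
    return struct.pack("!BH", HB_REQUEST, claimed_len) + payload + b"\x00" * PADDING

def vulnerable_handler(memory: bytes, rec_off: int, rec_len: int) -> Optional[bytes]:
    """Original logic: trust the length field and copy that many bytes from the payload
    start, never comparing it with rec_len, the size of the record actually received."""
    hbtype, payload_len = struct.unpack_from("!BH", memory, rec_off)
    if hbtype != HB_REQUEST:
        return None
    start = rec_off + HEADER
    payload = memory[start:start + payload_len]        # runs past the record when payload_len lies
    return struct.pack("!BH", HB_RESPONSE, payload_len) + payload + b"\x00" * PADDING

def fixed_handler(memory: bytes, rec_off: int, rec_len: int) -> Optional[bytes]:
    """Patched logic (OpenSSL 1.0.1g): header, claimed payload and padding must all fit
    inside the received record, otherwise the message is dropped silently."""
    if rec_len < HEADER + PADDING:
        return None
    hbtype, payload_len = struct.unpack_from("!BH", memory, rec_off)
    if hbtype != HB_REQUEST:
        return None
    if HEADER + payload_len + PADDING > rec_len:
        return None
    start = rec_off + HEADER
    payload = memory[start:start + payload_len]
    return struct.pack("!BH", HB_RESPONSE, payload_len) + payload + b"\x00" * PADDING

# Constructed neighbour of the record in the toy memory image; in a real process this
# could be key material, session cookies or another client's request.
SECRET = b"-----BEGIN RSA PRIVATE KEY-----\nMIIE..."

def run(handler, payload: bytes, claimed_len: int) -> bytes:
    """Place the request in a toy memory image just before SECRET, call the handler, and
    return the payload it echoed back (empty if the handler dropped the message)."""
    request = build_heartbeat(payload, claimed_len)
    memory = request + SECRET + b"\x00" * 64
    response = handler(memory, 0, len(request))
    if response is None:
        return b""
    _, n = struct.unpack_from("!BH", response, 0)
    return response[HEADER:HEADER + n]

if __name__ == "__main__":
    print("vulnerable:", run(vulnerable_handler, b"hi", 42))
    print("fixed:     ", run(fixed_handler, b"hi", 42))
```

The fix is a single comparison, which is the point: no firewall or intrusion-prevention system in front of the server would have seen anything wrong with a well-formed TLS record, and the only place the hole could be closed was in the code.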
The emphasis on robust, hardened software reflects a broader trend within data-security projects. Traditional data-security controls were geared primarily toward keeping intruders out of the company network. Picture an ancient walled city, protected by an army that stood at the gates watching for threats. That’s how firewall, antivirus, intrusion-detection and intrusion-prevention systems function. Those are cornerstone controls, but they don’t constitute a comprehensive strategy, because they’re relatively ill-equipped to deal with an attack that succeeds in penetrating the outer defenses.
“For the last few years, organizations have focused on building their army but not the internal controls—the police,” says Lawrence Pingree, cybersecurity research director for Gartner, Livermore, California, USA. “Organizations assumed attackers would never get beyond the border, even though it’s inevitable that at some point, they will. We’re talking about the lesson of the Trojan horse from ancient Greece.”
It’s time to move beyond that notion, according to Mr. Bissell: “There are no IT walls anymore. Your data is in the cloud, it’s on the mobile phone and the iPad, and it’s with that vendor you’ve hired to perform a service. The problem is, security hasn’t always evolved that way. The company has to adopt a flexible architecture that’s geared toward devices and relationships and vendors.”
That shift is welcome news for project managers, whose multifaceted teams are often globally dispersed and reliant on cloud computing and mobile devices. Those are core technologies for modern project teams but have been slow to win the affection of IT personnel attempting to keep an organization’s internal network as secure as a fortress.
Mr. Bissell recommends brokering a compromise. He suggests that multidisciplinary cybersecurity teams not only involve non-IT team members to reflect the market, but also have weekly cybersecurity conference calls. And he advises project managers to demonstrate that they’re serious about security concerns.
“Historically, if I was a project manager deploying new software, I cared about features and functions, making sure a task gets done, and I really didn’t think about cybersecurity at all,” Mr. Bissell says. “Today, we need to transform the way we think about operations to include cyber. It’s not just the security guys’ job; it’s about business operations.”
If a team member can access project data through a smartphone or tablet, then that device is a prime target for attackers. “We have a large appetite for mobile gadgets and data consumption, and the lines between business and personal use of these mobile devices have blurred,” Mr. Sparkes says. “What is alarming is that users aren’t recognizing the importance of safeguarding their mobile devices.”
One solution some project teams have deployed is an additional security control: two-factor authentication. This requires team members to present two independent proofs of identity before logging in: not only a password (something they know), but also a physical device they own (something they have) or a biometric (something they are). A stolen password is then no longer enough on its own, because the attacker would also need the device or the biometric. The second factor should live somewhere other than the device that holds the password; a one-time code delivered to the same unlocked laptop or phone adds little if that machine is the one that is stolen.
“We have to say now that we can’t trust any password or device, but we can still trust the users themselves,” says Andrew Kemshall, co-founder and technical director of SecurEnvoy, Reading, England.
However, as the cyberwars have made clear, no defense is impregnable. So in addition to upgrading their cyberdefense tools and strategies, project managers are factoring data-security concerns into their project risk assessments.
A project’s data-security risks “should be addressed from day zero” and then continuously revisited, says Anass El Alaoui El Bahi, PMP, senior IT project manager for Moroccan broadcaster Société Nationale de Radiodiffusion et de Télévision, Rabat, Morocco. He recommends factoring the risk of a breach into a project’s overall risk-breakdown structure and developing controls accordingly.
Mr. Schaufenbuel takes a philosophical stance: “This is destined to be an eternal game of cat and mouse. I never cease to be amazed at the ingenuity of my foes, but I do believe it’s possible for us to reach a stalemate.”
PM NETWORK SEPTEMBER 2014 WWW.PMI.ORG