From Ransomware to Mobile Malware: Emerging Cybersecurity Risks
Transcript
STEVE HENDERSHOT
The modern digital world is built on data—data collection and storage, data analysis and insight—and also appropriate data sharing. It’s incumbent on every organization to keep its massive amounts of data, much of it personal, safe from outside attacks.
That last part is turning out to be quite the challenge, and it’s the reason why project teams around the world are increasingly focused on cybersecurity initiatives.
NARRATOR
The world is changing fast. And every day, project professionals are turning ideas into reality—delivering value to their organizations and society as a whole. On Projectified®, we’ll help you stay on top of the trends and see what’s ahead for The Project Economy—and your career.
STEVE HENDERSHOT
This is Projectified®. I’m Steve Hendershot.
Data breaches hit organizations hard—the global average total cost of a data breach in 2022 was 4.35 million U.S. dollars, according to IBM Security. But that price tag only begins to describe what’s at stake as organizations strive to protect their data. When a company gets hacked, not only is it costly to repair the immediate damage, but there’s also a deeper cost as partners and customers lose faith in that company’s ability to safeguard sensitive information.
So organizations are getting the message, having project teams take steps to bolster cybersecurity against myriad threats from bad actors, such as ransomware extortion, cloud security breaches and mobile malware. Today, we’re speaking with a couple of project leaders involved in those efforts. We’ll start in Singapore. Projectified®’s Hannah LaBelle spoke with Gordon Yan, vice president and IT project manager for cybersecurity projects at OCBC Bank.
MUSICAL TRANSITION
HANNAH LABELLE
Hi Gordon, thanks so much for talking with me today. Let’s start our discussion with threats and responses. What are the biggest cyber threats you’re seeing in your sector, and how is it changing the projects financial services or banking organizations are pursuing?
GORDON YAN
In the context of Singapore, and particularly in the banking industry in the past few years, phishing scams and impersonation scams are the most rampant and damaging cybercrimes that we have seen happening every day.
The regulators have put in more requirements on cybersecurity. For example, in all the banks in Singapore, the real-time payment system allows a user to add recipients immediately and make instant payments after adding that recipient. And because of these phishing scams, a cooling period was imposed by the regulator only in [the] last year, so there was a trade-off between convenience and cybersecurity. As [for] what we have seen, and maybe in the next few years, continued investment in cybersecurity from the public and private sector is still going strong, and cybersecurity is needed to [go] against cyber criminals and threat actors.
HANNAH LABELLE
So how is your organization responding to these threats and regulation changes? Are you seeing a greater focus on or more resources being put toward cybersecurity projects?
GORDON YAN
From the enterprise level, the bank has put up a solid and comprehensive cybersecurity program, and one level down is the cyber defense roadmap defined by our information security office colleagues. Based on this roadmap, we defined the potential gap areas, the new capabilities that we need to uplift ourselves against cyber threats, and also, at the cultural and employee awareness level, the cybersecurity tooling to uplift ourselves against cyber threats. And in terms of funding and resourcing, definitely there’s more emphasis on investment into cybersecurity projects. We need a lot of resources in order to deliver the projects over a short time frame. One way is to hire 1,500 tech staff from 2022 to 2025, so quite a number of them would be working on tech-related and cyber-related projects.
HANNAH LABELLE
As we’re talking about responding to changes, what role does artificial intelligence (AI) play in all this? Some teams use AI for threat detection, but as we see more AI tools become available, what does that mean for potential threats?
GORDON YAN
Oh, yes. There’s a rise of AI in the IT area, and for cybersecurity, it can be an opportunity or a potential threat—so it’s either a friend or a foe. On the one hand, AI can help cybersecurity [professionals] do a lot of low-level security monitoring, so that it can reduce a lot of manpower and resources. We can concentrate on more high-skilled cyber defense tasks and jobs. However, on the other hand, we’re also seeing AI being used in these impersonation scams because AI can talk to humans, understand humans better and impersonate [them] better. Phishing scams are also going up with the introduction of AI. So to me, it’s a double-edged sword. The whole IT industry is fast-growing, so, likewise for cybersecurity, we need to keep up to speed to defend and safeguard the interest of the organization and customers in that space.
HANNAH LABELLE
OK, now let’s talk about a cybersecurity project you’ve led at OCBC Bank. Walk me through it. What was the project’s goal?
GORDON YAN
In our cybersecurity project, although we are delivering for our stakeholders in the cybersecurity office, we are, like any other project, under close and comprehensive scrutiny by cybersecurity assessment. And also because of the nature of cybersecurity projects—which are different from global banking, global payment and trading platforms—we are touching the foundation of everything.
For this particular project, we are deploying some agents into our environment so that we can use a vendor off-the-shelf product to do continuous surveillance of our environment to find out whether there’s any security gap, to pick up any weakness. When we come to cybersecurity tooling, it’s agent-based, just like our antivirus and data loss prevention agents. It is privileged, quite powerful. It can do a lot of harm when it is compromised. That’s why a lot of evidence gathering from the vendor is required in order to satisfy our stakeholders, to satisfy our security assessment officers that this product is good to be launched and good to go live.
HANNAH LABELLE
So how do you manage the risk that comes with these types of projects? Do you have cybersecurity or risk experts that you consult throughout the project?
GORDON YAN
For all our projects run in OCBC Bank, we have a TISO officer from the technology information security office. They have developed a framework of [a] questionnaire, [which] depends on the technology type we deploy to the bank. It comes with more than 100 questions. Some of them in fact originated from the regulators. So we need to answer them with details. Most important are the evidence and artifacts, so they are also subject to [an] audit later. In order to get [that] information, one way is to get [it] directly from the vendor, ask them to show us the evidence. The other way is for our own project engineers to get into the system to check and find out. We have a lot of discussions with our vendor because OCBC Bank is quite risk-averse, and our risk appetite could be different from other customers. So we still demand the detailed level of evidence to satisfy our own security assessment posture.
HANNAH LABELLE
When you’re looking at a project like this, what was your project management approach? Would you say that you tailor it based on the initiative?
GORDON YAN
In the past few years, most of my cybersecurity projects or infrastructure projects have been delivered using the waterfall approach. However, we adopt some agile good practices, like a definition of done and minimum viable product. I think that’s quite useful in our project delivery, as I mentioned earlier that cybersecurity projects are touching the foundation, and the deployment, the change impact, usually is to all end users, or all the endpoint servers, so the impact is quite wide. It is quite important along the way that we define what’s the definition of done, deliver the capability, maybe onboard a certain number of users and systems, then record the success of the project.
HANNAH LABELLE
As a financial institution, customers are looking for a place they can trust to keep their information and their money safe. Did the project we talked about affect customer trust? And how does communicating successful cybersecurity projects and programs further build that trust with customers?
GORDON YAN
One or two projects alone aren’t good enough to address the cybersecurity risk. They form a part of a wider cybersecurity program, and it includes a number of functional areas. This particular project gives more confidence and capability to our colleagues in the cybersecurity office, but a more rock-solid and comprehensive cybersecurity program on the enterprise level can then reduce the level of enterprise and financial risk and safeguard the customer and shareholder value and trust. That isn’t really very direct and transparent to the customers, but the cybersecurity investment and awareness the bank has put in, the continuous effort in tackling the risk, [is] always communicated and made known to the public—maybe from there, the customer can see the bank’s effort. They have more confidence and trust in the bank in the long run.
MUSICAL TRANSITION
STEVE HENDERSHOT
There has been a lot of talk, including on Projectified®, about how the rise of AI could change people’s jobs, but here’s another angle: Cybercriminals can also use AI applications or chatbots to help with attacks, and that could be a huge headache for cybersecurity teams. Projectified®’s Hannah LaBelle spoke about that and other emerging cyber risks and trends with Mateusz Jasny, cybersecurity director at IT solutions company Comarch in Krakow, Poland.
MUSICAL TRANSITION
HANNAH LABELLE
Mateusz, thanks for joining me today. So, to start us off, when it comes to the cybersecurity threat landscape, what are the biggest threats organizations have to consider?
MATEUSZ JASNY
This really depends on industry, size, your geographic location, but APTs, so advanced persistent threats—from a cybersecurity perspective, the bad guys that are organized criminals—I think that’s one of the biggest threats currently. And more and more, I would say professionalization of threat actors, so they just operate like a regular business [and] have big budgets to attack and to basically earn money on stolen data. But also, I would call it specialization in the market.
And I think quite recently the advances in artificial intelligence, especially ChatGPT, now it’s much easier just to prepare the attack, prepare phishing emails, prepare malware or analyze some software in order to find vulnerabilities in it. So, basically, it’s easier and easier to perform more and more advanced attacks.
HANNAH LABELLE
How is that changing the projects that companies are pursuing now and as they’re moving forward, seeing all of this advancement?
MATEUSZ JASNY
From the perspective [of] organizations that choose what projects to pursue, in my opinion, it’s all about flexibility. It’s about the agility. Basically, if it normally takes you a year or half a year to prepare a new security control or to introduce [a] new process or change the process, it’s too long. You need to really work on your agility and flexibility. And you need to think about the architecture of your enterprise and the software that actually supports the processes.
HANNAH LABELLE
Given all of these increased threats, have you seen your organization putting a greater focus on cybersecurity, whether that’s in terms of resourcing or the number of projects that you’re leading or pursuing?
MATEUSZ JASNY
Yes, indeed. But I would say that [it’s] not just [the] organization I work for, but almost everywhere. It’s changing really, really fast. For example, everyone’s afraid of data breaches. A few years ago, it was [a] big headline in the news that some organization lost their data. Now, it’s just every day. So nowadays, everyone needs to really put more budget, more people to protect that.
But also, there’s the other side—the regulators. They also introduced a lot of new laws like GDPR [General Data Protection Regulation] we have in Europe. And now, especially because of the fines you can get for [non]compliance or for data breaches, it’s certainly serious. So it has really changed the landscape of what’s done.
HANNAH LABELLE
When it comes to these types of projects, how are you and project leaders working to identify and mitigate any risks when you’re leading these cybersecurity efforts?
MATEUSZ JASNY
This is a good question, but when I think about this, I don’t see things that are really different from the typical projects we do. One of the interesting things that maybe [is] more cybersecurity related—it’s [the] threat-modeling process. We try to answer the following questions: Who potentially is interested in doing something bad to our projects or to the result of our projects? And then we are thinking [about] what their motives are. And then we need to have some, of course, technical diagrams, but it also can be done without really deep technical knowledge to model the system or something that will be delivered by the project. And then we can answer how the different parts of the systems are interconnect[ed], especially how the systems can be compromised. So it’s a really good technique to find the potential risk to the results of the project.
HANNAH LABELLE
So, Mateusz, what skills or technical knowledge do project managers need to lead cybersecurity projects and programs?
MATEUSZ JASNY
I think that’s the never-ending discussion—if someone who leads the project needs to be an expert or have some specific skills in that area. I came from the more project management world, process management through more compliance projects, and then went into directing cybersecurity. So in my opinion, you have to have this cybersecurity literacy. You need to know the basic things like what’s the confidentiality, how [to] protect your data, what are the threat actors for your projects—things like that you need to know.
You need to have this access to the cybersecurity experts for sure and have this kind of knowledge to know what questions to ask and to understand the answers, especially [to] be able to provide the answers on your own.
HANNAH LABELLE
So these project managers need to have some sort of literacy around cybersecurity, but they also need to be able to work with cybersecurity experts or even law experts as they’re looking at projects for different regions with different laws and regulations they need to follow. So would you say when it comes to specific power skills, like collaborative leadership, are those important along with that literacy?
MATEUSZ JASNY
Yeah, because our projects go through the whole company as we work across all possible stakeholders. So yes, there’s a lot of communication, facilitation skills needed. Of course, talking with IT—and cybersecurity’s not IT also—and especially talking with businesspeople. Salespeople are also important because at the end of the day, they need to also understand and be able to, at least on some level, answer customers’ questions about the cybersecurity posture of their organization, how the data will be protected. So, yep, I would say the facilitation and collaboration skills are really important here.
HANNAH LABELLE
Before we end our discussion, let’s look ahead—what will cybersecurity projects and programs look like in the next couple of years?
MATEUSZ JASNY
For sure, it will be faster and faster—new initiatives, the new threats, and having the agility for the organization to react [in a] more vigilant way. Because, for example, if there is a vulnerability in the software, first the company that provides the software gets the information and then works to provide the patch for the software. And then comes the moment where it’s announced—there’s a new patch. And then the clock starts because the cybercriminals also got the announcement, and they’re also starting to analyze these patches just to weaponize them, to use them in a different way. In previous times, the time was counted in months. Now it’s counted in days or even hours before the new cyber threat comes from such things, just like the patching. A lot of automation, artificial intelligence may be some kind of answer here.
HANNAH LABELLE
Mateusz, thank you so much. This has been a great conversation. I really appreciate you talking with me today.
MATEUSZ JASNY
Thank you.
NARRATOR
Thanks for listening to Projectified®. If you like what you heard, please subscribe to the show. And leave a rating or review—we’d love your feedback. To hear more episodes of Projectified®, visit Apple Podcasts, Google Play Music, Stitcher, Spotify or SoundCloud. Or head to PMI.org/podcast.