By Brad Egeland
I recently posted some predictions for project management in 2016. One thing I didn't cover was cybercrime and cybersecurity. Cybercrime grew in public awareness and concern between 2014 and 2015, and there seems to be no let-up if the number of articles and alerts about it is any indication.
Every year I attend the digital security conference in Las Vegas known as Black Hat USA. It's a hacker's dream conference with many briefings and demonstrations of the greatest digital and technological assaults from the past year. To say it's impressive is an understatement.
Not being anything close to a hacker myself - just a very interested bystander at this event - I've learned one thing for certain: ANYTHING can be hacked. Nothing is sacred - not even medical devices…even the ones inside a person's body - and the hackers are always going to be one or two steps ahead of patches and anti-hacking policies and actions taken by organisations.
We react and fix, but they're already plotting the next intrusion.
So, in terms of project management, what's in store for 2016? Are our projects and data at greater risk than they were in 2015? Are we taking necessary precautions to prepare for these risks? Can we - or do we even know - what they might be?
Let's dive into answering these questions:
What's in store for 2016?
My immediate answer is, "Who knows?" I don't have a crystal ball. It's like the terrorist activity going on in the world right now. Following Paris, and then San Bernardino in the US, I felt that London was the next obvious target for terrorist activity. That recently turned out to be the case - though on a smaller and non-deadly scale. But it's nearly impossible to predict unless you happen to be part of the organisations monitoring the Deep Web and social media activity for terror alerts. The same is true of trying to predict cybersecurity breaches.
It's harder to predict the next cybersecurity breach than the next earthquake or volcanic eruption. But we can be at least partially prepared through our own dedicated risk planning and management. We cannot cover everything, but we can plan for how we will go into disaster recovery mode. We can plan how we will respond to our customers' concerns and needs.
Are our projects and data at greater risk than they were in 2015?
In my opinion, from what I'm seeing around us and at conferences, the answer is a definite yes. Hackers and cybercriminals are always looking for their next targets. Sometimes for fun, sometimes for monetary gain.
If you're a big target with valuable data, you could be next. If you're a small organisation and your data has little monetary value, then you're probably safe - for now. But a small organisation whose customer data is compromised runs the risk of going out of business, because customers who no longer feel secure take their business elsewhere.
Are we taking necessary precautions to prepare for these risks?
Probably not. As stated above, we should - at a minimum - be planning for cybercrime events as part of our risk management and deciding how we will react. We should check and re-check our data backup processes and offsite data recovery options, so that we can carry on should a site or location become compromised or unusable. This is costly, yes, but it can be done at a higher organisational level in a way that's applicable to all projects.
In other words, do it once and do it right. Use that plan for all projects going forward until a particular attack renders it unusable. Then go back to the drawing board. Use national and international business and industry security breach events as learning moments and opportunities.
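"Check and re-check" a backup process means more than confirming the job ran: the copy has to be verified against what was written, and a restore has to be tested. The following is an added example, not code from the original post or any backup product; the manifest format, the function names and the sample files are assumptions made for the illustration.

```python
# Added example (not from the original post): a minimal backup manifest plus
# verification and restore-test routines. The manifest layout (manifest.json
# with a SHA-256 per file) and the function names are assumptions for this
# example, not any specific product's format.
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "manifest.json"


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: Path, dest: Path) -> dict:
    """Copy every regular file under src into dest and record each copy's SHA-256."""
    manifest = {}
    for p in sorted(src.rglob("*")):
        if p.is_file():
            rel = p.relative_to(src).as_posix()
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, target)
            manifest[rel] = sha256_of(target)  # hash the copy, not the source
    (dest / MANIFEST).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(dest: Path) -> list:
    """Return a list of problems (missing or altered files) found against the manifest."""
    manifest = json.loads((dest / MANIFEST).read_text())
    problems = []
    for rel, digest in manifest.items():
        p = dest / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_of(p) != digest:
            problems.append(f"corrupt: {rel}")
    return problems


def restore_test(dest: Path, restore_to: Path) -> list:
    """Restore the backup to a scratch location and verify it there.
    A backup that has never been restored is a backup you cannot rely on."""
    shutil.copytree(dest, restore_to)
    return verify_backup(restore_to)


def demo() -> tuple:
    """Constructed sample data: back up two small files, verify, test-restore,
    then silently alter one backup copy to show the check catching it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, dest, scratch = root / "data", root / "backup", root / "restore"
        src.mkdir()
        (src / "customers.csv").write_text("id,name\n1,Example Customer\n")
        (src / "notes").mkdir()
        (src / "notes" / "readme.txt").write_text("constructed sample data\n")
        make_backup(src, dest)
        clean = verify_backup(dest)
        restored = restore_test(dest, scratch)
        # Simulate bit-rot or tampering in the backup copy.
        (dest / "customers.csv").write_text("id,name\n1,Tampered\n")
        after_tamper = verify_backup(dest)
        return (len(clean), len(restored), after_tamper)


if __name__ == "__main__":
    print(demo())  # (0, 0, ['corrupt: customers.csv'])
```

One caveat worth building into the real process: here the manifest sits beside the backup, so anyone who can alter the backup can rewrite the manifest to match. Keep a copy of the manifest (or a signed version of it) somewhere the backup job cannot write to, and run the restore test on a schedule rather than only after an incident.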
Can we - or do we even know - what they might be?
Again, probably not. But as we become more aware, and create policies and possibly even our own cybersecurity infrastructure within our organisations, we can set up repeatable processes and actions that can be taken across all projects and for all incidents.
We need to be aware of the criminal world around us in terms of digital security. Do we need a digital security team in our organisation? Probably. Do we need to hire an expert? Possibly, though many organisations are growing their own talent while they can still stay a bit ahead of the game.
If you aren't handling highly sensitive data at the moment, then I recommend growing your own security talent from within, using the skilled people you already have who are familiar with your business processes and client needs. Start it off as a project with a project manager and a team. The end result can be a two- or three-member internal cybersecurity team and department.
Whatever you do, complete inaction isn't the answer. While you cannot know what cybersecurity threats lie ahead, you can and should be proactive.
What about your organisation? Are you currently taking specific measures to prevent data breaches on the projects you manage and the customer and internal data you handle? Have you experienced a significant cybersecurity incident? Please share and discuss.