Boo! You Aren't Paranoid if the Hackers Really ARE Out to Get You

by Jeannette Cabanis-Brewin

... and, make no mistake, they are out to get you, and your organization.

October was National Cybersecurity Awareness Month (a month that should really be twelve months long) and I've been surveying the news and tips on the issue. There are a lot of them, commensurate with the importance of paying attention to what might happen, instead of just going along, la-la-la, until a crisis hits. (We can see how that worked out with the pandemic.)

Here are a few high points:

  • Increase online privacy measures. Protect online accounts by implementing multifactor authentication and using strong passwords. Refrain from accessing banking information or making online purchases when connected to an unsecured public network, especially when using work computers.
  • Stay secure while WFH. As more employees work virtually during the COVID-19 crisis, they must be vigilant about internet scams and online fraud. Avoid sharing business information with unfamiliar parties or over unsecured networks. Keep the security software on business devices up to date, because only one employee needs to be compromised for an entire organization to experience a data breach.
  • Use social media responsibly. Social media can allow scammers and cybercriminals to target you. Do not accept friend requests or click links in messages from strangers. Refrain from posting personal information.

For more online safety tips, visit BBB.org, and go to CISA.gov to learn more about National Cybersecurity Awareness Month. And, as an added thing to worry about ... Election Day. Scientific American has a rundown of all the ways that hackers can compromise electronic voting.

The above tips are important for everyone who uses a computer. But those in the project management arena have an even greater responsibility. Project managers, even if outside the IT function, often possess access to sensitive organizational information, from plans and budgets to schedules, security or disaster preparedness information, and the like. Although there isn't a knowledge area for cybersecurity in the project management body of knowledge ... maybe there should be!

Last year at the PMI Global Conference I happened to sit down next to a fellow who has made it his mission to be sure that project managers are up to speed on cybersecurity, first within his own organization, and then more broadly, throughout the profession. Kishen Sridharan, PMP, CSM, is Cybersecurity Partnership & Outreach Executive in the Office of the CISO at investment firm Raymond James. I touched base with him last week, to get his views on why project managers need cybersecurity training.

Kishen Sridharan: “It is critical, especially for technical project managers, to have cybersecurity training. For any technical implementation, security considerations need to be properly evaluated, addressed, and incorporated into requirements upfront. It is a long-standing fact that security requirements incorporated in an implementation cost less than security requirements thought of and implemented afterwards.”

He offered the following examples of cybersecurity knowledge that project managers must possess:

  • Determining the level of encryption necessary for data movement within an application’s ecosystem and beyond.
  • If data encryption is required, identifying where in the architecture the data must be “encrypted” and “decrypted”.
  • Implementing a multifactor authentication (MFA) solution, and knowing the different types of MFA solutions in order to determine which is appropriate for the implementation. Single-factor authentication solutions are no longer acceptable.
  • Knowing DevSecOps environment provisioning models and the archetypes associated with each model, so that the implementation’s architecture conforms to the archetype.
  • Helping promote secure coding in the execution phase of the project, so that unnecessary and preventable vulnerabilities are not introduced into the production environment.
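The MFA point in the list above is the one a project manager can most easily see demonstrated end to end. The following is an added example written for this page, not code from the original article or from Raymond James: a minimal login check that compares a single-factor (password-only) decision with a two-factor decision that also requires a time-based one-time code (TOTP, RFC 6238, the scheme used by common authenticator apps). The user record, the password, the fixed timestamps and the PBKDF2 password hashing are all constructed assumptions for the demo; the TOTP seed is the public RFC 6238 test key, so the generated codes can be checked against the RFC's own test vectors.

```python
import base64
import hashlib
import hmac
import os
import struct

# Assumption for the demo: PBKDF2-HMAC-SHA256 stands in for whatever
# password hashing the real identity store uses.
PBKDF2_ROUNDS = 200_000
TOTP_STEP_SECONDS = 30

# Public RFC 6238 test key "12345678901234567890", base32-encoded.
RFC6238_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash: the stored value does not reveal the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user(password: str, totp_secret_b32: str) -> dict:
    """Constructed identity record: salt, password hash and enrolled TOTP seed."""
    salt = os.urandom(16)
    return {"salt": salt,
            "pw_hash": hash_password(password, salt),
            "totp_secret": totp_secret_b32}


def totp(secret_b32: str, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: HOTP with the counter = floor(time / 30s)."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", unix_time // TOTP_STEP_SECONDS)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                         # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps to tolerate clock drift.

    Older codes are rejected: a code captured by a phisher an hour ago is useless.
    """
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, unix_time + drift * TOTP_STEP_SECONDS)
        if hmac.compare_digest(expected, code):    # constant-time comparison
            return True
    return False


def check_password(user: dict, password: str) -> bool:
    return hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])


def authenticate_single_factor(user: dict, password: str) -> bool:
    """What 'single factor' means in practice: a leaked password is a full login."""
    return check_password(user, password)


def authenticate_mfa(user: dict, password: str, code: str, unix_time: int) -> bool:
    """Both factors are evaluated; a phished password alone does not get in."""
    password_ok = check_password(user, password)
    code_ok = verify_totp(user["totp_secret"], code, unix_time)
    return password_ok and code_ok


def demo() -> dict:
    """Constructed scenario: the attacker holds the user's password but not the phone."""
    password = "correct horse battery staple"        # assumed demo password
    user = make_user(password, RFC6238_SECRET)
    now = 1234567890                                 # fixed time from the RFC 6238 vectors
    fresh_code = totp(RFC6238_SECRET, now)           # what the authenticator app shows now
    stale_code = totp(RFC6238_SECRET, 59)            # a code captured long ago
    return {
        "single_factor_with_stolen_password": authenticate_single_factor(user, password),
        "mfa_with_stolen_password_only": authenticate_mfa(user, password, "000000", now),
        "mfa_with_stale_code": authenticate_mfa(user, password, stale_code, now),
        "mfa_with_both_factors": authenticate_mfa(user, password, fresh_code, now),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'ALLOWED' if allowed else 'denied'}")
```

The design choices are the ones a project manager should expect to see in a review: the second factor is checked even when the password is wrong (so timing does not leak which factor failed), comparisons use `hmac.compare_digest`, and the acceptance window is small so a captured code expires within about a minute. A real deployment would add replay protection (never accept the same code twice in a window) and rate limiting on failed attempts.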

I'll leave you with this quote from an article in Forbes:

Because of our daily interaction with connected devices, computers, smartphones, and tablets, it’s important that everyone - from the CEO and software developers to suppliers and employees - be aware. Everyone can play an important part in keeping information safe.