Cybersecurity has been a matter of global concern for more than several years. The amount of effort that businesses spend on protecting their data is increasing each year. Statistics fall in line with this trend - according to Gartner, global security investments will reach $133.7 billion in 2022.
Business owners, however, aren’t the only ones who should invest in reforming the cybersecurity. Every team member shares the responsibility for data safety, but most importantly, project managers should pay careful attention to security threats and trends.
Let’s take a look at must-know cybersecurity essentials for project managers and go over practical protection measures that can be applied immediately. We share practical hacks from the leaders of the industry and collect unique insights.
Cybersecurity essentials every project manager should know
A project manager has to deal with the essential aspects of project planning and implementation.
Integrate Security at Every Stage
- Defining project requirements on security: a project manager is responsible for determining, documenting, and managing client’s needs and requirements to meet project objectives. What’s more, taking into account additional requirements about security is more essential than ever.
- The technical stage: a project manager outlines the cycle of the project, determining which objectives are first, second, and third priorities and how much time will be invested to achieve each of them. After priorities have been determined, a project manager maps out the project’s execution, determining specific activities that lead to meeting a particular goal.
- Resources: a project manager must compare if the outline plan is realistic and can be achieved with the available means. This includes budget estimation, team management, time management, and risk evaluation.
- Final estimates: the results of this research are presented in the final documents where the end vision of the process is outlined, with precise time- and budget-restricted objectives for delivery.
Security plays a vital role at each stage of project management. All of these steps involve collecting and storing sensitive data, and they also heavily rely on available data. If some of this information would be breached, it would put a considerable strain on all project management processes. Hence, the project manager needs to assure that essential security measures are in place before even moving to the first stage.
Data Security is Serious
Assuring data security is a serious step that is, in fact, a project on its own. It’s a long-term investment that will pay off during the next projects, and should never be put off. Just like in a regular project, you need a clear understanding of what you are dealing with.
We suggest that project managers start by requesting a consult form a company’s financial expert. You need to have a precise ROI that would measure your success in implementing safe practices. Also, it’s good to bring a professional IT development team to the table, so they can walk you through their practices of implementing security in projects.
This preparative stage consists of 4 simple steps:
- Calculate the potential financial effects of a security problem. Break a term of security breach down to clearer categories like phishing, virus, DDOS, and others. You can rely on your competitors’ experience and the company’s previous security records.
- Determine possible channels through which your team could get exposed. Internet connection, email, voice calls, messengers, file transfers, file servers, website data, CRM databases - take into account all potentially valuable sources of sensitive data.
- Calculate the essential security costs. Lay out basic security measures that have to be implemented and assign an average cost to each activity.
- Calculate the final ROI.
For instance, you can analyze a possibility in which your project might get infected by the virus. Start by determining the time expenses of dealing with a problem and count how much profit the company lost during that time. For data breaches, take into account reputation damage and the cost of publicity that you would have to create to address public concern.
You can learn the most flexible practices from Scrum and Agile development methodologies and approach security management like a Scrum project. This means, constant communication with team members, multiple project iterations, and clear goals at each step.
Focus on Security at Every Level
In IT or any technology-related projects, cybersecurity is an essential factor that you should take into account. It’s no wonder, then, that there are different levels of corporate IT security. Let’s take a closer look at security areas in IT below:
- General security: this area is in charge of registration and authentication safety, access management, attack prevention, and fire safety;
- Infrastructure security entails the protection of corporate devices and media files, system hardening, and intrusion detection. Here, a project manager considers the ways to prevent the issues rather than dealing with existing ones.
- Communication safety verifies the security of email communication, remote work, instant messengers and voice calls.
- Wireless security - a project manager makes sure that all wireless communication and file transfer, used in the development process, comply with the best security practices.
- Cryptography - all data on the project should be encrypted, as well as confidential communication materials;
- Operational safety - implementing security guidelines and must-use policies for the entire team to follow.
That’s why before you move to the first stage of project management, you have to assure that all levels of security have been protected.
After you’ve determined clear safety objectives and ROIs for each security level, it’s time to move to a risks assessment stage.
Potential Risks Assessment
Your team’s risks heavily depend on the nature of the project and the sources of exposure. Two main variables determine possible threats.
On one hand, you need to analyze and calculate how much data you are storing on your company’s servers and understand what type of data is - financial information, client data, or internal organization files, etc.
On the other hand, you need to sum up all potential exposure sources. The rule of thumb, the more devices and online communication channels you use, the higher the risks that one of them may be penetrated are. However, it shouldn’t lead you to think that using one storage for all files is a better idea - this way, you’ll be practically directing cybercriminals to the only storage of all information. The impact of such a breach would, therefore, be much higher.
So, centralization is not a solution. Instead of decreasing the number of user devices and storage, you should research possible risks and be aware of all used data sources.
The most common areas of security exposure:
- Online transactions - if you work in e-commerce, your clients have to enter their credit card data, connect to banking providers, and provide sensitive personal data. This information has a high value for a cybercriminal and, therefore, requires special protection measures, such as encryption and hashing.
- B2B transactions - this type of financial interaction is especially dangerous because it exposes not just data of one person, but the entire company. The impact of such an attack is exceptionally high.
- Remote cooperation - if you cooperate with remote developers, testers, or any kind of outsourcing providers, you have to ensure that all communication files and transferred data are stored safely.
Project logs provide valuable inside information on access, data storage, confidential data, and market details. If a file, transferred from one employee to another, is hacked in the process, the team risks losing access to the project or having a cybercriminal altering the course of development.
Email communication can be severely endangered by phishing. Malware links and frauds might soon be powered by AI-algorithms and language processing patterns. This means fake emails from bots will look realistic, possibly, even copy the tone of voice of another team member.
To avoid this threat, an employee should know what kind of communication protocols to follow in case an email seems suspicious. You can have an alternative mailbox for each employee - it can be used whenever a team member suspects that the mailbox was compromised. Also, keep track of what kind of files can be attached to emails and Skype messages, and what data should be transferred via secure encryption software.
Our favorite tools for safe file transfer are:
- pCloud Crypto - a cloud transfer service for file encryption and backup.
- Enigmail - an email encryption plugin, developed by a Firefox plugin that encrypts and stores backup copies.
- LastPass - a log-in service that allows people to access online services without demonstrating the password. The login credentials are protected with an SSL-connection.
These tools create a secure environment for fine transfer, authentication, and email encryption and can substitute traditional mail providers.
It’s a responsibility of a project manager to ensure that the team is well aware of security threats and knows how to face potential risks. Here’s our list of three essential practices that can be implemented right away, and which make a drastic difference in digital security.
- Incorporate security training into your onboarding activities
Each new employee should receive guidance on best security practices. A manager should discuss how is the communication conducted, where to store and how to transfer files, and what to do if an employee suspects a data breach.
- Update security policies
Your team should be accustomed to using a security policy - a set of rules that describes all activities related to online security. This policy should describe registration, authentification, internal communication, interactions with clients, VPN usage, and teach employees how to spot a potentially dangerous page.
- Use a learning management system
Cybersecurity should be recognized by your company like a hard skill, and employees should feel rewarded for mastering the competencies. To keep track of their learning practices, conduct all security educational activities in a digital learning system - a platform for education planning and management. You can use software like TalentLMS, Moodle, or eFront - these are popular learning platforms for automation and personalization of the learning processes.
Cybersecurity is an ever-changing field, but its essentials remain crucial to business owners and product managers. Basic security measures like communication encryption or employee training have been safety cornerstones for more than 10 years, and these practices have proven effective.
Of course, project managers should strive to use the benefits provided by AI, machine learning, blockchain, and big data. Each of the stages described in our guide can be enhanced by smart algorithms that would provide tangible data and intelligent insights.
However, the main transformation is not technical, but a mental one. The first step to establishing a secure development environment is understanding the security risks and benefits of digital safety and outlining a clear transformation plan. From that point on, project managers can and should use technology to enhance their vision.
Anna Zvada is the Senior Project Manager at DDI development. Anna is a capable, self motivated individual who has exposure to delivering a lot of projects within tight timeframes and to budget. Creative approaches to project management is her passion.