04 October at 07:00AM
Cyber Security Risks and Best Practices
Cybersecurity is becoming an increasingly important consideration for project managers and organizations alike. In June, PMI Toronto heard from leading cybersecurity specialists in both the public and private sector during an engaging virtual discussion about cyber security risks and best practices at the project manager, organizational, and individual level.
Meet Our Guest Speakers
The members of this panel included Robert Knight, Duncan Kwok, and Christopher MacPhee.
Robert Knight has over forty years serving as an Officer in the Canadian Armed Forces. He has been a part of the Corps of Communication and then served as a public servant at the Communications Security Establishment specializing in cyber security. He has led many multi-million dollar projects and operations that include the implementation of mission critical electronic warfare capabilities and the development of state-of-the-art cyber sensors and operations cells.
Duncan Kwok has over ten years of experience within cyber security. He has specialized in cloud security, IAM, application security, and cryptography throughout his career while working for organizations such as Scotiabank, 2Keys, and Thomson Reuters. Duncan has extensive knowledge in security automation, orchestration, and integration, which he has displayed while leading high-performance teams. He is a Zero Trust Security expert.
Christopher MacPhee has over thirteen years of experience in the technology and cyber security fields. His strong offensive security knowledge was developed through his experience in SIEM development, application security, threat and vulnerability management, penetration testing, Red Team activities, and incident response. Christopher has gained his experience through his roles with KPMG and TD Canada Trust. He has led many teams including Red Teams, Cyber Rangers, and Breach Simulation Attack platforms.
Discussing Cyber Security
Together, Robert, Duncan, and Christopher answered a series of questions about how to keep projects, organizations, and individuals safe from cyber attacks and new risks. The group provided insight into strategies that can be employed to enhance cyber security, pointed out potential risks to project and organizational safety, and outlined suggestions on how to raise awareness in organizations. They also pointed to resources that project managers can use to increase the cyber security of their projects. It is important to integrate cyber security measures at the start of every project and to build them into all of its phases. Prevention, according to the panel, is the most effective form of insurance.
Highlighted below are some key questions and responses from the panel.
What are the biggest IT issues and risks that you see in the near future?
The panel highlighted ransomware and Log4j vulnerabilities as the greatest new threats to cyber security. Log4j is an open-source logging framework that software developers use to record data from within their applications.
Ransomware is a type of malware that, if it gains access to an organization’s systems, can steal and publish personal data or permanently block access to data or information until a ransom is paid to the attackers. Ransomware attacks have held large organizations, such as hospitals, oil and pipeline operators, and banks, hostage in the past. While some simple ransomware may lock systems without damaging any files, more advanced malware can damage or delete valuable data or information.
The second threat discussed, Log4j vulnerabilities, is quickly replacing ransomware as the most prevalent risk to security.
Ultimately, a cybersecurity risk is anything that can gain unauthorized access to organizational data. To prevent these risks, the panel highlighted that the best practice is to build security and safety in at the onset of the project. If this is not possible or is not done effectively, another best practice identified was to integrate safety measures where vulnerabilities occur and to have some kind of sensing system that monitors the network for breaches and can alert the Information Technology (IT) team immediately when a breach occurs.
What are some best practices to prevent security threats at the individual level?
Employees are often the largest threat to system security. Often employees don’t want to admit when they have made a mistake or don’t think it is important to report a suspicious email. To overcome this threat, the panel highlighted the importance of building a culture in which employees are comfortable sharing information and communicating with others about potential risks. Employees should not be afraid of talking to their peers if they receive a suspicious email or aren’t sure about something on their computer. If still uncertain, employees should be encouraged to search online or contact their IT help desk or specialist as soon as possible.
How can organizations raise awareness about cyber security threats for internal staff or externally for the public?
The panel shared four ways of increasing employee awareness.
1. Regular assessment of employees’ knowledge.
> Sending fake ‘phishing’ emails can help employees understand what they do not know and can help IT teams understand their employees’ need for training.
2. Comprehensive training
3. Increase employee engagement in training with gamification and competition between or within organizations.
> This can help make training fun and increase the likelihood of cybersecurity being taken seriously.
4. Have a cyber awareness literacy team
> This can increase awareness of cyber security, and the team can act as ambassadors within the organization. Together the team can host Lunch & Learns, create job aids, and share knowledge to create a culture of cyber security within the organization. The team can collect data and complete outreach activities to meet the immediate needs of the organization.
What are your biggest lessons learned in the past 2 years regarding cyber security?
Chris shared that as he transitioned into a governance type of role, his views on the importance of checklists have changed. Checklists are often neglected or thought of as not helpful in enhancing cyber security. With his gained understanding of their importance, Chris has been able to enhance the benefit of their use and to implement them effectively into business operations.
Duncan’s largest lesson learned related to the alert systems that organizations use to notify IT specialists of any potential breaches of security. When the alert criteria are not narrow enough and various benign events are raised as alerts, the IT team can suffer from alert fatigue, which happens when employees become numb to the alerts and can result in an important alert being missed. His advice was to ensure that the alert criteria are set up so that only critical risks come through as alerts.
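The two points above, a sensing system that alerts the IT team when something happens and alert criteria narrow enough to avoid fatigue, can be shown side by side in code. The following is an added example, not code from the panel or from PMI Toronto: a broad rule that raises one alert per failed login, beside a tuned rule that aggregates failures per user and source, alerts only when a threshold is reached inside a time window, raises at most one alert per window, and ignores a source that is known to be benign (here an authorised vulnerability scanner). The log format, host addresses, user names, threshold and window are all constructed for the example.

```python
"""Added example (not from the PMI Toronto panel): a noisy login-failure rule
beside a tuned one, run over constructed sample log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: alice mistypes twice, bob once, carol's account
# is hammered ten times in ten seconds, and an authorised vulnerability scanner
# (10.0.0.50, a constructed address) causes six failures while probing a service.
SAMPLE_LOG = """\
2024-06-03T09:00:01 auth failed user=alice src=10.0.0.5
2024-06-03T09:00:02 auth failed user=alice src=10.0.0.5
2024-06-03T09:05:00 auth failed user=bob src=10.0.0.9
2024-06-03T09:10:00 auth failed user=carol src=10.0.0.7
2024-06-03T09:10:01 auth failed user=carol src=10.0.0.7
2024-06-03T09:10:02 auth failed user=carol src=10.0.0.7
2024-06-03T09:10:03 auth failed user=carol src=10.0.0.7
2024-06-03T09:10:04 auth failed user=carol src=10.0.0.7
2024-06-03T09:10:05 auth failed user=carol src=10.0.0.7
2024-06-03T09:10:06 auth failed user=carol src=10.0.0.7
2024-06-03T09:10:07 auth failed user=carol src=10.0.0.7
2024-06-03T09:10:08 auth failed user=carol src=10.0.0.7
2024-06-03T09:10:09 auth failed user=carol src=10.0.0.7
2024-06-03T09:12:00 auth failed user=svc-scanner src=10.0.0.50
2024-06-03T09:12:01 auth failed user=svc-scanner src=10.0.0.50
2024-06-03T09:12:02 auth failed user=svc-scanner src=10.0.0.50
2024-06-03T09:12:03 auth failed user=svc-scanner src=10.0.0.50
2024-06-03T09:12:04 auth failed user=svc-scanner src=10.0.0.50
2024-06-03T09:12:05 auth failed user=svc-scanner src=10.0.0.50
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) auth failed user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_events(log_text):
    """Return (timestamp, user, src) tuples for every failed-login line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["src"]))
    return events


def naive_alerts(events):
    """Broad rule: one alert per failed login. Every typo pages someone."""
    return [f"failed login for {user} from {src}" for _, user, src in events]


def tuned_alerts(events, threshold=5, window=timedelta(seconds=60), benign_sources=frozenset()):
    """Narrow rule: alert once per (user, source) when failures inside the window
    reach the threshold; sources on the benign list never raise an alert."""
    alerts = []
    recent = defaultdict(list)   # (user, src) -> failure timestamps still inside the window
    last_alert = {}              # (user, src) -> time of the last alert raised
    for ts, user, src in sorted(events):
        if src in benign_sources:
            continue
        key = (user, src)
        recent[key] = [t for t in recent[key] if ts - t <= window] + [ts]
        if len(recent[key]) < threshold:
            continue
        if key in last_alert and ts - last_alert[key] <= window:
            continue  # already alerted for this burst; do not page again
        last_alert[key] = ts
        alerts.append(f"possible brute force: {len(recent[key])} failures for {user} "
                      f"from {src} within {int(window.total_seconds())}s")
    return alerts


def compare_rules(log_text=SAMPLE_LOG, benign_sources=frozenset({"10.0.0.50"})):
    """Return (alerts from the broad rule, alerts from the tuned rule)."""
    events = parse_events(log_text)
    return len(naive_alerts(events)), len(tuned_alerts(events, benign_sources=benign_sources))


if __name__ == "__main__":
    noisy, tuned = compare_rules()
    print(f"broad rule: {noisy} alerts; tuned rule: {tuned} alert(s)")
```

On the sample log the broad rule raises nineteen alerts, of which only one reflects something the team should look at; the tuned rule raises exactly that one. Dropping the benign-source list raises a second alert for the scanner, which is the kind of recurring noise that produces the fatigue described above.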
Robert shared his increased appreciation for communities of practice/interest that can be used by smaller organizations to help protect themselves. Unless you are a large organization, you cannot protect yourself. By joining a community of interest, small organizations can share learning and work to support each other allowing them to get ahead of any potential attacks.
What are some impacts or vulnerabilities of cyber security?
The panel shared that it is important to remember that there is always going to be a next ‘big threat’ and to prepare for these potential threats. Cyber security should be built into regular business practices to reduce the risk of serious problems. Asset management, for example, is essential to good cyber security practice. Organizations should know what they have and where it is so that they can set up appropriate security measures. In addition to good asset management, procedures should be set up to ensure all assets are being scanned regularly to assess for any potential breaches to security or areas of vulnerability.
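One way to turn "know what you have and where it is" and "make sure every asset is scanned regularly" into a repeatable check is to reconcile the asset inventory against what discovery actually finds on the network and against the scanner's history. The block below is an added example, not code from the panel or from PMI Toronto; the host names, owners, locations, dates and the 30-day scan interval are all constructed, and in practice the three data sets would come from the organization's CMDB, discovery tool and vulnerability scanner.

```python
"""Added example (not from the PMI Toronto panel): reconcile an asset inventory
against network discovery and scan history to surface gaps."""
from datetime import date

# Constructed inventory records: what the organization believes it has and where.
INVENTORY = {
    "web-01": {"owner": "platform", "location": "dc-toronto"},
    "db-01": {"owner": "data", "location": "dc-toronto"},
    "legacy-ftp": {"owner": "unassigned", "location": "dc-toronto"},
    "dev-02": {"owner": "platform", "location": "cloud-ca-central"},
}
# Constructed result of a network discovery sweep.
DISCOVERED = {"web-01", "db-01", "legacy-ftp", "lab-box-7"}
# Constructed scanner history: host -> date of the last completed scan.
LAST_SCAN = {
    "web-01": date(2024, 6, 1),
    "db-01": date(2024, 3, 15),
    "lab-box-7": date(2024, 6, 2),
}


def reconcile(inventory, discovered, last_scan, today, max_age_days=30):
    """Return the gaps between inventory, discovery and scan coverage."""
    known = set(inventory)
    return {
        # on the network but not in the inventory: nobody is accountable for it
        "unknown": sorted(discovered - known),
        # in the inventory but not seen: decommissioned, moved, or discovery is blind to it
        "missing": sorted(known - discovered),
        # inventoried assets the scanner has never reported on
        "never_scanned": sorted(h for h in known if h not in last_scan),
        # inventoried assets whose last scan is older than the agreed interval
        "stale": sorted(h for h in known
                        if h in last_scan and (today - last_scan[h]).days > max_age_days),
        # inventoried assets with nobody to act on findings
        "unowned": sorted(h for h, rec in inventory.items()
                          if rec["owner"] in ("", "unassigned", "unknown")),
    }


def report(today=date(2024, 6, 10)):
    """Print the gap report for the constructed data and return it."""
    gaps = reconcile(INVENTORY, DISCOVERED, LAST_SCAN, today)
    for category, hosts in gaps.items():
        print(f"{category:>14}: {', '.join(hosts) or '-'}")
    return gaps


if __name__ == "__main__":
    report()
```

Each category maps to a different follow-up: an unknown host needs an owner before it needs a scan, a stale or never-scanned host needs the scanning procedure fixed, and a missing host needs the inventory corrected, which is why the check reports them separately rather than as one list.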
What are your thoughts on using open-source programs or resources? What are some advantages and disadvantages or vulnerabilities?
There are pros and cons to using open-source material. First, one of the benefits is cost because you likely will not have to pay for it. However, you will have to pay for someone to support it. The benefit of paying for your own people to support the system is that you can set your own deadlines whereas when you are working with a provider, they may not be able to align with your project dates.
The disadvantage of open-source programs is that the user has to assume all of the vulnerabilities and risk. Open-source code is developed by contributors from all around the world, so while you may have access to a strong product, you are going to need to establish a way of testing and monitoring it. Ultimately, when considering the use of open-source material, users should think about the amount of risk they are willing to absorb and how they are going to support its use.
What are the main cyber security threats for organizations undergoing digital transformations and what can be done to mitigate the risks?
The panel shared that most organizations are no longer completing paper-to-digital transformations but are instead moving their data onto the Cloud. The first thing that organizations should be aware of in this transformation is the location of their servers. Company servers resemble apartment units in a building. It is possible for an organization's server to be located extremely close to other companies, potentially their competitors, which puts them at higher risk of breach.
The second risk shared relates to the controls used to protect data. The panel explained that in addition to understanding what your provider is doing to protect your server against a multi-tenant attack, organizations should also understand what controls are in place on the server. Another important thing that organizations should understand when transitioning to the Cloud is where the data is being held. For example, a local emergency could cause providers to ship data internationally until their data centres are restored. The movement of data not only creates vulnerability in the system and increased risk; organizations should also consider the legal obligations they hold to their clients about where information is stored and secured.
The panel reemphasized the importance of building security into projects from the start of project development. They highlighted the importance of including an IT expert in project meetings in the initial planning phases and shared useful resources to support small organizations or project managers in enhancing the cyber security of their projects. Business needs should drive compliance standards and the level of security they require.