Cybercrime is real. It's real in the big data services we use, it's real in the big stores we buy our groceries and household items in, and it's real on the projects that we manage.


Cybercrime is becoming such a common occurrence. Too many of us have to hear about and become familiar with the Deep Web sooner than I ever dreamed we would. I heard Charlie Miller and Chris Valasek – the presenters at Black Hat who hacked a 2014 Jeep Cherokee’s onboard computer sparking a massive vehicle recall – say that “everything is hackable.” And it is. If you think you’re safe then you’re likely next if you have anything of valuable personally or professionally.


What are the costs of cybercrime?


With all these cybercrimes that include database breaches of government personnel identities, big box store credit card numbers and customer data, and fingerprint databases that number in the millions, who pays? What costs are incurred?


From a high-level, the costs – at a minimum – are:

• Lost customers for the big box stores that were hit in the past 1-2 years
• Lawsuits and settlements for those customers affected by the breaches on these stores’ databases
• Individuals who have to fix identities and get new cards and personal information issued
• Corporations paying large dollars for cybercrime insurance (more on this below)
• Corporations paying handsomely for risk and cybercrime prevention planning and consulting

Cybercrime insurance – an interesting new twist


There are always opportunists out there looking to capitalize on the latest victims and cybercrime is no exception. Cybersecurity insurance seems to be the rage these days. Lloyds of London – those insurers who cover Keith Richards’ fingers and your favorite college quarterback’s arm who decides to stay in college one more year – are big into cybersecurity insurance. The problem is, they are insuring the loss - insurance against data loss, malware and service attacks, data breached and cybercrime – not helping prevent cybercrime in anyway.


Focusing on the consequences, not the causes


So, who pays? Well, consumers pay, I guess. Chubb – a leading provider of insurance coverage – also offers insurance against cybercrime…as do most large carriers and many smaller insurers popping up and entering the lucrative cybercrime insurance market. Companies seeking out insurance against cybercrimes are focusing on the consequences of cybercrime, not the causes, by purchasing liability and errors-and-omissions insurance.


As Chubb states, “Unfortunately, many companies don’t realize that whether they experience a data security breach isn’t as much a matter of if it will happen as when. When a security breach happens, you’ll need comprehensive protection from an insurer that specializes in handling cyber risks, offers a full suite of integrated insurance solutions to help minimize gaps in coverage, and understands how to tailor coverage to your business.” Chubb’s insurance covers direct loss, legal liability, and consequential loss resulting from cyber security breaches.


As the cost of cybercrime losses rises and the frequency of cybercrime events also rises, the costs of those payouts will be passed on to consumers of all insurance policies with companies like Chubb. It’s called free enterprise. One such insurer - Marsh & Mclennan - which offers cyber insurance, has estimated that the market for cybercrime insurance doubled last year to as much as $2 billion.


Is C-level representation the answer?


I personally propose a C-level cybersecurity representation now in organizations of any notable size handling any sensitive data and information and running any projects with sensitive data for important clients that they want to keep long term. After all, it only takes one breach for you to lose many customers and gain a certain reputation that you really don’t want to have. And if you’re one of those corporations and you haven’t been hit yet…don’t worry…you will. Given the prevalence of digital terrorism, cyber attacks are a question of when, not if.


Summary / call for input?


What are your experiences with cybercrime? Has your organization been affected? What risk or avoidance measures are you taking or planning to take to guard against cybercrime? Has there been a consideration to make a cybersecurity position a C-level representation?

Watch this - my rundown of the most desirable characteristics of cybersecurity officers for organizations. This position is becoming more necessary and more valuable on a daily basis.
​

I'm starting a new series here on Project Times – a series of articles on PM tools and services. Basically, I want the leaders at these organizations to tell us in their own words “5 Reasons Why” we should be demo'ing or downloading a free trial or purchasing their software to use for some or all of our project related needs.

Think of it as their “elevator speech” if that's all the time they really had to tell you why their software or service is great and you need to check it out.
I did a series like this for several vendors on my site awhile back and many found it to be of great value to them and their search of that right tool to meet their team's needs.. I wanted to bring it to a bigger stage because there are so many new, small, great players in the genre that many of us have never heard of. And many long-established software and service solutions that we had heard of but never tried. Plus, we are living in a world now that has seen the workforce change in terms of needs for remote work, virtual teams and extreme collaboration. You might find your organization's needs will be met by one of these options...

I hope you find this series a rewarding and informative one to follow... I will be contributing new ones every week so keep an eye out for the next one. For now, we will start out with this great offering from MindGenius – an organization who I have had the pleasure of knowing and working with off and on for the past 5 years so I can vouch for their personnel and say they fully stand behind their product and for the product itself being something that I find to be being able to fill many needs of PM organizations and infrastructures. In fact, I won't be including vendors who I do not personally feel good about or software I don't believe to be worthy of this series.

5 Reasons Why You Should Consider MindGenius For Your Projects In 2021...

1. Remote Working capabilities – in today’s world remote working is slowly becoming the norm for many organizations. With MindGenius Online you can work with and manage your team remotely and with ease. You can assign your colleagues tasks, give them completion dates and, most importantly, organize your workforce to get the best out of them.

Anything and everything can be hacked. You, me, your top competition, your favorite customers. Everyone. And even if you employ one individual running your security, an entire certified staff of cybercrime experts or a 3rd party outside vendor securing your important data and IT processed, don't let any of them convince you that you are 100% safe. You aren't now and you never will be. The best you can probably hope for is about 90% but those percentages mean nothing when hackers find their way into that small 10% opening that you couldn't cover. Trust me – and you can read this anywhere – the hackers are always one step ahead of us all. Everyone is in reactive mode vs. hackers. You can be in what you believe is proactive mode, but you're still covering ground they've already covered. The best you can hope for is that they won't find you to be an easy target and they'll move on to the next company. Just like our house is well lit and always has at least 2 vehicles sitting in front of it or beside it so we would certainly never be a crime of opportunity...anyone just trying to break in to a house would move on to the next one.


I recently checked back in with most of my current and past clients. What I found surprised me a bit. Nearly one in four - almost 25% - had experienced some sort of hack, data breach or security violation in the past 12 months. Almost 25%. The nice thing is a few are asking for my help in making sure 2016 is safer than 2015...but I have to admit that it was not necessarily the way I wanted new consulting business. However, I will not turn down that kind of experience, research and revenue. At the same time, I wonder what is going to be hit next? What will black hats target next that we haven't even thought of? And what about white hats out there who work hard to expose security flaws and backend openings to prove to governments and software or equipment vendors that they have issues that they aren't aware of but need to patch quickly? Those individuals could be targeted next by cybercriminals...just as was the case on the season (and probably, unfortunately, series) finale of CSI Cyber this past week. This knowledge and software code is worth an inconceivable amount of money in the wrong hands. And it puts lives in danger at the same time.


Back to the issue with the 1 in 4 companies experiencing a security breach and what that could or should mean to you. Nothing or everything...it's your choice. At the very least, I highly recommend the following...


Make cybersecurity a top priority in your risk planning. I know we all think it can't happen to us. And it may not. But if it does, just one cybercrime could cost you countless customers, high costs of identify theft of employee information, or worse....though I'm not sure what that might be. Your risk depends more upon the types of clients you have, the types of projects you run, the industry you operate in, the type of data you handle and the size and complexity of the projects you manage. But any size business can be and is at risk. To omit it from your risk planning is crazy in 2016. I am usually working with small to medium sized businesses though I am periodically running projects as a consultant for very large Fortune 500 organizations and government entities like the Department of Defense and others. And yes, sometimes it does involve sensitive information. Risk planning needs to be part of every project and cybercrime and cybersecurity needs to be considered during every risk planning session.


Hire one staff, a department or a consultant. You can hire one staff, you can create a department, or you can just hire a consultant. But it is imperative, I believe, that you do something to prepare your organization for a cybercrime incident in 2016. It may not happen this year, but it is likely to happen soon and the sooner you bring in staff or designate an individual the sooner you can have that person or group ready and productive. You don't really need a large group of certified individuals. You can operate with just one interested tech lead moving into this role and learning as they go. The information and technology for them to research is everywhere...they can get up to speed fast. Just don't put it off any longer.


Attend Black Hat. Seriously. I've been to Black Hat USA in Las Vegas five years running and it is amazing – both in terms of fascination and in terms of understanding the breadth of the security risks we all face. They call it Black Hat, but it is really much more about White Hat work identifying and reporting on security flaws and what cybercriminals are capable of and what these incredibly skilled hackers have discovered over the past year. If cybersecurity is a concern to you – and it needs to be – then this conference is well worth your time and money. If it makes you plan for and mitigate or avoid one breach because you added it to your risk planning process then it will pay for itself 20 times over.


Summary / call for input


Everyone can be hacked. Do I need to repeat that? Everyone can be hacked. And it will likely get worse – not better. I will not be surprised if I conduct a similar client survey in a couple of years and see that number rise to nearly 50%.


What about our readers? Has your organization experienced a data breach or be the victim of a cybercrime...no matter how small? If so, what was your response? How has it changed your risk planning process. Please share your experiences and discuss.

Short video explaining 4 key challenges that Project Management newcomers can expect to encounter. You've been warned...

Watch this - 5 signs your project may be in trouble. Experiencing any of these?

​

There’s no doubt that we will all be hacked or breached or have our data and identity affected by a breach sooner or later. Most of us already have. I know my Twitter account has been hacked twice and my Facebook account has been hacked at least once. And it seems at least once per week I get a FB friend request from someone I’m already friends with meaning either they’ve been hacked or I’m about to be if I’m stupid enough to accept.


Where am I going with this? I’m pointing out that there are bad people all around us lurking in the shadows meaning to do us harm in a non-physical or non-violent way. They are called hackers and really have nothing against you personally. They are just out to bring chaos to your world, grab sensitive data, possibly sell it or offer it back to you in exchange for money or they just may be doing it all to show that they can. After


If you haven’t been hacked, breached or compromised in some way by a hacker - rest assured you eventually will be and really no amount of avoidance or mitigation planning can completely save you from the affects of hacker actions. Start taking some or all of these steps now to make it happen and keep your organization's corporate head above water, figuratively speaking...


Start somewhere. Please, please, please... start somewhere. It doesn't have to be with a full-fledged cybersecurity staff. But we have to start somewhere. If you are smaller, or a startup or not engaging in large, high visibility, data sensitive projects often, then look for one or more internal resources who are interested in training in cybersecurity and have them take on the part-time or full-time role of cybersecurity lead and have them participate on projects that may need that time of data management, risk evaluation and oversight. Or, if you're smart, you'll have them involved as a part-time resource on every project on an ongoing basis.


Charge everyone to be accountable. Now, I don't mean that everyone in the organization needs to become a cybersecurity expert. Far from it. But they need to have an awareness, an accountability to the company masses and the organization's customer base. Think “bystander apathy” and “bystander awareness.” Don't let the company masses become just bystanders. Get them actively involved in the effort to not leave the organization open to hacking. Think participation rather than hinderance or obstruction. Educate the masses in the organization on the criticality of what it means to have a data risk and breach that potentially cripples the organization and ask everyone to be hyper alert to black hat activities and their own behavior that could cause security holes from an IT perspective.


Make cybersecurity part of every project and customer initiative going forward. Whether you grow a cybersecurity presence and knowledge base from within starting with one more individuals who have an interest or you go full blown with a C-level presence like a Chief Security Officer (CSO), a hired staff of a few cybersecurity certified tech leads and a big staff budget, it is imperative that going forward there is a cybersecurity presence on all data sensitive projects and likely all projects period. This presence may only be during risk identification, but it may also be needed on a weekly basis having a sit-in presence on all weekly project status meetings to offer advice, decision input and to answer staff and customer questions. Trust me, the topic will only be growing in size. And with a project by project security risk presence, there is far less of a chance that something important might fall through the cracks. You never know when a technical decision made by someone less informed could open the organization up to a breach that could be very damaging.


Educate senior management on the probability, liability and exposure. As important as it is to educate the entire enterprise on the cybersecurity risks and enforce awareness and accountability, it is even more important that senior management be aware and buy in to the need for a cybersecurity knowledge base and project involvement within the organization. Funding comes from this group, projects are sometimes prioritized and staffed from this group and as the project teams need to evolve to handle the cybersecurity threats, so does the leadership of the organization. Just as with any program, improvement, or campaign... without the leadership buy in it is going usually fail in the enterprise adoption effort as well. If leadership doesn't back it, it won't usually last.


Compile stats. Try hard to quantify things. From an IT standpoint, you can often tell how many potential breaches have been thwarted by whatever software you have implemented. Include that information in project status reports to teams, clients and senior management. The more benefits you can actually show in numbers – even dollars – the better. This will build fast confidence and buy in to the measure being proposed and taken. Management loves to jump on board with new initiatives that are actually working. And the goal is to show progress fast and early so that enterprise adoption and accountability and participation is a no-brainer and the learning curve is small and behind everyone quickly. Management loves numbers. Customers love numbers – especially positive ones. Figure out how to show numbers and you'll get them on board with the security movement and implementations quickly. And that is important to project protection and survival.


Summary / call for input


The bottom line is this – cybersecurity is an established risk that isn't likely to ever go away. Too many hackers having fun or trying to capture data and identity at the expense of others – sometimes even working to profit from it and not just cause damage. If you have high visibility projects or data sensitive projects or both, you will likely be a future target. We need to be vigilant and prepared.


Readers – what is your take on this list? What experiences have you had with the implementation of a cybersecurity infrastructure? It's rather new to most organizations so any advice we can share will be helpful.

Cybersecurity is an interesting topic – no doubt about it. But it becomes a scary topic if your organization falls victim to a vicious cyberattack that leaves your company's, your clients', or your projects' sensitive data affected or vulnerable. How you are prepared to react and respond may make the difference between no affect, a small affect, or one so costly and high profile it may bring down the company or cost millions to respond to and take corrective action against. If you've been following the large organizations that have been hit – you remember them well because you're first thought was probably “I wonder if I've been affected” because you either shop there, have done business with them, or it's your bank or credit card provider that was hit.


Now that I have your full attention – hopefully - let's consider and discuss what I consider to be five key things you need to know about cybersecurity for yourself, your company and your projects...


It's ok to start small. You don't have to plan out a major cybersecurity response team or infrastructure. Especially if you aren't currently experiencing a major cyber breach major event. What you do need to do is start somewhere and sometime and that time is right now. Whatever someone can do to hack you and your precious employee data or project data or project customer information has already been figured out but you haven't been targeted... yet. Either you aren't on a hacker's radar, or your data isn't important enough yet or whatever. Rest assured that at some point in the not too distant future you will be on their radar


Not if but when. Cybersecurity is not really about “if” you'll need to react, it's more about “when” you'll need to react. Nearly everyone and everything will experience some sort of theft, breach, infection, or infliction of cybercrime or cyberattack in the next decade... and probably sooner. 25% of my own clients – some of which are fairly small – have been affected by a cybersecurity issue in the past two years. The key is to be ready. Hopefully to mitigate, but since that may be futile, at least be ready to respond and fix and close holes and cleanup quickly. You don't need an army of experts to do this – hopefully – but it is best to have one or a few prepared in house to respond and maybe an external expert you've already connected with who could assist depending on the extreme need and available budget.


Read the books - info is abundant. There are books available all the time on cybersecurity. If you are looking to grow an internal staff starting with one or two, then social media and these books are a great way to start. Detailed, expert certification isn't necessary to begin with, just some knowledge, dedicated interest and materials – like books, videos, webinars, seminars, the annual Black Hat conference here in Las Vegas and other locations. All of these will help build awareness and knowledge in your cybersecurity startup staff. Great books, articles and other materials are readily available to help get your response team off the ground and ready – use them.


Start with a consultant. You may not need an expert consultant, but it would be a very good idea to connect with one in case you do. And maybe the expert consultant is the way to go if you're not able to hire or train any staff but would rather pay “through the nose” if and when the need to react to a cybersecurity incident happens. It's not cheap to get an air conditioner repair person on a Sunday in Las Vegas in July when it's 115˚ or a plumber at midnight, and it's not going to be cheap to get an external cybersecurity expert consultant after a breach has occurred. But that may be all you need and whether or not you ever call in an external expert consultant, it's a good idea to have the connection already in place.


It's not always about money. A breach will cost you. You will have to close up the loop somehow and work to ensure that it doesn't happen again. If it happened once it can happen many times. And maybe this time it wasn't about data or revenge or getting sensitive client info or financial info or ransomware. It isn't always about money that someone wants from you or data that they can sell to others. Sometimes you are a random target or it's just about the sport of getting into something you're not supposed to get into. But you must take measures because next time it may be about sensitive data or holding information for ransom. This may have been a test run for something much bigger later. So, the breach – if you experienced one – will cost you so patch it fast and figure out how to not let it happen again... to the best of your ability.


Summary / call for input


I wish I could tell you everything will be alright. True that most people are good, and you really only hear about the bad ones in the news. And there are many good hackers out there – trying to help organizations better prepare by exposing weaknesses and issues – and they are paid handsomely for it. But there are those hackers who are looking to thrive financially or just have fun at your expense. Eventually you are likely to be affected to some degree by one of these and taking some initiative now to be at least ready to respond is your best course of action.


Readers – what are your thoughts? Has your organization – or even your personal self – been affected? How has your organization prepared or responded to concerns of even breaches? Do they see they need to be proactive or just waiting to react as most organizations seem to be doing. Please share and discuss.

Roughly a year into this "new normal," the vast majority of companies are labeling the remote work shift a resounding success — improving productivity and accelerating their digital transformations. But that success comes at a cost: Employees are a whopping 85% more likely to leak sensitive files and data now than they were before the COVID crisis hit, according to the recently released Code42 2021 Data Exposure Report (DER). The report found that 3 in 4 organizations experienced at least one data breach involving the loss of sensitive files in 2020. And while we all read the scary headlines on surging cyberattacks in the wake of the remote work shift, IT security leaders say employees (intentional or otherwise) were the biggest cause of data breaches — ahead of external actors

The biggest change in the IT security world wasn't about where employees were working — it was all about what they’re doing. Workers are connecting remotely (only using the VPN 10% of the time, according to Code42 research), using cloud collaboration and web-based productivity apps to zing files and data back and forth. They're downloading, uploading, emailing, messaging, syncing, sharing, DropBoxing, Google Driving, AirDropping and more — all day, every day. The world will return to normal (someday…), but businesses will hold onto the advantages of a flexible, cloud-collaboration-powered workforce. And that means the Insider Risk problem won't just disappear. The Code42 2021 DER found that 6 in 10 IT security leaders believe Insider Risk will increase, or increase significantly, in the coming years.

A new world of risk — a new paradigm of risk tolerance

The thing is, most CISOs recognize that this shift in the way we work has been percolating for several years now. Organizations are increasingly building competitive advantage through cultures rooted in speed, agility, collaboration and rapid innovation. And this requires a new understanding of risk tolerance — new calculations in balancing the need to empower speed and agility with the need to secure and protect all that fast, agile innovation. The pandemic was just the force accelerator that pushed this paradigm shift past the inflection point. All organizations are now tolerating some level of Insider Risk in order to enable the agility, speed and innovation required to survive and thrive in today’s business climate. Even the U.S. State Department — one of the most conservative, high-security organizations in the country — acknowledged, "We have a risk tolerance now." This has led Gartner to create entirely new category of data security solutions to address this new reality: Insider Risk Management*.

Conventional security infrastructure can't handle the nuance of risk tolerance

For CISOs and IT security leaders, 2020 was a triumph in rapidly adjusting to support remote work and maintain business continuity. But 2020 also laid bare the failure of existing security infrastructure, up and down the stack, to keep up with today's digital workplace. Conventional, policy-based blocking tools like DLP and CASB aren't designed to handle the nuanced game of risk tolerance and Insider Risk Management. Old, black-and-white notions around insider threat prevention are leaving security teams in a lose-lose situation: The 2021 Code42 found most IT security leaders say they’re fielding daily or weekly complaints that employees' legitimate activity is being blocked. At the same time, conventional security tools are leaving blind spots to new ways of moving files and data, and most IT security leaders say they’re not able to see those blind spots.

2021 isn't just for cleaning up — it’s a chance to plan for what’s next

As they clean up the data security risks of the reactive strategies put in place in 2020, security teams should be careful not to take a similarly ad hoc approach to plugging the gaps. We all need to work toward forward-thinking security postures that can keep up with the fast-moving, collaboration-driven culture C-suites are fostering. Security teams need technologies and processes to better identify risky behaviors without inhibiting collaborative culture and employee productivity. We need technologies that flag Insider Risk indicators, such as working off-hours, changing file extensions, having access to the files of a highly confidential project or resigning from the organization.
​
The key is context. The new paradigm of Insider Risk Management is all about nuance, and security teams need to see the context — around the data, the vector and the user — in order to walk the line between managing Insider Risk and enabling the speed and agility that are critical for their business.

Every feel pressure as a project manager? Some of the time? All of the time? I hope you’re not actually feeling stressed and under pressure 100% of the time – I for one actually do find project management enjoyable much of the time. But it certainly does have its many stressful moments.


Issues are a way of life. But when several critical issues hit at once or we have one of those show-stopping moments on one of our projects – those are the times when we feel the most pressure…when it’s really tempting to hit the panic button or proclaim that the ‘sky is falling!’


Primarily by just learning on my feet, I’ve figured out that in order to stay focused during these critical pressure situations I need to use these three methods to effectively deal with what’s going on and work with my team toward successful resolution….


#1 - Prioritize the issues. An issue can come up that causes critical problems and a decent amount of stress on any project. But often times it’s more than one issue – a series of events or a ‘perfect storm’ of risks and issues hitting at the same time. I’ve found that in order to best handle these, I must prioritize the issues that need to be dealt with. That isn’t a groundbreaking revelation to anyone, I’m sure, but it’s so easy to start attacking several issues at once when you’re in panic mode thinking you’ll get past the critical phase faster. What usually happens is you make little to no progress and you might even create new issues.


Stop, assess, analyze and prioritize the issues. Figure out which ones need addressed first – and if any appear to be of equal importance then attack the ones you can eliminate quickly. Anytime you can quickly shorten the list, that’s a good thing.


#2 - Avoid multi-tasking. As stated in #1, avoid the urge to take on more than one critical issue at once. Too many times we think we can multi-task when we can’t. When we aren’t operating in panic mode it’s fine to multi-task – it’s actually a good thing and it’s expected of skilled, highly productive workers. But when you’re trying to focus on key issues under pressure and make progress toward getting the project back on track, it’s best to attack them one at a time. If not, you may not pay close enough attention to detail, something critical may fall through the cracks, poor decisions may be made, and you may actually create new issues that have to be dealt with by taking action without the extreme focus needed in these high pressure situations.


#3 - Avoid interruptions. Finally, do your best to avoid interruptions when dealing with project issues of a critical nature. Put your team in a war room, lock your office door, announce to everyone that you’re unavailable for ‘x’ amount of time except if someone is bleeding or dying (I use that one on my kids when I’m trying to teach them not to needlessly interrupt when I’m doing something very important). Do whatever you have to do to avoid needless interruptions. The key is to avoid those needless and/or frequent interruptions that can throw you and your team completely off track – turning a one-hour successful brainstorming session into all-day failed operation. If you don’t announce that you are unavailable – but do tell people why and where you are – and make an effort to make yourself unavailable when trying to focus on these issues under pressure and get to a resolution, then you’ll still be inviting the same interruptions that you get every single day that you aren’t even aware are happening.


Summary


We all experience showstoppers or very critical issues on our projects from time to time. Pressure situations are a way of life for the project manager and his team. But how we deal with these situations – the processes we go through to keep our focus on getting through them and handling the stress and the pressure - are often the determining factors of whether the project will fail or succeed.