Gibson, the writer credited with coining the term cyberspace, imagines possible futures. President Lincoln was talking about his opponent, but his statement resonates today. DeMusso, his colleagues at Abnormal Security, and their competitors are working to deliver the future, today. So are the hackers.
Effective project managers, “Alpha Project Managers,” as described by Andy Crowe, don't just complete their projects on time, on spec, and within budget. They also justify projects, often in the Project Charter, in order to secure support from the sponsor. And they don't wait for their management or the project sponsor to come to them and say, “We need a project to solve this problem,” or for the year-end planning process to suggest projects that address significant vulnerabilities. They act decisively when they learn of problems to be solved.
Alpha Project Managers, especially those who work in cybersecurity, sometimes need to go to their managers and project sponsors, saying, “I know this is not on our radar, but we need to address this issue.”
This is information you can use in a proposal or project charter to make the case for evaluating your cyber security environment and subsequently modernizing your cyber infrastructure.
Phishing today is not Tom Sawyer, Huck Finn, and Jim dangling a worm to catch a catfish for lunch.
Phishing is cyber criminals – and state actors in hostile governments – dangling false promises in exchange for your personal information, your intellectual property, or your money. And we are the fish. We, our CEOs, COOs, CFOs, and everyone in our organizations. Our technical people and our non-technical staff – especially our management.
Suppose you are managing Information Technology Infrastructure projects. Your company has a traditional signature-based anti-virus system, a firewall between the Internet and your internal network, and a Virtual Private Network, VPN, for your mobile workforce. You know this is a solid foundation. However, even with multi-factor authentication, MFA, and website filtering, aka DNS filtering, if your computers are connected to the Internet, then your computers are vulnerable.
And exploits are costly.
A contractor at a university hospital has just completed $3.5 Million of work on a major project. They sent an invoice. An attacker, who had penetrated the hospital's email environment with a credential phishing attack, was waiting. The criminal hacker had also copied the vendor's web site, stolen their logo, and set up an offshore bank account. His plan was to get that $3.5 Million. Immediately before the close of business on a Friday night the cyber criminal called the hospital, got someone from accounts payable on the phone, and, posing as the vendor, was pleading, cajoling, and demanding that the hospital send payment NOW! via wire transfer to this new bank account.
Fortunately for the hospital, a cyber security researcher was on the scene, virtually. He knew about the cyber criminal. He reached out to the CISO. They retraced the cyber criminal's steps, then reached out to the CFO, stopped the payment, and saved the hospital $3.5 Million.
According to the Ponemon Institute, a cybersecurity consultancy, in Cost of Phishing, August 2021 (https://www.proofpoint.com/us/resources/analyst-reports/ponemon-cost-of-phishing-study), the cost of addressing Business Email Compromise, BEC, is close to $6.0 Million per event. The costs of addressing and containing other types of compromise are also high and rising.
As summarized in table 1, below, these have increased dramatically since 2015.
Table 1. Cost of Cleaning Up After Various Attacks. Source: Ponemon Institute, Cost of Phishing, August 2021 (https://www.proofpoint.com/us/resources/analyst-reports/ponemon-cost-of-phishing-study)
These don't include the cost of lost business, damage to the company's reputation, going out of business, or damage to national security.
As documented by Virgil in The Aeneid, at the end of a 10 year siege, about 3,200 years ago, Greek forces, led by Odysseus, built a large wooden horse outside Troy. Then they appeared to leave. Hidden inside the horse, Odysseus and his warriors waited. The Trojans, believing that the Greeks had given up and gone home, towed the horse inside their city as a trophy, as the spoils of war. Night fell. Under the cover of darkness, Odysseus and his team emerged from the horse and opened the gates to the city. The Greek army, which never really left, entered the gates, sacked the city, and won the war.
The Greeks tricked the Trojans into “capturing” their horse and bringing the enemy literally inside the gates. This may have been the first social engineering attack in recorded history. Unfortunately, just like the people of ancient Troy, we, our bosses, and our colleagues are the targets.
Suppose a member of your accounts payable receives an email from an executive:
Hi,
Oddly, the email is not from Jim's internal corporate email address; it's from J1M.56732@gmail.com – J 1 M, with the digit one in place of the letter I. And James Smith, the CEO, is always referred to as James, never Jim.
Or,
As with “Jim's” email, this is not from Joe@LXQ.com, a real vendor at his real email address; it is from someone engaged in a criminal hoax. Plus, vendors sending actual invoices are unlikely to address them to “Dear Friend.”
Or suppose someone in your HR department receives an email message from a staff member,
A good HR staffer will want to help Tom get paid to the right bank. But it's not from Tom's internal email; it's from T0M.8843@Yahoo.com – T zero M, with the digit zero in place of the letter O. It's really not from Tom.
Most of us, without reading too carefully, would recognize these as phishing most of the time. But we might slip when we have hundreds of unread emails, when we have to configure payroll by the end of the business day, or when we have a stack of bills that need to be paid. It's easy to make a mistake.
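The tells in the three examples above (a familiar first name spelled with look-alike digits, a freemail domain instead of the corporate one, a “Dear Friend” salutation, and an urgent request to move money) can be checked mechanically. The following Python is an added example, not code from the article or from any of the vendors it names; the sender directory, freemail list and sample messages are all constructed, and the heuristics are deliberately simple.

```python
import re
from email.utils import parseaddr

# Assumed directory of legitimate senders: first name or vendor contact -> real address (hypothetical).
KNOWN_SENDERS = {"james": "james.smith@example.com",   # the CEO, never "Jim"
                 "tom": "tom@example.com",             # the staff member
                 "joe": "joe@lxq.com"}                 # the real vendor
NICKNAMES = {"jim": "james"}
FREEMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
LOOKALIKE = str.maketrans("01358", "oiesb")  # digit-for-letter substitutions (J1M, T0M)
URGENT = re.compile(r"\b(now|immediately|urgent|today|asap)\b", re.I)
MONEY = re.compile(r"\b(wire|invoice|bank|account|payroll|gift cards?)\b", re.I)

def claimed_name(local_part: str) -> str:
    """'J1M.56732' -> 'james': drop the numeric suffix, undo look-alikes, expand nicknames."""
    base = local_part.split(".")[0].lower().translate(LOOKALIKE)
    base = re.sub(r"\d+$", "", base)
    return NICKNAMES.get(base, base)

def phishing_indicators(msg: dict) -> list:
    """Return the indicators found in one message; an empty list means nothing suspicious."""
    _, addr = parseaddr(msg["from"])
    local, _, domain = addr.lower().rpartition("@")
    findings = []
    if domain in FREEMAIL:
        findings.append("freemail sender")
    name = claimed_name(local)
    if name in KNOWN_SENDERS and addr.lower() != KNOWN_SENDERS[name]:
        findings.append(f"look-alike of {KNOWN_SENDERS[name]}")
    if re.match(r"\s*dear (friend|customer|sir)", msg["body"], re.I):
        findings.append("generic salutation")
    if URGENT.search(msg["body"]) and MONEY.search(msg["body"]):
        findings.append("urgent payment request")
    return findings

# Constructed messages modelled on the article's three examples, plus one legitimate message.
SAMPLES = [
    {"from": "Jim <J1M.56732@gmail.com>", "body": "Hi, I need gift cards mailed to my hotel today. Jim"},
    {"from": "Joe <joe.lxq@gmail.com>", "body": "Dear Friend, please wire the attached invoice now."},
    {"from": "Tom <T0M.8843@Yahoo.com>", "body": "Please update my payroll bank account immediately."},
    {"from": "James Smith <james.smith@example.com>", "body": "Hi, see you at the 2 pm meeting."},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["from"], "->", phishing_indicators(sample) or "no indicators")
```

A real mail gateway would add authentication results (SPF, DKIM, DMARC) and reputation data to these surface checks; the point here is only that every tell the article describes is something software can test on every message, without getting tired at the end of a Friday.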
We can train our users to identify these kinds of attacks. But as was the case in ancient Troy, our mistakes can be catastrophic. Unlike the Trojans, we have tools at our disposal to combat these kinds of attacks. We have software that looks inside emails for “Trojan Horses” and identifies phishing emails. These software tools use Artificial Intelligence, AI, and Machine Learning, ML.
Training tools include services from KnowBe4, Mimecast, Proofpoint, and others. Detection and remediation tools include software from Abnormal Security, IronScales, Mimecast, Proofpoint, and others.
Training tools include instructional videos and simulated phishing attack emails. The users watch a short video, generally 10 to 15 minutes long, and answer a few questions. Administrators define the frequency, subject, and difficulty of the phishing simulation emails. When a user responds to a simulated phishing email by reporting the message as “Phishing,” he or she is praised. When he or she responds by clicking the link, they receive a notification that “This was a Phishing Test.” Some companies opt for simulation emails every six (6) to eight (8) weeks. You have to strike a balance between keeping users alert and wasting their time. You can customize the Phishing Tests, choosing between categories such as Covid, or Executive spoofs, like, “Hey, this is me, your CEO. Please buy me some gift cards, but I'm traveling, so mail them to me at my hotel in Singapore.”
When alert, we subconsciously analyze inbound email messages and evaluate them according to various characteristics.
The Trojans got one horse, and it cost them dearly. We get 50 to 100 emails per day. Aside from legitimate emails from salespeople trying to sell us things, we may get five or 10 phishing emails trying to steal money or information. One email to the wrong person, to someone who is tired, overworked, and not focused, can cost your company hundreds of thousands, even millions, of dollars.
Fortunately, remediation tools are always alert and, using effective AI and ML, these tools look at the characteristics outlined above to identify Business Email Compromise, Credential Phishing, phony vendor messages, and other attacks. As Abnormal's DeMusso says, “with advanced AI and ML capabilities available today it is still about finding needles in haystacks; but using metal detectors to find those needles in milliseconds rather than manually examining every inch of every stalk in the haystack. And you don't want to wait to implement an effective system until after you've been attacked and after you have spent $Millions recovering.”
-
As Project Managers, our job is to implement new systems. However, especially when faced with something as important as implementing email security, we need to evaluate competitive systems to determine the best, the most effective. We may also need to persuade the project sponsors that they need to invest in new technologies, including technologies they may never have heard of. The future of the enterprise rests on it. When one company consistently displaces former competition – because the competition allowed attacks to penetrate – you know you have the best.
-
Lawrence Furman, MBA, PMP, has been working in IT for over 20 years. He is currently exploring leadership and innovation in “Adventures in Project Management,” a book he is publishing in 2023.