have to think about cybersecurity. It’s both ‘How
do we use this system correctly?’ and also ‘How
could a user use the system in a bad way?’”
Like all project managers involved in cybersecurity
projects, Mr. Schaufenbuel takes a global view of the
problem: “We’re no longer dealing with lone wolves,
but with highly sophisticated criminal syndicates and
even rogue governments with access to vast amounts
of resources, intelligence and talent,” he says.
At his bank, Mr. Schaufenbuel led a three-month project aimed at thwarting account-takeover
attacks. The malicious software behind these attacks
wasn’t embedded within the bank’s network, but
rather in customers’ home computers. The attackers
stole customers’ login credentials or hijacked their
active online banking sessions and then attempted
to transfer money from their accounts.
As part of the project, Mr. Schaufenbuel’s team
deployed behavioral analytics-based software that
learned to separate normal activity from suspicious
activity. That software, combined with related processes that alerted users and locked accounts, has
led to dozens of blocked attacks and millions of U.S.
dollars in savings each year.
It’s no coincidence that such a pernicious cyberattack—and such an effective project to counter
it—took place in the financial sector. Hackers are
concentrating their efforts where the money is:
Almost 20 percent of all infections happen in financial services, according to security firm FireEye.
That’s particularly true in the United States where,
in 2013, 49 percent of the attacks reported and 67
percent of the records exposed occurred, according
to the Open Security Foundation and Risk Based
Security. The other sectors with the highest infection
rates globally are education, energy, healthcare and
Financial scammers now act with the savvy of a
master con artist as well as the skill of an insider.
The old threat was a hacker stealing whatever he or
she could find, but the new one is “someone who
understands company operations and processes
and where the vulnerabilities are,” says Mr. Bissell,
Atlanta, Georgia, USA. “That means the security
personnel need to be more sophisticated as to what
we defend against.”
It also means that project practitioners must learn
lessons from their adversaries, who are evolving
quickly to break through project leaders’ defenses.
Organizations with the strongest security
models must prioritize collaboration
among business units over mere compliance, according to a McKinsey survey
of 200 enterprises, technology vendors
and government agencies. The resulting checklist can help top teams as they
rethink cybersecurity and green-light IT
projects and programs.
1. Prioritize information assets by business risks. Most organizations lack full
insight into the information they need
to protect, the survey found.
2. Differentiate protection by the
importance of assets. Assigning
levels of controls allows management
to concentrate on the most strategic
3. Integrate security deeply into the
technology environment to achieve
scale. Security isn’t an add-on to
existing projects and programs—it’s
something to be kept front of mind by
4. Deploy active defenses to uncover
attacks proactively. Teams can aggregate and model new information to
spot potential attacks.
5. Test continuously to improve response plans. Running ongoing trainings for teams responsible for diverse
functions can sharpen their ability to
6. Engage frontline personnel to aid
their understanding of valuable information assets. The biggest vulnerabilities are often email and everyday
7. Incorporate cyber resistance into
enterprise-wide risk management
and governance processes.
Assessments of cyberattack risks must be integrated into the organization’s broader