Skip to content

Malware in the spotlight: why do crooks love rogue code so much?

Added to your CPD log

View or edit this activity in your CPD log.

Go to My CPD Only APM members have access to CPD features Become a member Already added to CPD log

View or edit this activity in your CPD log.

Go to My CPD
Login to bookmark this
Added to your Saved Content Go to my Saved Content
Gettyimages 607477463

Project management and cybersecurity seem like very different careers, but they face a similar set of frustrating challenges, notably how people who aren't in those careers sometimes perceive them. 

For example, whether you're a project manager or a cybersecurity practitioner, you've probably heard gripes along the lines of, "You don't do any of the actual work. You just tell everyone else what to do, which increases the cost of running the business, but doesn't add value." 

The problem with a project that isn't properly managed, just like the problem of cybersecurity that gets ignored, is that it could have far-reaching consequences for the company, its customers and beyond  

This could mean a huge increase in business costs, alongside a simultaneous decrease in company value, literally and figuratively. 

And when it comes to IT matters, project managers, whether contractors or full-timers, face some of the biggest challenges from cybercriminals. 

To be clear, project management teams aren't alone in this because other groups such as HR and Finance face similar problems. However, as a project manager, you may be a conduit to many more corporate secrets than you think. 

For example, your computer, the data in your online accounts and your email history may inadvertently paint a broader picture of the company's arrangements and activities than most other staff in the business, perhaps even including the senior management team. 

Just to do your job, you probably have access to some or all of: whom the company does business with and how, which deadlines are coming up, who's working on what, what research is going on and whether any regulatory challenges are coming up. 

If you're involved in managing projects that involve multiple contractors and third-party companies, you may have keys to other people's online castles too, such as access codes or data sharing tools for swapping sensitive information automatically with outsiders. 

In short, you need to be least as well-informed about cybersecurity as anyone else in the company, not least because of the dramatic damage that a malware attack against you could cause. 

Malware is a sadly necessary word that is shorthand for malicious software, and cybercriminals are addicted to it, because malicious code can do almost anything. 

Stop for a moment to think what you're allowed to do on your own computer, and then imagine what a cyber-attacker could do with those powers if they were to implant malware to act as their programmatic proxy. 

Amongst other things, you can record keystrokes, take screenshots, activate your microphone and webcam, read your email, manage your backups, install new software, change or delete files, browse the network, review project schedules, join meetings, message people on your contact list and share files via various online services. 

That's more than enough access for industrial espionage, password stealing, data theft, cyberstalking, digital blackmail, ransomware attacks and much more. 

Terrifyingly, perhaps, attackers don't even need to use full-blown apps of their own to commit these cybercrimes. 

Thanks to various useful but nevertheless dangerous tools built into today's operating systems, such as PowerShell on Windows and AppleScript on macOS, short text files of 'activation instructions' known as scripts can operate many of the apps already on your computer as if by remote control. 

Keeping ahead of the crooks, and keeping your eyes and ears open so you can report things that don't seem right, is therefore a vital part of good corporate and internet citizenship. 

 Here are three digital lifestyle tips to stay ahead of the hackers: 

  • Stop. Think. Connect: Many cyberintrusions succeed not because they are sneaky and sophisticated, but because they are simple and unobtrusive enough to catch you out when you're in a hurry, or following old habits. Think before you click; pause before you reply; and be aware before you share.  
  • Humans matter: No matter how advanced your automated threat-blocking software may be, it can't and won't prevent all possible intrusions. Cybercriminals continually adapt their attacks every time we adjust our defences, so if you see something unusual or unexpected, say something. 
  • Fight the good fight: Just like project management, a company's attitude to cybersecurity is an aspect of corporate value to be maximised, not merely a cost to be minimised. Security is a journey, not a destination, so ensure that everyone in your project takes cybersecurity seriously, because even small mistakes can have very broad consequences. 

 

If you would like to hear more advice on cybersecurity, please join us for two APM webinars that will include "don't try this at home" demonstrations, offer actionable advice, and finish with an Ask Me Anything session for any cybersecurity questions you like! 

 

You may also be interested in:

Paul Ducklin
Written byPaul Ducklin

Paul Ducklin is a respected expert with more than 30 years of experience as a programmer, reverser, researcher and educator in the cybersecurity industry. Duck, as he is known, is also a globally respected writer, presenter and podcaster with an unmatched knack for explaining even the most complex technical issues in plain English. Read, learn, enjoy!

0 comments

Join the conversation!

Log in to post a comment, or create an account if you don't have one already.