Alpha Serve Blog


Project Data Security: How to Play on the Safe Side?

In an age when big data rules the universe and information is a hard currency, cybersecurity comes to the foreground. Did you know that the number of cyberattacks is growing very fast all over the world? All types of organizations and businesses are vulnerable to cybercrime, which means that project managers must be ready to prevent its catastrophic consequences.
Dramatic Stats
  • Cybercrime has grown into an economy generating nearly $1.5 trillion in yearly profits.

  • A 2019 press release by Global Market Insights projects that the cybersecurity market will reach $300 billion by 2024.

  • A global survey by Accenture found that security breaches have grown by 67% over the past five years.

  • According to a report by SCORE, 43% of hacker attacks target small businesses.

  • The 2019 Official Annual Cybercrime Report (ACR) states that a ransomware attack now happens every fourteen seconds. It estimates that by 2021 this will rise to one every eleven seconds.

  • The same source estimates that by 2021 the annual losses of businesses and organizations caused by cybercrime will reach $6 trillion.

  • The State of the Phish 2018 report by Wombat Security reports that 76% of businesses were targeted by phishing in 2017.

  • Juniper Research's Cybercrime & the Internet of Threats 2018 report projects that by 2023 cybercriminals will steal as many as thirty-three billion records annually.
See more whopping stats at thesslstore.com

With a wave of cybercrime looming, it is obvious to smart project managers that they must learn cybersecurity principles. The GDPR data privacy reform, with its potential penalties of up to £17 million, is a further incentive to secure your projects.

This article aims to improve your knowledge of security so that you can protect your organization from crippling threats.
What is Business Data Security in Terms of Project Management
The average cost of a breach for a business is a shocking £3.2 million, not to mention the long-lasting damage to brand and company reputation. And experts' predictions about cybercrime and data breaches are far from optimistic.

You see, the situation is serious. The type of project data doesn't matter; the crucial thing is that it must be protected. A project manager's responsibilities must include evaluating the data, identifying who owns it, and assessing the potential effect of a breach.

A project manager must also know how much data, and what kind, might be affected in case of a breach. Highly sensitive data such as health records must be guarded at any price. That's why you must be aware of the kind of data you are handling.

A project manager should consider the costs of data protection and discuss with the customer how the additional expense of bringing in experts and technology will be covered. Providing and maintaining cybersecurity is not cheap, but data breaches are far more expensive.

And don't forget about GDPR, non-compliance with which can cost you up to £17 million. Organizations that save on data security risk more. The only way to avoid trouble is to keep EU citizens' data adequately protected.

Cybersecurity must be a priority in every project, even if the data you are dealing with is not super sensitive. Nobody wants a project to become a weak point in the company's overall cybersecurity posture. You never know what opportunities project data can open up to malicious actors.

Most customers expect contractors to take care of security questions and issues as they arise. When a project manager is not knowledgeable about the security solutions used by the company, trust issues with the customer and project delivery delays are highly probable.

We are not calling on project managers to become hackers; we are just saying that in-depth knowledge of the major cybersecurity principles can considerably reduce the risk of a data breach.

Security professionals believe that integrated, well-managed projects are the best way to ensure cybersecurity at that level. That's why it is smart to opt for project management software that complies with the latest security requirements. For instance, if you are using Jira and Confluence to run your projects, Atlassian vendors offer effective security solutions for each tool. We are talking about their two-factor authentication plugins supporting U2F (more details on this later).

It's very naive for a project manager to assume that every employee understands the necessity of data protection. The team, the customer, and senior managers need to be educated on the consequences of a ransomware infection. The same applies to security officers: they need to know more about the project to make sure all measures are in place (because sometimes they don't even know the project exists).

Remember that the best security goes unnoticed, because as a rule people only start to talk about it when something goes wrong. The common problem with risk planning is that most of the time it is neglected at the project level. Being a responsible project manager means holding meetings at the very beginning, discussing possible risks, and establishing a risk management approach; in a word, making risk planning part of running a project and its timeline.
Keep Your Project Data Safe in Jira and Confluence
Now you know that cybersecurity is not somebody else's concern. It should be implemented at all levels, including, of course, the project level. It's much easier to ensure cybersecurity when you use safer tools in your work. Atlassian, the developer of Jira and Confluence, shares your security concerns.

Using 2FA for Jira and Confluence guarantees their users:
  • The highest level of privacy. Users choose for themselves which second factor is most suitable for secure login. They can change this setting at any time. They don't need to reveal any personal information.

  • An additional security level for users dealing with ultra-sensitive data. A U2F device is a must for certain groups of Jira users. It is needed to protect confidential data against malware attacks, phishing, and session hijacking.

  • Ease of use. The plugin can be installed in just two steps. Customer support and secure backup are included.

These powerful tools help big and small teams in different industries unleash their full potential. Information is the heart of any business, which is why security is a top priority for Atlassian. Their transparent security program lets you feel safe using project management tools and complete even the most complicated projects faster and hassle-free.
What are the Most Common Threats for Business in Terms of Data Safety and What are the Best Ways to Minimize Risks?
This section highlights the most frequent threats you should know about and the ways to fight back.
Internal Attacks
It may be surprising, but the people you should dread most are dissatisfied employees. Statistics show that internal attacks are a constant threat to your information and systems. IT staff are the most dangerous, as they have the expertise and the access to networks, data centers, and administrative accounts needed to bring about large-scale damage.

Counterblast: First of all, close all privileged accounts and credentials associated with employees who no longer work for the company. Secondly, watch, manage, and control privileged credentials to stop any kind of misuse. Lastly, it is very helpful to put protocols and infrastructure in place to trace, log, and record activity performed through privileged accounts. You can set alerts to detect malicious activity sooner and limit the damage earlier.
Negligent or Ignorant Staff
Workers who can't be bothered to come up with a strong password, who visit disallowed web resources, click dubious links, and leave their phones unlocked are an immense security liability because of their irresponsible behavior.

Counterblast: Arrange cybersecurity training for employees to improve their literacy. Explain to people that strong passwords include numbers, symbols, and upper- and lowercase letters, and make them use only strong passwords on all devices. The password for each website should be different. It's a good habit to change them every month or every couple of months. Passwords are only the basic level of protection; your security strategy must also include validated encryption. Implement multi-factor authentication using factors such as RFID, one-time passwords (OTP), fingerprint readers, smart cards, or retina scans.
BYOD Policy
When employees use their portable devices for work and access/share corporate data, there is always a risk of exposure.

Counterblast: Educate employees on the BYOD policy. Monitor all files that team members download to their own or corporate devices. Protect company information and system access with security solutions for mobile devices. Corporate apps and data should be kept separate on employee-owned devices. You can opt for a hybrid or private cloud to reduce the cybersecurity risks brought by the BYOD trend.
Cloud Applications
Storing your data on a public cloud makes it vulnerable to being accessed by third parties.

Counterblast: To take advantage of the convenience of a public cloud while protecting your data from third parties, use strong encryption such as AES-256. It is a recognized cryptographic standard that prevents unauthorized access to the information even when the data is stored on a public cloud, as long as the encryption keys stay under your control.
Unpatched/Unpatchable Devices
Some network devices were never designed to be updated when security vulnerabilities are discovered, or a patch simply has not been created for them yet. That creates a weak point in your network which attackers can exploit to gain access to your data. For example, Windows Server 2003 stopped receiving security updates in 2015, which is a huge problem for companies that still use it.

Counterblast: Set up vulnerability management tooling to keep track of all devices on your network. If a device isn't being updated or patched within a reasonable amount of time, take it offline. If you're using Windows Server 2003, plan a migration strategy and move on to something more secure. If you lack the expertise to do so, there's no shame in hiring a professional to assist you.
Outsource Service Providers
Many companies rely on outsourcing to maintain their networks. Those third parties don't always follow security best practices, which leaves your network defenseless against attack. Over three-fourths of all data leaks are caused by exploiting the remote-access channels used by such contractors. Even though they may do a great job of securing your network from malware, you can't always trust them to keep you safe from a deliberate attack.

Counterblast: If you're outsourcing network maintenance to a contractor, ensure that they follow appropriate security practices, including multi-factor authentication, unique access credentials, defined permissions, and a log of all remote access. You should also disable all third-party accounts as soon as they are no longer needed, and keep a close eye on unsuccessful logins, which are a strong sign of a potential attack coming your way.
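To show what the logging-and-alerting advice in the Internal Attacks and Outsource Service Providers counterblasts above looks like in practice, here is an added example (not from the original post or from Alpha Serve) that runs three checks over constructed audit-log lines: any activity on an account that should have been closed at offboarding, admin actions from an account not on the privileged list, and a burst of failed logins. The log format, the account names and the thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-log format (hypothetical; not a real Jira/Confluence format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"result=(?P<result>SUCCESS|FAILURE) src=(?P<src>\S+)$"
)
OFFBOARDED = {"old_admin"}               # should have been disabled at offboarding
PRIVILEGED = {"sysadmin", "vendor_svc"}  # the only accounts allowed admin.* actions
FAILED_THRESHOLD = 3                     # this many failed logins per account ...
FAILED_WINDOW = timedelta(minutes=5)     # ... inside this window raises an alert

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
2024-03-01T09:00:00Z user=jdoe action=login result=SUCCESS src=10.0.0.5
2024-03-01T09:01:10Z user=old_admin action=login result=SUCCESS src=203.0.113.9
2024-03-01T09:01:15Z user=old_admin action=admin.export_project result=SUCCESS src=203.0.113.9
2024-03-01T09:05:00Z user=vendor_svc action=login result=FAILURE src=198.51.100.7
2024-03-01T09:05:30Z user=vendor_svc action=login result=FAILURE src=198.51.100.7
2024-03-01T09:06:00Z user=vendor_svc action=login result=FAILURE src=198.51.100.7
2024-03-01T09:30:00Z user=jdoe action=admin.change_permissions result=SUCCESS src=10.0.0.5
""".splitlines()

def parse(line):
    """Return a dict for one log line, or None for a malformed line (skipped, not fatal)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["when"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev

def analyze(lines):
    """Return a list of (rule, user, timestamp) alerts, in log order."""
    alerts = []
    failures = defaultdict(list)  # per-account timestamps of recent failed logins
    for ev in filter(None, map(parse, lines)):
        if ev["user"] in OFFBOARDED:
            alerts.append(("offboarded_account_used", ev["user"], ev["ts"]))
        elif ev["action"].startswith("admin.") and ev["user"] not in PRIVILEGED:
            alerts.append(("unexpected_privileged_action", ev["user"], ev["ts"]))
        if ev["action"] == "login" and ev["result"] == "FAILURE":
            recent = failures[ev["user"]]
            recent.append(ev["when"])
            # keep only failures inside the sliding window, then check the count
            recent[:] = [t for t in recent if ev["when"] - t <= FAILED_WINDOW]
            if len(recent) == FAILED_THRESHOLD:
                alerts.append(("failed_login_burst", ev["user"], ev["ts"]))
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(*alert)
```

In a real deployment the offboarded and privileged sets would come from the HR and IAM systems rather than being hard-coded, and the alerts would feed a ticket or SIEM rather than stdout.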
2-Factor Authentication as One of the Instruments to Protect Data
2FA, or two-factor authentication, is also known as two-step verification and dual-factor authentication. This security process requires the user to provide two different authentication factors when verifying their identity. This more involved login better protects the user's credentials and the resources they are trying to access.

Compared to SFA, or single-factor authentication, two-factor authentication guarantees a higher security level. With single-factor authentication, entering a password is enough to log in. Two-factor authentication doesn't rely on a password alone; it asks for a second factor, which may be a security token or a biometric such as a facial scan or a fingerprint.

Undoubtedly, two-factor authentication enhances security. It makes it impossible for an intruder to pass identity verification knowing only the victim's password. With this additional control, there is no longer easy access to someone else's devices and online accounts.

In truth, two-factor authentication is not a brand-new technology; it has been around for some time. Enterprises providing online services have used it to restrict access to data and systems they consider sensitive. Today 2FA is gaining popularity very fast. Responsible entrepreneurs protect their customers' credentials from hackers who hunt for password databases or run phishing campaigns to steal user passwords.
Key Features of 2FA Plugin as a Solution to Protect Jira/Confluence Data
We have already mentioned above that it is utterly important to secure data at the project level. Read on to learn the essential details of the security solution used with the Jira/Confluence project management tools for data protection.

Project management tools have no 2FA option built in by default. However, the desired functionality can easily be added with the 2FA plugin. This next generation of secure authentication for Atlassian tools is the most powerful solution one can find online these days. Moreover, the 2FA: U2F & TOTP plugin is the first on the marketplace that allows a U2F device to be used as the second authentication factor.

It lets you set users' login requirements; for instance, you define whether they must always pass 2FA, and so on.
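The TOTP factor named in the plugin is the "security token" kind of second factor described in the 2FA section above: a six-digit code derived from a shared secret and the current 30-second time step. The following is an added example (not code from the original post, from Alpha Serve, or from the plugin) that implements RFC 4226 HOTP and RFC 6238 TOTP, plus the server-side check a practitioner needs: a small clock-drift window and rejection of a code that has already been consumed. The demo secret is the RFC test key, and the `last_counter` bookkeeping is an assumption about how a server would store state.

```python
import hashlib
import hmac
import struct
from typing import Tuple

STEP = 30    # seconds per time step (RFC 6238 default)
DIGITS = 6   # code length shown by authenticator apps

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: int) -> str:
    """Time-based code (RFC 6238): HOTP over the current 30-second step."""
    return hotp(secret, now // STEP)

def verify_totp(secret: bytes, code: str, now: int,
                last_counter: int = -1, window: int = 1) -> Tuple[bool, int]:
    """Check a submitted code against the current step and +/- `window` steps.

    Returns (accepted, counter_to_store). The caller persists the returned
    counter per user, so a code that was already accepted cannot be replayed
    even while it is still inside the time window.
    """
    current = now // STEP
    for candidate in range(current - window, current + window + 1):
        if candidate <= last_counter:
            continue                              # already consumed: reject replay
        # constant-time comparison so timing does not leak matching digits
        if hmac.compare_digest(hotp(secret, candidate), code):
            return True, candidate
    return False, last_counter

if __name__ == "__main__":
    import time
    # Demo secret from the RFC test vectors; a real enrollment uses a random key
    # shared once with the authenticator app (usually as base32).
    secret = b"12345678901234567890"
    print("current code:", totp(secret, int(time.time())))
```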
Main Features
  • Security. All data across your networks, sites, devices, and platforms is reliably protected with leading encryption technologies (e.g. TEE, 2048-bit encryption, ECC keys, and more). Two-factor authentication guarantees solid user security.

  • Simplicity. 2FA is easy to integrate and use. For each login the software sends a push notification and enables simple, immediate mobile authentication. Your credentials are not stored on a server, which makes security even stronger. You will be surprised by how quick and foolproof the plugin's implementation is.

  • Credibility. Customers trust companies that take security seriously. That's why control over your on-premise server and protection of all logins, for employees and customers alike, are essential.

  • Protection. Two-factor authentication is flexible enough to adapt to your personal requirements. The next-gen authentication works on all sorts of modern devices, be it a Mac, an iPad, or something else. You don't always need a smartphone to pass the check.

  • Customization. Custom apps (via the SDK) are easily integrated with multi-factor authentication. This means you can upgrade and secure your app by enabling 2FA for any login.

  • Easy restoration. A lost or stolen device (smartphone, desktop PC, whatever) may be frustrating, but you still have your restoration code and backup ID. This saves you additional administration expenses: you simply don't need to pay anything to restore access to your account.

  • On-premise and cloud-based solutions are available. The services are scalable and tailored for companies, web resources, and individual users. You can choose between several available solutions for running your authentication server securely.

  • You don't need to worry about the security of your credentials with 2FA. The 2FA: U2F & TOTP solution is the only one on the market that neither transmits nor stores your confidential information on a server.
In Conclusion
We hope this article was useful to those business people who realize that a breach is more a matter of "when" than of "if". That's why managers at all levels must do their best to minimize the possible impact of a security breach or leak: conduct a risk assessment, identify where valuable data resides, and find out what controls or procedures are in place to protect it.

You also need to build out a comprehensive incident response and disaster recovery/business continuity plan, determine who will be involved, from IT to legal to PR to executive management, and, of course, test it.

And of course, you should always play on the safe side so as not to leave cybercriminals a single chance. Use innovative data protection solutions for the project management tools you employ.