What MS Project Managers Can Learn from the Equifax Breach


The recent and massive data breach at Equifax shows us just how vulnerable we are in many critical ways: from attacks on our personal information to attacks on the very companies that cut our paychecks.

When thinking about safeguarding the companies that we work for, we face millions of collective hacking attempts every day, and this relentless barrage shows no sign of letting up anytime soon. In response, we collectively spend billions each year on IT security and countless hours developing security policies for every employee to follow.

You may be surprised to learn that for this particular disaster at Equifax, it was just one single task – “go patch a bit of software” – that almost brought down one of the largest data brokerages in America. The breach cost Equifax over 87 million dollars in hundreds of lawsuits to date (as well as the dismissal of an unknown number of execs and project managers alike).

In this case, it was not the forest being missed for the trees, it was a single tree that almost burned the entire company down…

What happened @ Equifax…

What precipitated this disaster was nothing uncommon: a nefarious exploit was engineered by hackers to infiltrate the Apache webserver software used by 38% of all websites on the planet, including the ones at Equifax. This type of hack happens almost every day, with Apache engineers diligently releasing patches to this mission-critical software as fast as exploits are discovered. IT professionals using Apache software are notified of exploits when found. The fix is a no-brainer – just apply a software patch!

As project managers, we are all aware of this type of scenario – our risk mitigation plans have lines that cover this common situation. We have an “If this happens, do this” clause that mitigates any damage to websites.

In the case of the Equifax breach, the “do this” part of the clause was not completed, and that overdue task was not noticed for months – a simple case of a single task missed – long enough for hundreds of millions of customer records to be stolen.

I can hear you all now, “But, how can that possibly happen to me when my plans clearly show me when a task is overdue?”

Well, in the case of Equifax, not clearly enough!

While I have a little insider information on what planning software was used by Equifax before the breach, recent job postings after the breach suggest a single desired skill for new project managers: Microsoft Project experience! I also understand that Equifax uses both the Waterfall and Agile methods in their planning processes, deploying Jira software for the latter, and that it is also known to have difficulty flagging overdue tasks.

So I have to ask, how clearly do your plans flag overdue tasks?

How to avoid a missed-task disaster…

Let’s be honest, most of our Microsoft Project plans do not adequately alert us (automatically) when a single critical task is overdue, right? One has to look at a stock schedule to see if any task is late, by comparing the planned finish date to the actual finish date, or by surmising that a task that is less than 100% complete and has a past finish date is late. In other words, we have to actually analyze the plan regularly to determine if we are in trouble or not.

Lesson-learned #1: look at your plans! This may seem like silly advice, but I can’t tell you how many plans I’ve seen that were masterfully created, and then just filed away (worst case) or looked at occasionally and lackadaisically (best case).

Assuming that you are watching your plans attentively for problems, by either manual scanning or deploying a milestone dashboard, let me recommend one more visual indicator that highlights a single missed task: a RAG indicator column.

RAG stands for Red-Amber-Green alert, and is a simple formula inserted into a custom column within your MS Project schedule. It looks like this when implemented:

Figure 1. A RAG indicator deployed in an MS Project schedule

As you can see in Figure 1, not much analysis is needed to find a late task, as you only have to recognize the color red as a warning sign. Amber is used to show a potential problem, and green indicates all is well, for now. This formula also uses the color blue to indicate a 100% complete task (i.e. nothing to worry about), just in case your Indicators column is hidden.

And once you have a RAG indicator system to key off, it is super easy to create a custom report that lists all the late tasks – or any of the other task states for that matter. Figure 2 shows what that would look like:

Figure 2. A custom report showing any late tasks in the plan – for larger plans, this is a one-click way to see them all in one go

You can download the above sample file [1] to see how this RAG system is constructed. Use the Organizer to copy these customizations into any of your own projects.
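The same red/amber/green/blue rule can also be run outside MS Project over a task export, which suits patch tasks that must not slip unnoticed. The script below is an added example, not the formula from the sample file: the CSV column names, the seven-day amber window, and the sample tasks are all assumptions constructed for illustration.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample export (not taken from the article's .mpp file).
# Column names are assumptions for this example.
SAMPLE_CSV = """Name,Finish,PercentComplete
Patch public-facing web server software,2017-03-15,0
Update firewall rules,2017-05-10,80
Rotate service credentials,2017-05-20,60
Quarterly access review,2017-06-30,10
Decommission legacy host,2017-04-01,100
Vendor security assessment,,25
"""

AMBER_WINDOW_DAYS = 7  # assumption: "potential problem" = unfinished, due within a week

def rag_status(finish, pct, today):
    """Blue: 100% complete. Red: unfinished with a past finish date.
    Amber: unfinished and due soon, or no finish date. Green: otherwise."""
    if pct >= 100:
        return "Blue"
    if finish is None:
        return "Amber"  # an unscheduled task can never go red, so surface it
    if finish < today:
        return "Red"
    return "Amber" if (finish - today).days <= AMBER_WINDOW_DAYS else "Green"

def classify(csv_text, today):
    """Parse the export and attach a RAG status to every task."""
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        raw = (rec.get("Finish") or "").strip()
        finish = datetime.strptime(raw, "%Y-%m-%d").date() if raw else None
        pct = float(rec.get("PercentComplete") or 0)
        rows.append({"name": rec["Name"], "finish": finish,
                     "rag": rag_status(finish, pct, today)})
    return rows

def late_report(rows, today):
    """Red tasks only, most overdue first, as (name, days overdue) pairs."""
    late = [(r["name"], (today - r["finish"]).days) for r in rows if r["rag"] == "Red"]
    return sorted(late, key=lambda item: item[1], reverse=True)

if __name__ == "__main__":
    today = date(2017, 5, 15)  # fixed date so the sample is reproducible
    for name, days in late_report(classify(SAMPLE_CSV, today), today):
        print(f"RED  {days:>3} days overdue  {name}")
```

Run on a schedule against a fresh export, the late report gives MS Project Standard users a list they can mail or post without opening the plan.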

Leaving no task unturned…

So, lesson-learned #2 is to use automation to alert you of late or problematic tasks, as MS Project standalone is clearly not up for that right out of the box. MS Project Server and Online users have a few great automation tricks at their disposal, such as sending out email alerts for those assigned tasks that are running late, but MS Project Standard users are left to fend for themselves and to reactively do something in this regard.

The point here is to do something! Adding a RAG indicator, setting up filters for late tasks, creating dashboards that show missed milestones, or adding variance columns are all good tricks to deploy. [2]

By leaving no task unturned or otherwise overlooked, you can avoid a potential meltdown as witnessed during the Equifax breach. To do so, put that burden on a bit more artificial intelligence, and not just rely on your own. One thing is clear, Equifax could have used more intelligence, both artificial and human, to ward off what happened.

The need for proactive vs. reactive planning tools…

One last point on the Equifax breach: it is obvious from what unfolded that whatever PM tool was being used, the tool was not proactive enough in warning managers that a critical task had been skipped or was otherwise incomplete and ready to burn down the company. If only there were enough notifications and/or warnings, this entire meltdown may have been easily avoided.

In this day and age, where we get instant and multiple notifications when our Sim City or Candy Crush tasks are late, it’s just crazy that our project-management tools don’t do better than that. In today’s market of online tools, missed critical tasks such as “patch the software, dummy” are, more often than not, flagged automagically. Those who need to be made aware of critical situations are apprised in super-bright technicolor detail.

Unfortunately, as MS Project standalone users, we have to be reactive by coding in formulas or creating special views to get adequate functionality. It seems to me this should have been an automatic feature from day one, so I urge all MS Project standalone users to make this request known to our Microsoft overlords. That is, give us proactive software, before a missed or slipped task spells disaster in one of our very own project plans.

[1] Tutorial_file_with_RAG_filters_and_reports.mpp

[2] See https://www.mpug.com/articles/looking-for-tasks-heading-for-trouble/


Written by Jigs Gaton
Jigs Gaton is CEO of Phoenix Consulting and Training Worldwide, a company that helps developers design and implement better programs and build capacity with training and other resources. Jigs has over 30-plus years of experience in both the private and public sectors working as a project manager and PM consultant. He's currently based in Kathmandu, helping organizations with post-earthquake reconstruction and other disaster-relief efforts.
1 Comment
  1. Good point Vfx. But I don’t think you need vba to do that, just create a custom report to show what you want, in the color that you want. You can also exclude Summary tasks there. Add that to your global.MPT, and then the report is just a few clicks away. Best of luck!
