Threats to cybersecurity should be considered one of the top five business risks in any resource organization. The embarrassment, damage and financial loss caused by recent attacks on large organizations have highlighted both the sophistication and ingenuity of malicious hackers. This has made cybersecurity a key agenda item in many boardrooms.
Good security practices limit the risks of intrusion significantly. In larger organizations, the annual spending on information technology will average between four and five per cent of revenue. A good benchmark for the annual cost of a cybersecurity program is between four and eight per cent of the IT budget. This includes the cost of software, personnel, and capital spending on equipment.
However, resource organizations are often inclined to spend a smaller percentage on cybersecurity because they perceive themselves as less exposed to risk, having less customer data to protect. Yet in the resource sector, malicious intrusion impacting plant and equipment is the critical threat and can be particularly damaging. Stuxnet, a computer worm that targets the types of industrial control systems used in infrastructure that supports facilities (i.e., oil installations and gas lines), was particularly effective in compromising a power generating plant in Iran in 2010.
A key differentiator between the resource sector and other industries is that resource organizations need to spend comparatively more on protecting their operating assets, and less on the fallout from an intrusion (in terms of legal and customer compensation). For example, Marriott Hotels recently had 500 million customer accounts compromised. That incident in itself probably will not impact the operations of the hotel, but customer loyalty may be affected as a result of the intrusion on personal data, and the fallout could be significant.
So, the question for any resource organization is how much to spend and what to defend. There are three areas to protect: the company’s network, equipment and data.
An organization’s network offers intruders an initial target. The actions of an attacker usually start with a period of reconnaissance to determine the best course of attack, leading to the installation of malicious software on the target’s systems and the eventual theft or misuse of valuable data. Early detection of a malicious intruder limits the costs of an attack, so spending on upfront defence systems is a good idea.
Defence equipment tools include firewalls and intrusion detection systems (IDS), which vary in sophistication depending on price. A first line of defence is a firewall, which is a system that monitors what enters and exits the network and stops intrusions. Firewalls have become more complex to counteract the shrewdness of attackers; however, there are many on the market that meet the perceived vulnerabilities of most organizations.
An IDS actively searches for attempted intrusions and deflects attack by repelling malicious data. Sometimes hackers employ networks of compromised computers (called bots, and collectively a botnet) to perpetrate an intrusion. Purchasing a botnet filter is an effective measure against this.
With the proliferation of personal devices, many current systems of defence look for anomalies in communications between a remote user and local systems. Sophisticated organizations use traps to lure an attacker to a contained part of the system where the attack is neutralized.
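To make the anomaly-based approach described above concrete, here is an added illustration that is not part of the original article: a small Python check that reads constructed remote-access log lines (timestamp, user, source country, bytes sent out) and flags a session when it falls outside business hours, comes from a country that user has never connected from, or moves far more data than that user's past sessions. The log format, the business-hours window and the volume threshold are all assumptions chosen for the example; a real deployment would derive its baseline from weeks of history rather than a handful of lines.

```python
"""Toy anomaly detection over remote-access logs (added example, not from the article).

Assumed constructed log format, one event per line:
    ISO-8601 timestamp,username,source country code,bytes sent out
Each event is judged only against that user's *earlier* events, so the check
works as a stream and does not let an anomalous event contaminate its own baseline.
"""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed sample log: the 02:17 line is the one a defender would want flagged.
SAMPLE_LOG = """\
2024-03-04T09:12:00,alice,CA,120000
2024-03-04T10:40:00,alice,CA,95000
2024-03-05T08:55:00,alice,CA,110000
2024-03-04T14:05:00,bob,CA,30000
2024-03-05T15:30:00,bob,CA,42000
2024-03-06T02:17:00,alice,RO,4800000
2024-03-06T11:00:00,bob,CA,35000
"""

BUSINESS_HOURS = range(7, 20)   # assumption: 07:00-19:59 local time is "normal"
VOLUME_FACTOR = 5               # assumption: flag if bytes_out > 5x the user's median
MIN_HISTORY = 2                 # need this many prior events before judging volume


def parse(log_text):
    """Turn the raw log text into a list of event dicts; blank lines are skipped."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, country, nbytes = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "country": country,
            "bytes": int(nbytes),
        })
    return events


def find_anomalies(events, business_hours=BUSINESS_HOURS,
                   volume_factor=VOLUME_FACTOR, min_history=MIN_HISTORY):
    """Return a list of (timestamp, user, reasons) for events that deviate
    from that user's own history. Reasons are human-readable strings."""
    history = defaultdict(list)   # user -> prior events, in time order
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        prior = history[ev["user"]]
        reasons = []

        # 1. Off-hours access: does not need any history to evaluate.
        if ev["ts"].hour not in business_hours:
            reasons.append("off-hours")

        # 2. New source country: only meaningful once we have seen the user before.
        if prior and ev["country"] not in {p["country"] for p in prior}:
            reasons.append(f"new country {ev['country']}")

        # 3. Unusual outbound volume: compare against the median of prior sessions,
        #    but only once there is enough history to make a median meaningful.
        if len(prior) >= min_history:
            median_bytes = statistics.median(p["bytes"] for p in prior)
            if ev["bytes"] > volume_factor * median_bytes:
                reasons.append(
                    f"volume {ev['bytes']} > {volume_factor}x median {median_bytes:.0f}")

        if reasons:
            findings.append((ev["ts"].isoformat(), ev["user"], reasons))
        prior.append(ev)   # record the event only after judging it
    return findings


if __name__ == "__main__":
    for ts, user, reasons in find_anomalies(parse(SAMPLE_LOG)):
        print(f"{ts} {user}: {'; '.join(reasons)}")
```

Running it on the constructed log reports a single event, alice's 02:17 session from a new country moving roughly forty times her usual volume, with all three reasons attached. The point of scoring against each user's own history is that a deviation for one user (a large transfer for bob) may be routine for another, which is why the check avoids a single global threshold.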
All major network gear manufacturers provide capable defence equipment and software. In making a selection, resource organizations should consider those with expertise in infrastructure-operating assets.
Management personnel at any resource organization should be educated on the risks of cybersecurity threats and how to adopt a culture of safety. This is well understood in other parts of the operation, so why not information systems?
Here are five key security measures to follow:
1. Value what you are trying to protect. This will dictate how much to spend. Any data, whether operations assets or customer data, that gives you a competitive advantage should be a priority.
2. Each employee has a part to play to safeguard systems and data. Policies and continuous training should reinforce a culture of cyber safety.
3. Restrict access to equipment and data to those who truly need it.
4. Maintain high-quality equipment and up-to-date software. Hackers are more likely to exploit older systems.
5. Have a trained response team ready in the event of an attack.
In summary, investment in systems to counter cyberattacks is essential, but cybersecurity should not be confined to the IT department. As with any business asset, all employees should be responsible for securing data, using it safely, and protecting it against damage or theft. In turn, management has a responsibility to evaluate risk and deploy resources to defend against attack effectively and efficiently.
Bill Ross is a former energy industry executive who leads Vercerta, a consulting practice that specializes in risk-management advice.