Cyber hacking and the breach of information systems security are emerging as one of the top risks to the mining and metals sector. The threats are real and on the rise, according to Ernst & Young.
In fact, our Global Information Security Survey 2013 found that 41% of the mining and metals respondents experienced an increase in external threats over the past 12 months, with 28% experiencing an increase in internal vulnerabilities over the same period.
Criminals are attracted to the sector because of the massive cash flows generated by its investments. They understand the increasing dependence of mining and metals on technology, and are actively looking for ways to deny access to data, processes and equipment.
4 reasons for the increase in cyber hacking
- Centralised functions make easier targets
As a result of increasing cost rationalisation, many business functions are being centralised across the supply chain. This has translated into the need for more sophisticated IT systems and network infrastructure to connect a geographically diverse workforce, increasing an organisation’s exposure to, and dependency on, the internet. With the trend toward remote operation to improve cost efficiency, there is a convergence of IT and OT (operational technology). This provides cyber hackers with an access path from the internet to the operational systems. OT systems are often less secure because many older systems were not designed with security in mind.
- Government-led cyber attacks
Intelligence agencies and the military of sovereign states, and their funded unofficial affiliates, have become increasingly active in cyber warfare. Their enormous capabilities are being directed at economic warfare and espionage against key industries, posing a real threat to mining and metals organisations. The objective may be the passive collection of commercially sensitive intelligence to assist national or state-owned companies in contract negotiations. However, the objective may be more sinister, with the use of malware to incapacitate important facilities (made infamous by the Stuxnet attack on Iranian nuclear facilities).
- The rise of the informal activists
In trying to maintain their social licence to operate, mining and metals companies endeavour to meet as many stakeholder demands as they can, but invariably cannot meet them all. Some more militant and extreme activists with unsatisfied demands can turn to hacking. They may disrupt mining and metals companies’ activities, expose confidential information and create communications mischief, such as defacing websites or triggering false announcements. Hacktivists’ use of cyber hacking to pursue a political agenda is a real risk in today’s operating environment.
- Formal security programs not widely deployed
Surprisingly, 44% of the mining and metals survey respondents indicated that their organisations do not have a threat intelligence program in place, and a further 38% have only an informal one. This leaves them ill-equipped to identify a cyber hacking or information security threat. It also means these organisations would not have the benefit of an early warning, or of being prepared for a breach, potentially increasing its impact.
Addressing the threats head on
Effective information security matters, yet only a small percentage of mining and metals respondents (18%) consider that their information security function fully meets the organisation’s needs. There is a long way to go in protecting organisations from these threats.
There is usually not an organisation-wide risk management approach to these threats. Often, they are viewed as an information systems security issue, and therefore the threat is narrowly defined and not widely embraced. A top-down approach needs to be taken to these threats in order for countermeasures to be taken effectively. The executive level needs to understand and address this issue to secure both the budget and the buy-in to ensure information and operational security.
Steps to combat cyber hacking and bolster information security
- Making information security a board-level and senior management priority
- Developing an integrated strategy around corporate objectives, and considering the whole risk landscape
- Using data analytics to test the risk landscape and better understand the data/systems you need to protect the most
- Identifying the potential interest groups who would benefit from access to your organisation’s systems and information
- Assessing the current systems and understanding their vulnerabilities and where a breach could likely occur
- Understanding the laws and regulations that help protect your organisation from a cyber attack and building a relationship with the agencies that enforce them
- Creating a cyber threat or attack response protocol
- Using a three- to five-year horizon for budgeting to enable long-term planning
- Creating a working team across the organisation that includes senior management, risk advisors and information systems
- Ensuring accessibility to data across all the organisation’s systems
- Using data analytics to identify potential threats or a pattern of attacks
- Conducting attack and penetration tests more frequently
- Innovate, innovate, innovate
This article first appeared in Mining Uncovered and has been re-published with kind permission of Ernst & Young Global Limited.