It seems hardly a week goes by without news of another high-profile cyberattack. The stories that attract the most attention usually involve major retailers or big banks that store personal data. But the risk to mining and metals companies is just as great.
In the recent EY Global Information Security Survey, 55% of energy and resource companies said they experienced a significant cybersecurity incident in the past 12 months. But only 34% of these companies’ boards reported having sufficient cybersecurity knowledge to ensure effective oversight of cyber risks. With cybercriminals showing more sophistication with each passing year, and mining companies quickly becoming more digital, there is a serious, unsustainable gap between boards’ operating needs and their security needs.
Combined with how dire the consequences of an attack can be – putting everything from employee health and safety to supply chains and brand reputation at risk – this means miners need a “step change” in thinking.
It starts with the right questions
To be prepared, organizations must apply good risk management principles, and this starts with viewing cyber risk as a business issue – not one that should be relegated to the IT department. Start by asking the following questions:
- Do I understand the cyber threat landscape? No step change is possible unless miners know the unique threats they face, and the vulnerabilities that make their organization susceptible. This is the foundation on which any plan is based and is thus a critical first step.
- Do I have a baseline of cyber controls? This baseline should align with the organization’s top threats and be continually evaluated to ensure controls are effectively protecting high-value assets and critical business data (enterprise IT and business applications; treasury, financial and commodity trading; commercially sensitive data; and operational technology).
- Have I developed a cybersecurity framework? This allows businesses to consistently and accurately identify cyber control gaps and threats, and the actions required to achieve the target risk profile.
Foster a culture of cybersecurity
As important as it is to understand the landscape and risk profiles, none of it will amount to much if an organization lacks buy-in at the executive and board level. To be fair, mining organizations face no shortage of competing priorities as they emerge from a prolonged period of sluggish performance.
There are as many places to invest as there are fires to extinguish.
But don’t fall into the trap of approaching cybersecurity as just another line item. By some estimates, 80% of business relationships will soon be managed without human interaction – and mining companies are no exception. Many are currently taking a hard look at the value of automation. Every stage of digitization creates new exposure to cyber risk. Viewed in this light, cybersecurity must be seen as a business imperative for miners. Without that level of commitment, neither the funding nor the internal momentum required for substantial change will materialize.
Championing cybersecurity is all about positioning. Make a point of using language that resonates in boardrooms. Business leaders care about business performance, and any perceived risk to the bottom line, or anything that may interfere with mission-critical operations, will be taken seriously. Viewed in this way, cybersecurity is not an IT risk, but rather an operational risk that warrants serious attention.
Next, come with a plan that lays out clear value at every step.
Show how progress can be made not only by detailing the remediation steps already in motion, but by articulating the defence-in-depth approach being taken to protect critical assets and reduce the company’s cyber risk exposure.
Finally, look outside the company walls for allies. Internal budget requests will always be met with some degree of skepticism by leadership, and are easily dismissed as managers fighting for departmental dollars. An assessment conducted by an independent and impartial third party, however, can lend more weight to the cybersecurity argument and spell out the “why’s and how’s” in starker and more objective terms.
Every organization has the ability to reduce the threat posed by cyber attackers. By drawing up the right plan, carefully implementing it according to priorities and working to build security into the operational mindset, mining companies can stake out a leadership position, and ensure they reap the full rewards now that better times have returned.
YOGEN APPALRAJU is the EY Canada national cybersecurity leader. He is based in Toronto. For more cybersecurity insights, visit www.ey.com/ca/cyber.