In the last eight years, there have been 10 large-scale cyber hacks at mining companies that have caused major damage, including significant data breaches. The bad news? The frequency of these types of attacks is increasing, and fending off hackers in a rapidly changing environment is no easy task.
But on the flip side, companies can make themselves less attractive to cyber attackers. The first step is to determine exactly where they’re vulnerable – before a threat becomes serious. Here are five things companies can do now to proactively ward off cyber threats.
Understand your risk exposure
The entire mining sector – from urban corporate offices to rural mine sites – has a target on its back. Mining giants are attractive to attackers because of their relationships with governments and integration with global supply chains. When attackers are successful, it’s typically because companies simply don’t invest in cyber security like they need to. According to a new EY report, “Are you protecting the right resources,” 76% of companies say they don’t have the budget for comprehensive plans. Given the number of recent breaches, investing in a security system is no longer optional. Competitors, hacktivists and state-sponsored groups all have something to gain once they reach the motherlode.
Identify critical information and assets
Attackers know what they want: confidential information, intellectual property and M&A details. But the biggest threat right now is to the industrial control systems – if a hacker is able to control the mine remotely, it puts safety, security and all the mine’s information at risk. Furthermore, hackers can install malware and demand ransoms in order to restore functions. That makes resolving the situation even more urgent, and the possible damage done by the attack even more significant. To combat this, security teams need to develop overarching cyber strategies, but also specific strategies to protect operational technology, critical and personal information and a mine’s infrastructure.
Admit weaknesses in current cybersecurity program
Many mining companies admit their security systems are vulnerable to attack. That’s in part because so many of their technologies and systems are integrated. A vulnerability intelligence program is a key tool for finding out how those systems are working together, but only 27% of respondents to EY’s Global Information Security Survey say they have one – and almost half (47%) admit they can’t detect a sophisticated attack.
Map out priorities
An air-tight cybersecurity plan should focus on:
- Operational technology: This function should work with information technology to make sure the architecture around remote access is well-secured.
- Emerging technologies: Mobile technologies, machinery automation and cloud integration are often adopted quickly, and before they can be tied into cyber security systems. Beware: their ease of use can provide a window of opportunity for hackers.
- M&A: These generate a huge amount of confidential information. Security needs to be looped in early in the process to make sure that information is safe and both companies involved are protected.
- Third party management: Different parts of the supply chain can have fewer security controls and can put the whole ecosystem at risk. History shows us that third party vendors can be used as a launch point into a mining company’s system. Any data generated between two companies needs to be protected, shared and stored securely.
Validate the system is working
Once a security system is implemented, it needs to be monitored by the entire team: security leaders, senior management, risk advisors and information systems. One of the most effective ways to do this is through regular attack and penetration tests. And, just like any other piece of equipment, security systems need maintenance and quality control. That way, any upgrades can be anticipated and implemented in a cost-efficient way.
Almost every year, we find cyber security to be a top risk to the mining and metals sector – a risk that isn’t going away any time soon. The threats are real, effective and on the rise. Companies can’t turn a blind eye any longer. They need to make the right investments and allocate the appropriate resources to protect their livelihood and fend off potentially disastrous cyber attacks, before it’s too late.
Abhay Raman is EY’s Cyber Risk Services Leader.