Three actions miners can take to limit growing cybersecurity risks
Mining and metals companies are putting their foot on the gas in the face of economic reopening. As teams address challenges and prepare for optimal efficiency, they cannot ignore a major growing risk: cybersecurity.
There is no denying this increasing threat. The recent EY Global Information Security Survey finds that more than three-quarters of respondents have seen a rise in the number of disruptive cyber attacks in the last year as businesses increasing rely on digital and autonomous tools.
The thing is, as businesses adapt to new digital and online measures, threat actors adapt with them, using new strategies.
And commodity companies certainly aren’t immune. The hackers who shut down the U.S. Colonial Pipeline earlier this year used ransomware-as-a-service that can be found on the dark web. And the individuals who infiltrated SolarWinds in 2020 did so via a sophisticated supply chain attack that was largely unfamiliar to security teams.
For mining and metals companies, there’s a unique set of challenges. Ongoing integration between IT and OT networks, reliance on third parties with less secure networks and limited workforces are all creating new entry points for cybercrime. Many companies also have the added risk of having strategic minerals and commodities that needed for the future and are being targeted as countries race to acquire new world metals.
With the threat landscape evolving so quickly, it’s hard to keep up. Only half of companies in the EY survey say they understand and can anticipate the strategies attackers use. Just one in three are confident in their ability to make the supply chain suitably robust or water-tight against attacks. And, only 9% of boards declare themselves extremely confident that the cybersecurity risks and mitigation measures presented to them can protect the organization from major cyber-attacks.
These gaps and barriers highlight the growing importance of cybersecurity teams working closely with colleagues across the business, in procurement, operations and beyond to identify risks, implement protection measures and address evolving threats. The survey indicates three actions cybersecurity teams can take so they can respond with agility and resiliency.
Reassess alignment with the business: Most respondents to the EY survey admit that cybersecurity teams are not consulted, or are consulted too late, when leadership makes urgent strategic decisions. Even if this does not happen often, it only take one time for a flaw in the defences to be exploited by threat actors. The reality is that many cybersecurity teams lack the required visibility to operate in sync with other functions and pursue a strategy that aligns with the business. To address this, leaders should look to strengthen their engagement with stakeholders, ensure their alignment to core business goals and objectives, and assess their business partners’ satisfaction with the performance and delivery of security services.
Review the talent profile: To respond to organizational challenges, as well as the sophisticated nature of recent high-profile attacks, cybersecurity teams need the support of versatile, multi-skilled professionals. That means companies need individuals with advanced technical skills, as well as the ability to build interdepartmental relationships. They need people with a passion for innovation and growth – who can also detect emerging threats and find flaws in defences. But it’s difficult to find one individual who possesses all these talents. A better approach is to build teams that balance a combination of broad disciplines, understanding each has its own strengths and weaknesses.
Shift everywhere: Cybersecurity teams are familiar with the principle of “shifting left” – i.e. striving to involve cybersecurity earlier on in the transformation and product development lifecycle. However, they now also need to shift north, east, south and west. In practice, this means addressing the concerns of management at the north, focusing on reporting and accountability, as well as budgeting and resource allocation. Shifting the focus east to regulators to prioritize certifications and attestations, along with regulatory mapping. Shift south to enhance standards and testing. And shifting west to focus on security and privacy by design. If teams can position themselves in the centre of these four vital stakeholders, they’ll be in the right place to take their function to the next level of strategic influence.
Giving the cybersecurity function a seat at the table to proactively identify threats can be a vital enabler of growth. By building the right teams and education, mining companies can minimize disruptions to production, damage to equipment or loss of IP – all of which could lead to major financial and reputational losses. In an era posed for significant growth, there’s no time for error. Don’t let an avoidable cyber attack get you down.
YOGEN APPALRAJU is the cybersecurity leader at EY Canada, based in Toronto.