
Cybersecurity and metals and minerals: striking a delicate balance

A recent metals and minerals cybersecurity roundtable opened doors and invited discussion on some of the industry’s biggest challenges.


In brief
  • As metals and minerals organizations digitize to secure their leadership position, the sector's growing attack surface is drawing attention, with cybersecurity incidents on the rise.
  • We hosted a group of cybersecurity professionals from leading organizations, opening up dialogue around some of cybersecurity’s hottest topics.
  • The discussion on AI risks, incident response and the impact of human error created a valuable exchange with clear action items and takeaways for attendees.

With cybercrime topping headlines and technologies used by threat actors advancing each day, sometimes a village is just what’s needed to help safeguard businesses and combat the risks to stay a step ahead.

Recently, an EY-hosted roundtable “meeting of minds” brought together a group of cybersecurity leaders representing some of the most innovative metals and minerals organizations to exchange experiences, learn from one another’s challenges and establish a network to draw from as the threat landscape continues to surge and corporate programs evolve to keep pace.

On the agenda? Leveraging artificial intelligence (AI) to enhance operational efficiency and security, sharing best practices for incident response and compliance and the latest strategies for preventing fraud stemming from human error.

Cybercrime is expected to cost companies $10.5 trillion globally in 2025 [1], a number expected to climb to almost $14 trillion by 2028 [2]. The average ransomware payout almost doubled in one year, from $812,380 in 2022 to $1,542,333 in 2023 [3]. And businesses shelled out an average of $4.88 million last year to address data breaches [4].

The numbers are daunting. Whether you're in Canada or Cameroon, mining gold and diamonds or extracting potash and gravel, no metals and minerals organization is completely safe from attack. But through collaboration and shared insights, the industry can keep its ear to the ground, focus on proven defence strategies, close known vulnerabilities and shrink its attack surface, adding an extra layer of protection to already sound cybersecurity action plans.

New horizons in AI

There's no doubt that AI is reshaping core capabilities in business and across organizational operating models. The ready availability of data is rapidly expanding what these systems can do, and more businesses are looking to AI to generate value.

Interacting with AI no longer requires the advanced specialists it once did. Human-executed processes, supported by data and powered by technology, are becoming technology-executed processes powered by data, with human oversight and governance. Metals and minerals organizations are benefitting from improved productivity, with use cases ranging from exploration and operations to processing, transport, sales and marketing. AI is completing tasks such as subsurface geological modeling and viability assessments, core scanning, optimal extraction planning, predictive maintenance, environmental impact reduction and much more.

But such reliance introduces risk. AI "hallucinations", incorrect or misleading results generated by AI models, raise valid concerns around accuracy and trust. The collection and use of data raise questions about sensitive information being exposed through public AI services. And with new vulnerabilities likely to surface as organizations rely more heavily on AI to connect IT and operational technology (OT), what do they need to do today to ready themselves for the future?

Defining solid data governance and management initiatives is a good start, as is AI governance, if we are to expect a positive outcome from any AI initiative. While roundtable attendees had such security strategies in place, most admitted to approaching AI scenarios on a case-by-case basis or at a limited scale, using it, for example, to track licences and contracts that could take human counterparts months to follow up on. The possibility of data leakage and the shape of go-forward governance topped their list of concerns.

And although shadow AI and the unsanctioned use of tools like ChatGPT are raising eyebrows, most agreed they had identified and locked down sensitive information and were keen to explore new capabilities in a controlled environment, stressing the importance of training and awareness for their teams.

Phishing emails have become more believable than ever, and social engineering built on synthetic media, such as AI-generated deepfakes of senior executives, is growing increasingly sophisticated.

Education and communication of the latest cybersecurity tactics are paramount, but they must work hand in hand with up-to-date technical controls to limit an organization's exposure: a well-trained employee can still be fooled by a convincing deepfake, so safeguards such as phishing-resistant multi-factor authentication and mandatory out-of-band verification of payment and bank-detail changes should not depend on anyone spotting the fake.

Likewise, third-party risk management is a significant concern. Organizations are weighing whether they have the in-house capability to build the tools they need, or whether navigating the complex vendor landscape would serve them better when it comes to end-to-end protection.

“The truth is there’s no one-size-fits-all silver bullet for AI,” explains Carlos Perez Chalico, Cybersecurity, Data Protection and Privacy Partner, with EY Canada, adding that chief information security officers (CISOs) need to articulate the value of cybersecurity to the enterprise and instill confidence that they can integrate elements and manage emerging technologies securely. “Companies will have to assess applicability as AI continues to redefine itself, weighing use case against what’s most important to the organization, and controls and tools they have in place against risks to ensure it’s worth it,” Perez Chalico adds.

Response ready

Whether AI is right for an organization is a corporate decision. But a topic that roundtable attendees could uniformly agree on was the need for a solid incident response preparedness plan, with clearly defined roles and responsibilities for first responders, particularly when responding to material events. In addition, robust data classification, labeling and data protection, rolled out in tandem with AI programs, will be essential to address the security and privacy concerns those programs raise.

Cyberattacks are in constant motion. The latest U.S. Securities and Exchange Commission (SEC) disclosure rules require a registrant to report a cybersecurity incident within four business days of determining that it is material, while leaving the materiality judgement to the registrant. Organizational priorities will therefore need to be held up against a comprehensive risk matrix to determine materiality quickly and guide decision-making.

For effectiveness, plans need to be resilient; designed top down with materiality and reporting requirements clearly defined but implemented bottom up so appropriate action can be taken. And, perhaps most importantly, plans must be updated continually to backfill any gaps or vacancies.

Consensus across the board called for a readily accessible cybersecurity incident response plan with necessary playbooks, predetermining reporting and communications parameters, individual responsibilities and outlining the steps in managing different types of crises. Building them cross-functionally with IT, cyber, risk and compliance and operational teams at the table will help ensure that the appropriate controls are in place before an incident occurs.

"Some companies say they have governance and oversight and a pre-incident workflow, and that they pressure-test technology to help prepare their teams," explains EY Canada Cybersecurity Managed Services Practice Leader and Partner, Umang Handa. "But full-blown crises involving groups outside of IT, like legal and regulatory, or bigger incidents that have the board pushing for resolution, also need to be simulated to determine the effectiveness of outputs. More regulated sectors have been doing this for some time, but it's starting to translate to other industries like metals and minerals, which may not yet have such plans in place," Handa adds.

What about relying on the playbooks built into tools like Microsoft Sentinel, the automated response workflows it runs on Azure Logic Apps? They're a good start, Handa believes, but if an incident comes up, how quickly can they be located? Do teams across the business know who to contact and what actions need to be taken quickly? Are lines of reporting and communication clearly spelled out?

While technologies can make the planning process easier, out-of-the-box offerings still require customization. Emergency shutdown procedures in a mine, for example, require local engineers to decide whether shuttering is warranted. If all players are dovetailed into the process and take part in regular simulations, leadership and office personnel are far more likely to be on the same page. Should computers be affected and visibility lost across the miles, or should threat actors read internal conversations on collaboration platforms like Microsoft Teams and compromise communication, responders can still act with confidence, knowing they are delivering against agreed-upon plans. That confidence depends on the plan naming a pre-agreed out-of-band channel, such as a separate conferencing service or verified phone tree, that does not run on the systems under investigation.

To err is human

In addition to these challenges, best laid cybersecurity plans can still go astray due to human error — often considered the weakest link. It’s no longer just phishing attacks that need to be defended against, but “vishing” — voice-based impersonation — and “smishing” — SMS-based attacks that lure users into sharing credentials or clicking links.

By way of example, let’s say you’ve implemented security controls using layered defenses and launched comprehensive, mandatory cybersecurity risk training for all employees. Your newsletter speaks to the importance of staying vigilant and you simulate phishing emails throughout the year to keep people on their toes.

But an urgent email comes in from the CEO, asking accounting to update a vendor in their system and pay an outstanding invoice. The email looks legitimate, but it's not the CEO messaging, and not your vendor. The controls in place didn't fail; the threat actors simply did their homework and manipulated their target based on what they discovered. What would have stopped the payment regardless of how convincing the email was is a standing rule that any change to vendor bank details is confirmed by callback to a previously verified number, never to a contact supplied in the requesting message, and that payments above a threshold need a second approver.

Now imagine a caller who sounds like the CEO dials in, asking for a funds transfer. Except it's a deepfake, and the person calling is a scammer. The rise of generative media and deepfakes has led to attacks that bypass technical controls entirely by targeting the human decision instead.

When relying on manual human processes such as these, awareness is the first line of defense. The example above was a real lesson learned and shared by a roundtable attendee that got participants thinking differently.
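The executive-impersonation email in the scenario above leaves signals that can be screened for before anyone in accounting acts on it. The following is an added example, not code from the article or from EY: a heuristic triage check that parses a raw message and flags display-name impersonation of a known executive, a lookalike sender domain, a Reply-To that points elsewhere, and payment-related wording. The corporate domain, the executive directory and both sample messages are constructed for illustration.

```python
"""Heuristic screen for executive-impersonation (BEC) emails.

Added example, not from the original article. The corporate domain,
the executive directory and the two sample messages are assumptions
constructed for illustration.
"""
import email
import email.policy
from email.utils import parseaddr

CORPORATE_DOMAIN = "example-mining.com"  # assumption: hypothetical domain
EXECUTIVES = {"jane doe": "jane.doe@example-mining.com"}  # assumption

# Wording commonly seen in payment-diversion requests.
PAYMENT_KEYWORDS = ("wire", "invoice", "bank details", "payment",
                    "urgent", "update the vendor")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typo-squatted domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain: str) -> bool:
    """A domain that is nearly, but not exactly, the corporate domain.

    Two edits covers dropped letters (.co), swapped characters (1 for l)
    and added hyphens; very short unrelated domains may also fall within
    two edits, so this is a triage signal, not a verdict.
    """
    domain = domain.lower()
    return domain != CORPORATE_DOMAIN and edit_distance(domain, CORPORATE_DOMAIN) <= 2


def screen(raw: str) -> list:
    """Return the list of BEC indicators found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()

    findings = []
    # Executive's name in the display name but a different mailbox behind it.
    if name.lower() in EXECUTIVES and addr.lower() != EXECUTIVES[name.lower()]:
        findings.append("display-name-impersonation")
    if lookalike(from_domain):
        findings.append("lookalike-domain")
    # Replies silently routed to a mailbox the attacker controls.
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append("reply-to-mismatch")
    if any(k in text for k in PAYMENT_KEYWORDS):
        findings.append("payment-request")
    return findings


def verdict(findings: list) -> str:
    """Hold for callback verification when a payment request carries any
    impersonation signal; otherwise let it through to the normal queue."""
    sender_signals = set(findings) - {"payment-request"}
    return "hold" if "payment-request" in findings and sender_signals else "allow"


# Constructed sample: the CEO-fraud email from the scenario above.
BEC_SAMPLE = """From: Jane Doe <jane.doe@example-mining.co>
To: accounts@example-mining.com
Reply-To: jane.doe.ceo@mail-example.net
Subject: Urgent: update the vendor record and pay outstanding invoice
Content-Type: text/plain

Please update the vendor with the bank details below and release the
outstanding invoice today. I am in meetings, so reply here, not by phone.
"""

# Constructed sample: a routine message from the real executive mailbox.
LEGIT_SAMPLE = """From: Jane Doe <jane.doe@example-mining.com>
To: accounts@example-mining.com
Subject: Q3 site visit schedule
Content-Type: text/plain

Attached is the draft schedule for the Q3 site visit. Comments welcome.
"""

if __name__ == "__main__":
    for label, sample in (("bec", BEC_SAMPLE), ("legit", LEGIT_SAMPLE)):
        found = screen(sample)
        print(label, found, verdict(found))
```

The check is deliberately a triage aid: it tells the mailbox owner or the SOC which messages to hold, and the authoritative control remains the callback to a number verified before the request arrived. A DMARC policy of `p=reject` on the corporate domain closes the case where the attacker forges the exact domain rather than a lookalike, which this heuristic cannot see.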

To protect against human error, changing behaviour is key, particularly with an organization’s most vulnerable, privileged or potentially targeted individuals. Human risk assessments can help categorize the cybersecurity level of employees, establish risk profiles and risk scores, and define actions to better secure them — from specialized training to awareness initiatives.


Summary

Crisis management is not new, but today's triggers are growing harder to predict. Strengthening one's security posture can reduce costs, liability and recovery effort.

Securing AI where it resides demands well-governed processes, policies, roles and standards for usage.

By helping organizations adopt tools such as Microsoft Purview Data Security Posture Management (DSPM) and DSPM for AI, and monitor security events by proactively hunting, detecting and mitigating threats through managed detection and response (MDR) services, we're pairing deep metals and minerals experience with insights to help your teams focus on what matters most - shaping your future with confidence.
