Cybersecurity and metals and minerals: striking a delicate balance

A recent metals and minerals cybersecurity roundtable opened doors and invited discussion on some of the industry’s biggest challenges.

In brief

• As metals and minerals evolve to secure their leadership position, the sector’s attack surface is drawing attention, with cybersecurity incidents on the rise.
• We hosted a group of cybersecurity professionals from leading organizations, opening up dialogue around some of cybersecurity’s hottest topics.
• The discussion on AI risks, incident response and the impact of human error created a valuable exchange with clear action items and takeaways for attendees.

With cybercrime topping headlines and technologies used by threat actors advancing each day, sometimes a village is just what’s needed to help safeguard businesses and combat the risks to stay a step ahead.

Recently, an EY-hosted roundtable “meeting of minds” brought together a group of cybersecurity leaders representing some of the most innovative metals and minerals organizations to exchange experiences, learn from one another’s challenges and establish a network to draw from as the threat landscape continues to surge and corporate programs evolve to keep pace.

On the agenda? Leveraging artificial intelligence (AI) to enhance operational efficiency and security, sharing best practices for incident response and compliance and the latest strategies for preventing fraud stemming from human error.

Education and communication of the latest cybersecurity tactics is paramount but must work hand-in-hand with the latest controls to prevent organizations from exposure.

Likewise, third-party risk management is a significant concern. Organizations are considering whether they have in-house capabilities to build the tools needed or whether navigating the complex vendor landscape would serve them better when it comes to end-to-end protection.

“The truth is there’s no one-size-fits-all silver bullet for AI,” explains Carlos Perez Chalico, Cybersecurity, Data Protection and Privacy Partner, with EY Canada, adding that chief information security officers (CISOs) need to articulate the value of cybersecurity to the enterprise and instill confidence that they can integrate elements and manage emerging technologies securely. “Companies will have to assess applicability as AI continues to redefine itself, weighing use case against what’s most important to the organization, and controls and tools they have in place against risks to ensure it’s worth it,” Perez Chalico adds.

Response ready

Whether AI is right for an organization is a corporate decision. But a topic that roundtable attendees could uniformly agree on was the need for a solid incident response preparedness plan, with well-laid roles and responsibilities for first responders, particularly when responding to material events. In addition, the need for robust data classification, labeling and data protection to help address security and privacy concerns will be essential for roll out, in tandem with AI programs.

Cyberattacks are in constant motion. With the latest U.S. Securities and Exchange Commission (SEC) disclosure rules requiring that currently undefined material events be reported within four business days to provide investors with useful information, organizational priorities will need to be held up against a comprehensive risk matrix to determine materiality and guide decision-making.

For effectiveness, plans need to be resilient; designed top down with materiality and reporting requirements clearly defined but implemented bottom up so appropriate action can be taken. And, perhaps most importantly, plans must be updated continually to backfill any gaps or vacancies.

Consensus across the board called for a readily accessible cybersecurity incident response plan with necessary playbooks, predetermining reporting and communications parameters, individual responsibilities and outlining the steps in managing different types of crises. Building them cross-functionally with IT, cyber, risk and compliance and operational teams at the table will help ensure that the appropriate controls are in place before an incident occurs.

“Some companies say they have governance and oversight and a pre-incident workflow. That they pressure-test technology to help prepare their teams,” explains EY Canada Cybersecurity Managed Services Practice Leader and Partner, Umang Handa. “But full-blown crises involving groups outside of IT, like legal and regulatory or bigger incidents that have the board pushing for resolution, also need to be simulated to determine the effectiveness of outputs. More regulated sectors have been doing this for some time, but it’s starting to translate to other industries like metals and minerals, which may not yet have such plans in place,” Handa adds.

What about relying on playbooks built into tools like Microsoft Sentinel? They’re a good start, Handa believes, but if an incident comes up, how quickly can they be located? Do teams across the business know who to contact and what actions need to be put into place quickly? Are lines of reporting and communication clearly spelled out?

While technologies can make the planning process easier, out-of-the-box offerings still require customization. Emergency shutdown procedures in a mine, for example, require local engineers to make a call on whether shuttering is warranted. If all players are dovetailed into the process and part of regular simulations, leadership and office personnel are assured to be on the same page. Should computers be impacted and visibility lost across the miles, or if threat actors infiltrate internal conversations on social platforms like Microsoft Teams and compromise communication, responders can still act with confidence, knowing they’re delivering against agreed-upon plans.

To err is human

In addition to these challenges, best laid cybersecurity plans can still go astray due to human error — often considered the weakest link. It’s no longer just phishing attacks that need to be defended against, but “vishing” — voice-based impersonation — and “smishing” — SMS-based attacks that lure users into sharing credentials or clicking links.

By way of example, let’s say you’ve implemented security controls using layered defenses and launched comprehensive, mandatory cybersecurity risk training for all employees. Your newsletter speaks to the importance of staying vigilant and you simulate phishing emails throughout the year to keep people on their toes.

But an urgent email comes in from the CEO, asking accounting to update a vendor in their system and pay an outstanding invoice. The email looks legitimate, but it’s not the CEO messaging. And not your vendor. Controls didn’t fail — the threat actors simply did their homework and were better able to manipulate based on what they discovered.

Now imagine a caller that sounds like the CEO dials in, asking for a funds transfer. Except it’s a deep fake and the person calling is a scammer. The rise of generative media and deep fakes have led to the emergence of the total control bypass.

When relying on manual human processes such as these, awareness is the first line of defense. The example above was a real lesson learned and shared by a roundtable attendee that got participants thinking differently.

To protect against human error, changing behaviour is key, particularly with an organization’s most vulnerable, privileged or potentially targeted individuals. Human risk assessments can help categorize the cybersecurity level of employees, establish risk profiles and risk scores, and define actions to better secure them — from specialized training to awareness initiatives.