Being ahead of cyber threats
A step-change in the culture and awareness of cyber risk within the mining and metals sector is needed to close the gap that the "human factor" leaves in cyber resilience and preparedness. The urgency becomes more critical once you accept the premise that a serious incident is no longer a matter of "if" but "when."
Organizations need to apply good risk management principles, and this starts with treating cyber risk as a business risk rather than a purely technical one. Understanding the cyber threat landscape is the first and essential foundation step in improving cyber maturity. To deliver the step-change needed, mining and metals companies need a clear plan that forms part of both their digital road map and their risk management plan.
The first step is to establish a baseline of basic cyber controls. This baseline, supported by a risk-based approach to prioritizing strategic and long-term cyber investment, should be aligned with the organization's top cyber threat scenarios.
Four key cyber threats are ever-present within mining and metals organizations and can significantly impact operations:
- Enterprise IT and business applications: Threats to the global IT network, the IT managed services provider, ERP, and the key on-premise or cloud-based solutions that enable end-user productivity, data storage and compute. Compromises of these systems often lead to "priority one" incidents that need immediate attention and recovery.
- Treasury, financial and commodity trading: Significant cash disbursements (by value and volume) to JV partners, suppliers, government agencies, inter- or intra-company counterparties and commodity customers are characteristic of the mining industry. With the rise of CEO, CFO and accounts-payable scams and spear-phishing, cyber-enabled crime and fraudulent payments are a real threat.
- Commercially sensitive and personal data: The growth in data breach notification requirements and the rapid pace of online media reporting mean that all businesses need to pay greater attention to protecting sensitive and personal data. For the mining and metals sector, this typically means personal information held in HR, medical, hygiene, HSE and contractor management systems, and commercially sensitive information on senior end users' devices and in cloud-based data repositories.
- Operational technology: OT cyber threats are evolving and are at the forefront of attention for boards, executives and regulators in asset-intensive industries. The exposure typically starts with mission-critical OT systems at operational sites, processing plants and utilities, followed by the key IT and OT networks and systems that enable integrated operations, remote monitoring and control, and production-sensitive planning and decision support.
To address these threats consistently, organizations should adopt a cybersecurity framework for identifying critical cyber control gaps, threats and the actions required to reach the target risk profile. We believe that, irrespective of the framework adopted, a risk-based approach should be taken: one that is fit for purpose, balances "protect" and "react," and meets the operational requirements of the organization.
The following is a robust approach to cyber threats:
- Identify the real risks: map critical assets across systems and businesses
- Prioritize what matters most: assume breaches will occur and improve the controls and processes used to identify, protect, detect, respond and recover from attacks
- Govern and monitor performance: regularly assess performance and the residual risk position
- Optimize investments: formally accept risks that fall within tolerance where budget is not available to reduce them further
- Enable business performance: make security everyone's responsibility
Focus on boards
Boards are taking an increasingly active role in addressing the risks that cyber threats pose to their business. There is growing demand on management to produce reporting, metrics and insight that provide visibility of, and assurance over, the management of cybersecurity risk.
Most organizations struggle to understand what to report to the board. This reflects a traditional reporting mindset that focuses on informing tactical decisions and reporting on current progress. Instead, board reporting should combine tangible, quantifiable metrics that demonstrate the outcomes of recent key decisions with metrics on the performance of the current control environment.
Ultimately, to enable effective decision-making, a successful cybersecurity reporting framework must provide the board with a clear and continuous view of the organization’s current cyber risk exposure.
To encourage this paradigm shift, boards should apply a risk-focused mindset to transform the questions they ask of management.