Mining and metals sector struggling to close cyber maturity gap
London, 26 March 2018
- Cyber risk escalating as mining companies become increasingly digitized
- Current budgets may not be enough to manage threat to operational technology
- 55% of energy and resources companies experienced a significant cybersecurity incident in the last year
Increasing connectivity of technology across the mining and metals sector is making it more difficult than ever for companies to keep pace and secure their digital environment, finds the EY report, Does cyber risk only become a priority once you’ve been attacked?
According to the report, 55% of energy and resources companies have experienced a significant cybersecurity incident in the last year, yet 48% of respondents believe it is unlikely that they would be able to detect a sophisticated cyber attack. For asset-intensive industries such as mining and metals, the threat is escalating particularly rapidly due to increasing investment in digital, reliance on automation and heightened connectivity between information technology and less mature operational technology. As a result, the report highlights that the entire supply chain is now at risk.
Michael Rundus, EY Global Mining & Metals Cybersecurity Leader, says:
“Increased adoption of digital technologies to drive productivity across the mining and metals sector has resulted in a growing digital footprint and associated cyber threat profile. We estimate that mining companies are in fact lagging the rest of the energy sector by several years in how they protect operational technology. If companies continue to take an ad hoc approach to cybersecurity, or act when it is too late to manage vulnerabilities, cyber risk could be the downfall of organizations’ productivity gains and digital advancement aspirations.”
The physical security of remote mining and metals operations is no longer sufficient to protect the enterprise, according to the report. Equipment and infrastructure that would traditionally have been disconnected is now integrated to provide greater operational control. Combined with rising system complexity encompassing multiple networks, this has led to further expansion of the attack paths that can be used by cyber attackers to compromise operations across the whole value chain.
The report also finds that boards are taking an increasingly active role in addressing the growing threat, amid increasing demand on management to provide visibility and assurance relating to cyber risk. However, only 35% of energy and resources companies’ boards have sufficient cybersecurity knowledge for effective oversight of cyber risks, the report finds.
Rundus says: “A cultural step-change in the awareness of cyber risk is required to address increased demand to embed cyber resilience and preparedness. As a first step toward closing the cyber maturity gap, boards need to ensure that they understand the threat landscape and apply a risk-focused mindset to transform the questions they ask of management. But responsibility for managing exposure to risk needs to sit with a broad range of teams across the business to engender a coherent view of the threat environment.”
As mining and metals companies continue to move into the digital age, the report further highlights that current budgets may not be sufficient to manage cyber risk. While 53% of energy and resources companies state that they have increased cybersecurity budgets over the last 12 months, more resources may be required to fund critical operational technology for mining and metals companies.
- Ends -
Notes to Editors
EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.
EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.
This news release has been issued by EYGM Limited, a member of the global EY organization that also does not provide any services to clients.
How EY’s Global Mining & Metals Network can help your business
The sector is returning to growth, but mining and metals (M&M) companies face a transformed competitive and operating landscape. The need to improve shareholder returns will drive bold strategies to accelerate productivity, improve margins and better allocate capital to achieve long-term growth. Digital innovation will be a key enabler but the industry must overcome a poor track record of technology implementations. If M&M companies are to survive and thrive in a new energy world, they must embrace digital to optimize productivity from market to mine.
EY takes a whole-of-value-chain approach to support each client to help seize the potential of digital to fast-track productivity, balance portfolios and set a clear road map for their new energy future.
For more information, please visit ey.com/miningmetals.
About the data
The data is taken from EY’s 20th Global Information Security Survey, which captures the responses of nearly 1,200 C-suite leaders and information security and IT executives/managers, representing many of the world’s largest and most recognized global organizations. The research was conducted between June and September 2017.
For more information, please visit ey.com/giss.