By: Dale Zankl, Partner, Oil & Gas Practice Leader Middle East at Stanton Chase
Increasingly, companies in the oil and gas industry are turning to digital technology to operate more efficiently and cost-effectively. Driven by instability in the industry as a result of dramatic fluctuations in oil prices, leaders are keenly engaging a broad range of digital technology solutions.
Undoubtedly, the implementation of digital technology improves customer service, gives in-depth insight into operations, and allows for better decision making in real time. But it also comes with increased security risks.
The use of IoT technology, AI, big data, and data analytics is rapidly spreading throughout the oil and gas industry. As a multitude of new software solutions, digital devices, sensors, and drones are utilised at multiple levels across the oil and gas sector, industry captains must not lose sight of the security risks they pose.
Internal risk management strategies must keep pace with digital expansion
Improvements and changes to communications, including the transfer of data without any human interaction, put your systems at risk more than ever before.
The lack of cybersecurity control in the oil and gas industry up until now has certainly not escaped the attention of cybercriminals. A slew of high profile cyberattacks in the oil and gas industry in recent years has highlighted just how exposed and vulnerable many companies are. Research and studies show that high profile cases are most likely just the tip of the iceberg, as many companies do not make cyberattacks public, and some attacks go undetected.
The value and nature of the oil and gas industry make it lucrative picking grounds for cybercriminals. In a malware attack in June 2017, an international shipping company was literally shut down for ten days because of irreversible encryptions to their system. The systems shutdown cost the company around US$300 million and had a knock-on effect of $10 billion in losses across the region.
Industry leaders must accept that illicit cyber activity is a global problem that is on the increase and is here to stay. The Cisco 2017 Annual Cybersecurity Report estimates the frequency of ransomware attacks across industries is increasing by 350 per cent every year.
Cybersecurity management must be a priority investment
At Stanton Chase, we have seen an increase in cyberattacks on our clients globally. We strongly advise oil and gas companies to invest in leadership committed to this area, and to continually review and enhance cybersecurity strategies to keep one step ahead of possible cyberattackers. When you compare the potential losses to the cost of investment, the implementation of robust cybersecurity measures is the only option.
Reducing costs and improving efficiency through technology has limited value if keeping that technology safe and secure is not a priority at the highest levels of an organisation. A crucial element of any cybersecurity strategy must be the appointment of high-level and responsible leaders who understand issues such as:
• The role of big data and analytics in operations
• IoT and transfer of data through digital channels
• The convergence of operating technology and IT
• The security and compliance risks of cloud computing
• Ransomware and other threats to critical infrastructure
• Risk management in a supply chain environment
• Operational and safety risks vulnerable to cyberattack
There is also no gain in investing in a cybersecurity strategy without assigning full responsibility to the leadership team, as well as understanding why cyberattacks happen. Knowing the motivation of cybercriminals will better prepare you to identify vulnerabilities in all systems across your business.
Identifying potential risk areas allows you to develop appropriate preemptive responses and educate staff working with these systems. Being aware and forewarned of potential vulnerability will improve responses and dramatically improve outcomes.
Executives and top management must understand cybersecurity
Cyber attacks can occur at any level of a business. Therefore, cybersecurity must be understood at every level of business activity. Cybersecurity is one area that cannot afford to slip under the radar, but it is also an area that many employees are unfamiliar with, from ground level to the board room.
Cybercriminals make it their business to stay abreast of technology developments. Business executives and top management must be equally as proactive about cybersecurity education.
Cybersecurity can no longer be seen as the sole domain of the IT department. CFOs, CIOs and CISOs need the support of the entire organisation if critical operational protocols are to be appropriately understood and secured. Employees at every level must be educated on the dangers of cyberattacks, and it is up to business executives and top management to ensure that the appropriate training is delivered.
It is up to leadership professionals to bridge the communication gap to ensure that their security systems are aligned with operational systems at every level.