How to manage the risk of cyber attacks
Cybersecurity attacks remain a primary business risk for mining companies. These attacks typically involve encryption of the company’s data, exfiltration of the data, demands for payment of a ransom fee, and public ‘shaming’ – a newer technique – where the criminal actor reaches out to employees, customers or vendors to advise that their confidential information has been stolen.
Cybersecurity preparedness is key to minimizing both the risk of being the victim of an attack and the impact of such an attack. Below are five key steps that mining companies (or any company) can take to manage the risk of cybersecurity incidents.
1 | Do not delegate cybersecurity preparedness to IT
Managing the risk of cybersecurity incidents is not simply a matter of information technology (IT). A risk management framework that engages various divisions of the company, including IT, is required.
At a senior officer level, an individual responsible for risk management should review the following and then make informed decisions about how best to manage the risk:
> the specific risks of attack the company faces (e.g. how could an attacker compromise the company, either through a direct attack or an attack on a third party, and what harm to the company or third parties could arise from such an incident); and
> the potential dollar value impact of those risks (e.g. costs of business interruption, containment, remediation, risks of regulatory inquiry and litigation).
With a framework of the risks and consequences, the mining company can then develop relevant policies and protocols to control for the risks that are particular to the organization. For example, an attack on a supplier or vendor whose operations are integral to the business of the mining company could interrupt the ability of the mining company to operate. The relevant policy and protocol would involve the insertion of key contractual provisions in the agreement with this third party to control for this risk. Such provisions may require the supplier or vendor to employ a certain level of security safeguards, to notify the mining company of relevant security incidents, provide indemnification of specified risks, and/or procure cyber insurance.
2 | Patching
The failure to patch software to control for known vulnerabilities remains a frequent gap in cybersecurity preparedness. Patching involves a modification to software to improve (among other things) its security based on imperfections or vulnerabilities that have been identified.
The absence of a strategy to address patching is often the source of cybersecurity incidents. Mining companies should ensure they have a written policy and protocol to address the key elements of patching (including who is responsible for overseeing the patching, the timeframe within which they are required to patch, and a list of all software used by the company).
3 | Backups
Having off-line, off-site and tested backups of data is key to being able to recover from a ransomware attack without the need to pay the ransom demand. Management should speak with the person responsible for IT to understand whether and why IT is confident that the mining company can recover using backups in the face of a ransomware attack, approximately how long it would take to recover from backups and how the recovery process would affect operations.
4 | Employee Training
Human error accounts for a substantial percentage of cybersecurity incidents. Typically, the human error involves an employee clicking on a malicious link, leading to the installation of malware onto the company network. Regular training of employees is critical to minimizing this occurrence. Further, if organizations track the nature of attempted attacks, they will be better equipped to tailor the training for specific groups within the company to address the particular risks they face.
5 | Land mines in the face of an attack
In the face of an attack, there are key steps to take on an urgent basis including the following:
> remove the intruder and any hidden traps set by the criminal actor;
> preserve forensic evidence to inform how the intruder compromised the company and what they did while they had access to the network;
> comply with regulatory compliance obligations (which may involve multiple jurisdictions and short timeframes within which to report);
> control the narrative in the public domain; and
> manage litigation risk (avoid damaging paper trails and preserve legal privilege).
Acting at an early stage with the assistance of experts (including external counsel and a forensic team) can help reduce the costs associated with containment, recovery and response to the attack.
RUTH PROMISLOW is a partner at Bennett Jones, Toronto.