Repelling black hats with hard hats: four imperatives for cybersecurity
Cyber threats are evolving and escalating at an alarming rate within the mining and metals and other asset-intensive industries. Understanding the current cyber risk landscape and the threats that new technologies bring is crucial for planning reliable and resilient operations. From its geopolitical nature to the life-and-death consequences of operation system malfunctions, mining and metals companies are teeming with cyber vulnerabilities. Sophisticated criminals may be ready to hit a company’s reputation, health and safety protocols, environmental stewardship, and profitability.
October is Cybersecurity Awareness Month, which aims to bring heightened awareness to cybersecurity. In an age where threats are being unearthed every day, mining companies need to account for these four imperatives when thinking about cybersecurity within their operations.
1 Understanding risk appetite and risk tolerance and where your company stands
Risk appetite is the amount of risk an organization is willing to accept to achieve its objectives. Risk tolerance is the acceptable deviation from the organization’s risk appetite. More than one-third of Canadian organizations have not clearly articulated their cybersecurity risk. Defining the cyber risks that are most relevant for your particular organization and building consensus around what level of risk you’ll tolerate is the first step to effective planning. For the mining and metals industry, a seemingly small disruption – like a hacker shaking up your supply chain or stopping a critical dewatering pump – could have massive, high-profile or even life-altering impacts. You need to know where your risk lies to defend your organization well.
2 Bridging the divide between IT and OT to clarify the operating model and cyber risk between the two domains
The patterns that work for the information technology (IT) team don’t always translate to the operational technology (OT) team. Although the two terms are sometimes used synonymously, the two domains have different cultures. In OT, especially at remote mining sites, teams are measured on uptime, not necessarily security. The concept of security is built on the IT side. Chief information security officers (CISOs) must ensure not only availability and reliability but also that the systems are secure whenever they are being operated. Bridging the culture divide will require CISOs to be able to translate the language of health and safety into cyber risk management. This bridge is important: as environmental, social and governance (ESG) practices continue to gain momentum, the need to secure the OT assets that provide the frontline ESG data used to make informed decisions will be paramount.
3 Making cybersecurity the connective thread between functional capabilities
Redrawing the organizational chart and making cybersecurity the connective thread between functional capabilities doesn’t only make your organization stronger. It can also support efficiency, cut down costs and foster the kind of collaboration that speaks directly to internal and external calls for secure products, services and solutions.
Risk itself has changed. Findings from the EY Global Information Security Survey show more than 40% of leaders have never been as concerned as they are now about managing cyber threats the business faces. You can’t tackle that increase in disruptive risk without drawing better connections between functional teams.
4 Putting a team in place to deal with compliance and regulatory requirements
The overhead of trying to maintain and stay on top of different regulatory requirements and standards is the biggest hurdle most Canadian companies face. Seventy per cent of Canadian executives say navigating regulation will be time-consuming and expensive. Mining is global, so companies need to think bigger than just Canada, and to do so effectively and efficiently, dedicated teams will be needed. Such teams can help organizations of the future stay on top of compliance and regulatory requirements, and also put in place a process that identifies what updates they need, where to get them and how they translate to their specific organization.
Disruptive forces mean that companies must understand how much risk they can safely take on. OT and IT must now come together to play broader roles at mining organizations. Operational and budgetary silos hold progress back as legacy risk frameworks require fresh thinking. Internal disconnects create gaps around the value that cybersecurity can bring. Having a dedicated team to keep up to date with compliance and regulatory requirements and support the CISOs to put them in place is crucial. We’re at a defining moment where CISOs can make a difference.
BRYSON TAN is an associate partner in the Cybersecurity Advisory Services at EY Canada. For more information visit www.ey.com/en_ca/mining-metals.