OPINION
devices such as tablets via TCP/IP, the risks increase. Introducing web-enabled systems before ensuring the policies and technologies are in place to protect them can make a business vulnerable. Respondents to the PWC Global State of Information Security Survey in 2015 reported an increase of 260% from 2014 for exploits of operational systems, while attacks on embedded systems increased by 231%.
Data, too, has a multitude of uses in the oil & gas industry. The increase in sensors, analytics tools and data storage capabilities is enabling businesses to capture additional information, from a wider area, at a lower cost. But, just as data is valued by users, it is valuable to cyber criminals. Attacks using malware, such as 2012’s Flame, which spread via a local area network or USB memory sticks and recorded audio, screenshots and keyboard activity, could see an organisation lose business-critical data or intellectual property. And malware infections are widespread: affecting 84% of large organisations in 2015, according to the Government’s Information Security Breaches Survey 2015 (ISBS 2015) carried out by PWC.
But malware is not the only cause of lost data – 81% of respondents from large companies to the ISBS 2015 stated that personnel were involved in some of the data breaches they suffered. This was an increase of over 20% on the previous year. Two-thirds of these incidents involved loss or leakage of confidential information by insiders. So it’s essential that staff are trained to recognise potential cyber threats, such as phishing emails, and about the importance of protecting data. In addition, measures that prevent executable files from being installed on computers, for example, or log and flag up unusual activity by employees may help to protect against a malicious insider who already has privileged access to systems.
This culture of security should extend throughout an organisation, and beyond – its data may be secure, but is it still protected by the company’s supply chain or third parties? Ensure that similar controls to those that you are taking are included in any contract with suppliers and providers: make sure that they have been implemented, and that they work.
Don’t think it couldn’t happen to you or your contacts: in the ISBS, 90% of large organisations reported that they had suffered a security breach in 2015, with a median of 14 breaches experienced by each organisation.
The costs of a data breach or malware or virus infection to an oil & gas company can run into thousands. Clean-up costs go far beyond the simple removal of the virus, and include technical, human and material impacts. Systems may need to be restored from back-ups or equipment replaced. Technically, you may need to undertake forensic recovery of system evidence to complete an investigation of the incident, and to prevent it happening again. To do this, you will need to ensure that your system is configured to enable and assist the forensic recovery of digital evidence – and if it is as a result of a malicious act, identify if you have the evidence to prosecute the perpetrator through the courts.
Human resource costs of an infection or data breach extend beyond the working time lost by employees during computer outages, to include the time spent by staff in carrying out remedial actions to resolve the issue. System downtime may also result in unanticipated material expenses: perhaps rental vehicles to distribute items to satellite offices, or increased requirements for peripherals such as paper and printer cartridges. If the virus infection spreads, and infects other systems, then costs would be multiplied and could come in at millions of pounds or more.
Legislative and regulatory costs can be added to the total: with data breaches, these could include fines from the Information Commissioner’s Office; or financial settlements of legal action taken by those whose data has been lost. In the near future, the introduction of the EU Data Protection Directive is likely to see fines related to company revenue – perhaps as much as 4% of a company’s global annual turnover. Less quantifiable, but no less important, is the damage that press coverage of a data breach can cause an organisation’s reputation, and the effect this may have on customers, clients and suppliers.
Protecting your organisation from cyber threats makes it more resilient. Responding effectively to a crisis or issue, and learning and recovering from it, may be critical to your company’s survival and success. But with so many aspects to consider, it can be helpful to call upon an outside point of view – professionals such as those at Frazer-Nash can work with you to understand and manage potential opportunities and threats; and to anticipate and prepare for the unexpected. While the BSI’s Guidance for Organisational Resilience, BS65000, offers a roadmap towards building a resilient organisation, an expert can help you put it into practice within the context of a multi-faceted, complex oil & gas company.
The opportunities that technology offers to the oil & gas industry are huge, and have the potential to benefit every aspect of an organisation. But, as with any aspect of production, it’s important to minimise the risks. Taking action to identify the threats, and to protect your systems from them, can help you face future cyber and insider challenges confidently.
Attacks using malware can spread via USB memory sticks and cause organisations to lose critical data
Tim Arridge is a principal consultant at Frazer-Nash.
www.fnc.co.uk
www.engineerlive.com