What factors do we need to consider to understand if the oil and gas industry can be sustainable in the future? Do we even need this industry in the...
What are the dangers and costs of poor cyber security?
What are the costs associated with the dangers of poor cyber security and what can we as a company do to mitigate these dangers?
When it comes to the concept of cyber security, we can usually divide the potential threats and dangers into two sections, technical and human. Technical dangers refer to unsafe or bad solutions and infrastructure, while human dangers in cyber security is the behaviour and training or expertise of the personnel. Some examples of bad technical solutions include: no systems for backup, poor redundancy, insufficient segregation- and firewall-regime, vulnerable solutions for remote access and technical accesses.
With soft or human factors, possible dangers include undesirable online behaviour, being unaware of possible dangers (like phishing or malware), not having an established regime for passwords and authentications to log on to both computers and applications, no guidelines on how to log on networks with USB or logging into the Wi-Fi at a plant with an “unsecured” computer. All these examples er things that are hard to control, but it is possible to have technical barriers in place to limit the danger, as well as having requirements for personnel with regards to online behaviour.
Specific dangers to a company
A specific danger to a company undergoing an attack as a result of poor cyber security is that their reputation is tarnished. Global companies can lose their ability to operate and deliver their services as part of an attack. Not to mention that some studies have found that you can destroy physical equipment by manipulating process technical equipment. This means that in worst case you have to shut down production and won’t be able to get back up again without new equipment. If this is the case and you are also without necessary backups and accesses, the situation for the company can be quite severe. The costs of an attack of this sort is quite high, because you lose valuable production time as a result of it.
Another danger of an attack is loss of sensitive information or confidential information, for example relating to technology development or other market advantages. Based on the information stolen, someone can gain your previous advantage, or use the information to develop their technology or software based on it. The costs associated are what the company has spent on research and development, along with the market advantage that they will lose. This could also affect your suppliers, as they will also be affected if the information is compromised.
There have been multiple examples of companies that have come in situations where they have been infected with ransomware, which is where your entire system is put under lockdown, and you have to pay to decrypt it. Companies lose access to all their information, and as discussed, the information could also be leaked. Ransomware includes several encryptions and is very difficult to break without paying the ransom. This happens to governments and government services as well. In 2017 NHS in the UK was attacked with ransomware, endangering a lot of sensitive patient information. Not to mention that it also had implications for NHS’s potential to care for their patients. Experts are saying that the attack could have been prevented by following basic IT security best practises, and the department was even warned about the risks of an attack a year earlier. This cyber-attack was stopped by a cyber researcher able to activate a kill-switch and did not end up with the NHS having to pay ransom, but still ended up with unknown costs in the form of cancelled appointments and operations, estimated to be over 19 000 in total.
So how can we prevent this from happening?
The first thing is to perform an internal audit of all technical systems and map out systems, documents and backup solutions. One can install new servers, passwords, and create new systems to detect equipment and malware, and to install software updates regularly. This includes knowing what equipment is present and used on site, and what to do if something is destroyed. One has to be proactive and have a system for everything, where one knows how to start rebuilding the system after an attack, including who provided what to the system. One must also have an overview of equipment, IP-addresses, configuration, to name some. PSA has also started looking into if you have an overview and documentation of technical network, and the infrastructure behind them. We need to have the blueprint in order to build things back up again.