Cyber risk has the potential to be the downfall of a mining and metals organization’s productivity gains and digital advancement aspirations. To navigate the complex cyber threat landscape, the sector needs a step-change in the culture and awareness of cyber risks.
Cyber threats are growing at an exponential rate globally: more than half of the energy and resources participants in EY’s latest Global Information Security Survey (GISS) experienced a significant cybersecurity incident in the last year. These threats are evolving and escalating at an especially alarming rate for asset-intensive industries such as mining and metals.
The GISS revealed that 53% of energy and resources organizations have increased their spending on cybersecurity over the last 12 months. Cybersecurity budgets are increasing, but they are still not enough to manage risk effectively, particularly the risk to mission-critical operational technology (OT).
Too many mining and metals companies are also managing their risks and vulnerabilities in an ad hoc way, or acting only when it is already too late.
The responsibility of managing exposure to cybersecurity risks is not one that can be delegated to one or two individuals. Rather, a broad range of individual responsibilities should be brought together to form a single, coherent and accessible view of the threat environment.
Staying ahead of cyber threats
A step-change in the culture and awareness of cyber risk within the sector is needed to close the gap that the human factor opens in cyber resilience and preparedness. Organizations need to apply good risk management principles, and this starts with treating the issue like any other business risk:
1. Understand the cyber threat landscape: This is the first and most important foundation step in improving cyber maturity. Mining and metals companies need a clear plan that forms part of both their digital road map and their risk management plan.
2. Establish a baseline of basic cyber controls: This baseline, supported by a risk-based approach to prioritize strategic and long-term cyber investment, should be aligned with the organization’s top cyber threat scenarios.
3. Adopt a cybersecurity framework: This will underpin the consistent identification of critical cyber control gaps, threats and actions required to achieve the target risk profile.
Irrespective of the cybersecurity framework adopted, organizations should take a risk-based approach that is fit for purpose, strikes a balance between “protect” and “react”, and meets their operational requirements. A robust cyber threat approach involves the following key steps:
- Identify the real risks
- Prioritize what matters most
- Govern and monitor performance
- Optimize investments
- Enable business performance
Boards are taking an increasingly active role in addressing cybersecurity risks. There is an increasing demand on management to generate reporting, metrics and insight that provide visibility and assurance over the management of cybersecurity risks.
Board reporting should seek to combine tangible and quantifiable metrics that demonstrate the outcomes resulting from recent key decisions and the performance of the current control environment.
Ultimately, to enable effective decision-making, a successful cybersecurity reporting framework must provide the board with a clear and continuous view of the organization’s current cyber risk exposure. To encourage this paradigm shift, boards should apply a risk-focused mindset to transform the questions they ask of management.
EY legal contacts:
Peter Katko – Global Digital Law Leader
Fabrice Naftalski – Global Data Privacy Law Leader