Why Are There Still Cybersecurity Incidents? – Yogi Schulz – Energy News for the Canadian Oil & Gas Industry | EnergyNow.ca

By Yogi Schulz

Here’s the link to my IT blog at IT World Canada

Why are there still frequent, expensive and embarrassing cybersecurity incidents at energy companies? With most companies strengthening their defences and all the media attention devoted to incidents, you’d think everyone has received the message and taken action to eliminate the possibility of more incidents. I’m surprised by the recent headlines that say otherwise:

  1. Petro-Canada payments systems largely restored in the wake of a cyberattack: Suncor
  2. Indigo admits the cyberattack was ransomware, employee data accessed
  3. Data on as many as 100,000 Nova Scotia healthcare staff stolen in MOVEit breach
  4. Indigo lost $50M last year, in large part due to the February cyberattack

What is causing management inaction about cybersecurity?

These incidents keep happening because it’s difficult for energy companies’ management to know how high their cybersecurity risk is and how far it needs to be managed down. There’s no silver bullet for eliminating the threat. Management often falsely believes that:

  1. The IS department is managing the risk.
  2. Their company is too tiny or not attractive to potential attackers.
  3. Media articles about cybersecurity incidents exaggerate the consequences.
  4. High-priced consultants are engaged in scare tactics.

Also, management is continuously under conflicting pressures, including:

  1. Shareholder pressure for higher returns.
  2. OPEC+ and others setting prices.
  3. Problematic transportation availability and high costs.
  4. Employee pressure for higher pay.
  5. IS leadership claiming that the cybersecurity sky is still falling after record spending on defences.
  6. Suppliers wanting or needing to raise prices.
  7. Management desires to preserve their bonuses by keeping costs down.

In this demanding business environment, management is reluctant to spend money on cybersecurity defences that appear to offer little return. In too many cases, this inaction has produced disaster.

What are the consequences of management inaction about cybersecurity?

In the energy industry, you want to avoid these consequences of inadequate cybersecurity defences:

  1. A headline about your cybersecurity lapses creating reputational damage among customers and suppliers, leading to loss of business.
  2. The cost and business disruption of cleaning up after a cybersecurity incident.
  3. Loss of revenue due to operational disruption.
  4. The likelihood of an investigation and a fine from a regulatory agency.
  5. Tarnish to your carefully cultivated, stellar executive reputation.

Even though the cost of cybersecurity prevention often feels high or even outrageous, it’s significantly cheaper than the cost of addressing the consequences of a cybersecurity incident.

What should management do about cybersecurity risk?

Energy company management can start by conducting a cybersecurity risk assessment. This work creates facts that trump opinions, hunches, gut feelings, and denial.

The findings of a cybersecurity risk assessment will tell you:

  1. What defences are working well. That fact builds confidence that some cybersecurity defences are working.
  2. What defences need strengthening. Those findings form the basis for an action plan to reinforce specific cybersecurity defences.
  3. What potential defences don’t exist. These items form the agenda for discussing additional cybersecurity defences to implement. No company needs to address all the items on the list to lower cybersecurity risk.

The findings move the cybersecurity discussion from generalities about risk and cost to multiple specific, granular actions where management can concretely assess the value and cost.

What does a comprehensive cybersecurity risk assessment consist of?

Too often, energy company management asks IS leadership for an opinion about the sufficiency of cybersecurity defences. No matter how confident management is in its IS leadership, that opinion, without supporting data, is dangerously misleading.

Determining what a comprehensive cybersecurity risk assessment consists of should include the following considerations:

  1. Is an internally developed cybersecurity assessment sufficient? An internally developed risk assessment framework will not have the benefit of the contributions of many experts. However, it may be better tailored to your company’s risks and priorities. It’s often best to base the risk assessment on a well-established cybersecurity framework.
  2. What cybersecurity framework should you use? Select a framework appropriate for the energy industry and your company’s size. For more information about well-established cybersecurity frameworks, please read this article: Top 11 cybersecurity frameworks in 2023.
  3. Who will conduct the cybersecurity risk assessment? Audit department employees do not have the requisite technical expertise. Someone from the IS leadership team may be tempted to produce an overly optimistic set of findings. The objectivity of an external consultant may provide sufficient value.
  4. Who will participate in the cybersecurity risk assessment? Typically, the individuals in the IS department who have a role in cybersecurity operations.

For a description of what a low-effort but comprehensive risk assessment entails, please watch this video: Assess your SMB cybersecurity defences at warp speed.

Acting on the findings of a competently conducted cybersecurity risk assessment can significantly enhance your energy company’s cybersecurity defences.

About Yogi Schulz

Yogi Schulz is an information technology consultant who works extensively in the petroleum industry to select and implement administrative, operations, and geotechnical systems. He writes regular articles about developments in the energy industry and technology.

You can contact Yogi Schulz through his LinkedIn profile at this link.
