Mining is an important economic sector which brings investment, jobs, taxes, and wealth to local governments. Despite having one of the largest cash flows on investment, this industry lacks proper measures for managing IT security risks.
In its 2017 report ‘Tracking the Trends 2017: The Top 10 Trends Mining Companies will Face in the Coming Year’, Deloitte predicts cyber security threats will be amplified in the mining industry. The industry’s speedy digital innovation, combined with cloud migration and enterprise mobility technologies, exposes mining companies to a broad spectrum of online threats.
The Mining Industry’s Vulnerability to Cyber Security Issues
Cyber security in the mining industry is not a new issue. This is especially true as mining firms aren’t as quick to adopt cyber security initiatives as they are to implement digital solutions. Moreover, they still rely on legacy systems and non-standard configurations.
In its 2013 Global Information Security Survey, Ernst & Young Global Ltd. reveals 41% have experienced more external threats over the span of a year. In the same year, during the Gartner Security and Risk Management Summit in Sydney, Mike Rothery from the Australian government’s Cyber Security Operations Board (CSOB) also pointed out that on-site staff could be responsible for internal threats.
“When you go to see the chief engineer, he’ll say, ‘Well, they used to not be interconnected, but when they took out all the analogue systems and they needed to put it on an IP-based system, we weren’t going to put in a separate IP-based network. We just dumped it onto the corporate network. The CIO doesn’t even know it’s there.’”
Deloitte expects these threats to increase in 2017 and the future. In addition to viruses attacking critical systems which control driverless cars, pumps and motors, hackers targeting proprietary data and intellectual property is another possible threat. However, what makes hackers extremely dangerous is that they can be anyone – from criminals seeking financial payoff, to foreign intelligence agencies, and all the way to industrial spies.
Ransomware has also become prevalent in the mining industry. This type of malware prevents users from accessing systems or data until its creators receive a certain sum. With so much at risk, companies have no choice but to comply. In a recent case, a company refused to pay the ransom, prompting attackers to release its private data into the public domain.
According to Trend Micro’s ‘Cyber Threats to the Mining Industry’, the following are other common methods for infiltrating mining firms and compromising the security of their data.
- Social Engineering Attacks – Phishing and other forms of social engineering attacks have claimed millions of victims over the years. Unfortunately, there’s still a lack of awareness of this form of attack. According to ICS security consultant Digital Bond, 25% of highly targeted recipients fell victim to these attacks. Targets’ job titles include Automation Technician, Equipment Diagnostic Lead, and Control System Supervisor.
- Software Vulnerability Exploitation – If undetected and unresolved, software vulnerabilities can be used against users for several years. This is especially true if patches for vulnerabilities haven’t been applied routinely and servers run an unsupported OS.
- System Misconfiguration Exploitation – Misconfigurations can occur at any level of an application stack. When discovered and exploited, these can compromise the system and expose data.
- Drive-by-Download Attacks – This attack is initiated when malware is downloaded automatically without a user’s consent or knowledge. What makes it dangerous is that it doesn’t require user interactions. It can occur when a user views an HTML email or simply visits a website.
- Man-in-the-Middle (MitM) – This type of attack entails the hacker intercepting, altering, and relaying communications between two parties. MitM is only successful, however, if the attacker accurately impersonates the endpoint’s behavior.
- Insider Job – Enterprises have a tough time protecting themselves from this attack as it involves people whom the organization trusts or who can abuse their privileges to commit crimes.
Does Enterprise Mobility Add to Cyber Security Concerns?
Enterprise mobility is the next big thing in the mining industry. Unfortunately, this emerging technology has been criticized by a few as one of the weakest links in corporate security. Harvard Business Review’s (HBR) Tech Pro Research survey reveals 45% of CIOs, technology executives, and IT employees see mobile devices as their companies’ weak spots. According to this survey, the following are their top security concerns:
- Device theft or loss
- Disregard of security compliance rules
- Unsupported devices (shadow IT)
However, a previous survey by the same source shows that only 12% of companies have been affected by a mobile security breach. Moreover, the cause of a majority of breaches wasn’t the devices or apps themselves. Rather, it was the people who lose their devices or don’t practice good security habits.
Simply put, enterprises’ cyber security is compromised via mobile when employees fail to follow basic security procedures. Therefore, educating employees, the actual weakest link, is integral for fortifying corporate mobile defenses. Here are some tips to help in this regard:
Create Your Own Enterprise Mobility Apps
Mining industry leaders such as Rio Tinto are investing in creating their own enterprise apps for their employees. This is because of the numerous benefits these apps offer employees and enterprises alike – from improved worker productivity to streamlined, cost-effective business processes.
Further adding to the appeal of custom enterprise apps is that they’re easy to create. With the help of zero-code enterprise mobile app development platforms like Miracle Mobile, you can quickly design and publish mobile forms within minutes. As you won’t need to pay much to create unlimited forms, you’ll also receive the best value for money.
Mandate Regular Password Updates
Password security is considered an enterprise’s first line of defense. However, ensuring this somewhat simple aspect is very hard, especially on mobile devices. For starters, entering long passwords on smartphones or tablets is far from user friendly. Users themselves have trouble managing several accounts on their devices. That’s why they require password managers or other forms of aid.
One effective way to ensure password security is to enforce password rules. For instance, you can have employees change passwords regularly to keep hackers out. However, expect employees to not voluntarily carry out this step even when prompted. So, take them through this slowly and teach them how to create and remember strong passwords.
Secure Devices and Mobile Communications
Mobile operating systems like iOS and (especially) Android are common targets for malware. Similarly, mobile communications are at risk as hackers can easily intercept and snoop on them. Therefore, consider implementing measures that secure both.
For devices, mandate the installation of antimalware software. This is especially important if your enterprise has a Bring Your Own Device (BYOD) policy. As for mobile communications, rely on encryption to protect communications between employee devices and cloud-based systems or services. You can also opt for the use of VPNs. The use of a VPN enhances security by adding strong encryption and providing opportunities for access management.
Control Third Party Software on Devices
Restrictions on the use of third party software should be part of your BYOD policy. You need to limit or block the use of their apps to prevent compromising cyber security. Explain to your workforce how these apps can install rogue software on their devices and ultimately open backdoors and ‘black gateways’ which put corporate information in the wrong hands.
Another method you can consider is having users log into a remote virtual work environment. This prevents data from persisting once a user session ends. Combined with secured communications, this method will ensure the security of your devices and corporate data.
Schedule OS Updates as Part of Your Strategy
To ensure that hackers don’t take advantage of the vulnerabilities of your device’s OS, entrust the IT team with checking vulnerabilities regularly. Employees should also ensure their mobile devices’ operating systems are updated regularly as new releases offer a set of security patches and new features.
Plan and Deliver Security Awareness Training
No security measure is effective unless your staff understands its purpose. Training allows you to educate the workforce on the threats they may face while using their devices. By highlighting how cyber criminals can attack, steal, damage, or misuse your enterprise devices and data, you enable everyone to work adequately towards protecting against these risks.
Training also allows you to communicate the consequences of failing to protect the enterprise from attacks. With consequences ranging from criminal penalties to termination, employees will be aware of what’s at stake.
The Bottom Line
Cyber security is an issue which mining firms need to take seriously, especially as they step towards enterprise mobility. So, be prepared by educating your workforce and securing all their devices, especially mobile devices.