In a digital world with an expanding array of technologies—mobile, social, cloud and “bring your own device” options—organizations are increasingly vulnerable to cyber criminals. According to a recent study by Symantec, more than 430 million new unique pieces of malware surfaced in 2015, up 36 percent from the year before.[1] Risks to oil and gas companies are high, partly because of business models that include joint ventures and third parties.
Organizations overly concerned with technical tools need to address the human factors. Without a robust “human firewall” in place, a technical firewall becomes virtually useless.
While you may think your own people, business partners and third-party suppliers are aware of cyber security issues, many are not consistently following recommended practices. Examples include connecting personal devices to company networks, using weak passwords, allowing poor coding practices and, the most prevalent, sharing data with hackers in phishing attacks.
The negative consequences may include lawsuits, costly investigations, reputational damage and, in the worst cases, loss of license to operate.
It’s important to recognize that awareness does not equal lasting behavior change. Our experience working with energy organizations tells us preventable human errors cause nearly a third of all information-security incidents. A recent study by the Information Security Forum[2] finds the majority of security awareness campaigns do not secure the human element.
Oil and gas organizations need to close the “knowing/doing” gap and nurture an enduring culture of security. Some recommendations to help create a stronger human firewall:
Engage people. Secure leadership sponsorship, and create a network of information security advocates to champion campaigns.
Tailor campaigns to stakeholder groups. Motivate people to exhibit the right behaviors by designing campaigns relevant to specific responsibilities, which vary widely throughout the extended enterprise, for example, IT, marketing and third-party vendors. Consider social norms and local behaviors when customizing campaigns.
Implement consequence management. Consistently reinforce prescribed behaviors through consequence management: that is, set expectations and hold people accountable to those expectations.
Leverage leading practices. Simulated attacks can test the organization’s resilience and inform the design of more effective cyber-security campaigns. Enliven campaigns with gaming, ranking and other competitive features to improve adoption and compliance.
Cultivate a learning organization. Monitor the gap between the current versus desired state of security behaviors, and make learning accessible anytime, anywhere to make campaigns an ongoing and engaging program.
The goal is to dramatically reduce the gap between knowing and doing. Oil and gas organizations can take a giant step forward by designing effective campaigns that address the human element and strengthen their resilience to cyber attacks.
[1] “Symantec Internet Security Threat Report: One New Zero-Day Discovered on Average Every Week in 2015.” Emirates News Agency, 12 April 2016 © 2016 Emirates News Agency via Factiva.
[2] “When trusted insiders are your biggest security threat.” City AM, 25 April 2016 © 2016 City AM via Factiva.