Data breaches and cyber-attacks

Feb. 15, 2017

Cyber-attacks currently cost businesses approximately $400 billion a year globally, and experts at SAP predict the costs will reach $90 trillion by 2030. That's right, "trillion" – with a "t." To counter this threat, SAP says oil and gas companies should focus on prevention, detection, and resiliency. There is an urgent need to take proactive measures to reduce vulnerabilities and protect data at all points.

To any who doubt the value in guarding against data breaches and intrusions in their organization, I suggest they talk to President Hillary Clinton.

A new survey from Accenture reveals that one in three cyber-attacks results in a security breach, and the number of cyber-attacks is on the rise, say experts on the topic. Despite this increasing threat, it is still a struggle to convince corporate executives of the seriousness of the problem and of the need to take the necessary steps to prevent attacks that could be disastrous for their companies.

Reports from various sources have pointed out that the energy sector is lagging behind other industries in protecting databases and control systems from attack. Oil and gas companies face the threat of security breaches that could damage their reputations, cause major business disruptions, and result in huge financial losses.

Writing in this issue of OGFJ (pgs. 38-39), Philip Bezanson and Carolyn Robbs Bilanko of Bracewell LLP say that data breaches can trigger investigations by the US Federal Trade Commission, the US Securities and Exchange Commission, the US Department of Justice, and state regulatory agencies, as well as class-action lawsuits and shareholder derivative actions.

"The inevitability of cyber-attacks behooves directors and officers at oil and gas companies to allocate adequate funds and time to implement cyber security risk-management strategies that protect sensitive business information and property and minimize the company's legal exposure," write Bezanson and Bilanko.

In their article, "Legal liability from cyber-attacks," the attorneys offer tips on how energy companies can mitigate their legal liability from such attacks.

The Accenture survey revealed the lack of effectiveness of current security efforts by many companies and the inadequacy of existing investments in security. The length of time it takes to detect these security breaches often compounds the problem, as more than half of respondents disclosed that it takes months to detect sophisticated breaches, and as many as a third of all successful breaches are not discovered at all by the security team.

"Cyber-attacks are a continual operational reality across every industry today, and our survey reveals that catching criminal behavior requires more than the best practices and perspectives of the past," says Russell Thomas, Canadian cyber-security lead for Accenture. "There needs to be a fundamentally different approach to security protection, starting with identifying and prioritizing key company assets across the entire value chain. It is also clear that the need for organizations to take a comprehensive end-to-end approach to digital security – one that integrates cyber defense deeply into the enterprise – has never been greater."

Cyber threats come from inside the organization as well as from outside hackers. Malicious insiders sometimes steal, manipulate, and destroy data, which has caused companies to invest in forensic data analytics (FDA) tools to investigate incidents and manage risk. An EY survey of 665 executives concluded that internal fraud risk ranks highest among their concerns at 77%, followed by cyber breach or insider threat risk at 70%.

David Stulb, EY's global leader of Fraud Investigation & Dispute Services, advises: "For organizations, the threat of cybercrime is an everyday reality, posing a dynamic and relentless challenge. This means that boards and senior management need to incorporate FDA as a critical component of their risk management and compliance programs. This is especially critical given the current regulatory enforcement environment and market reaction to instances of alleged corporate fraud, bribery, and cyber breach."

In an article in the November issue of OGFJ, "Cyber-attacks on the rise," Udi Edry, CEO of Nation-E in Santa Clara, Calif., says that, "As cyber-security continues to advance at an incredible pace, it is matched by the incessant efforts of hackers to mount perilous attacks against global corporations, government agencies, and local industrial enterprises." He suggests that oil and gas infrastructure may be the "new battlefront" in the war against terrorism.

Edry notes an upswing in investment by key industry players in cyber protection for energy-related critical infrastructure and installations.

In 2012, a malware cyber-attack on Saudi Aramco was responsible for overwriting the hard drives of as many as 30,000 workstations at Saudi Aramco and RasGas. The attack apparently was intended to stop oil and gas production in Saudi Arabia and prevent the flow of the country's oil and gas resources to international markets. Fortunately, it was not successful. But the next time a cyber-attack is launched against a petroleum company, the consequences could be dire if the company isn't properly prepared to defend itself.