Post COVID-19, many organisations are focused on cost reduction, remote operations and improved efficiencies, while ensuring greater business resilience to future events, both economic and environmental. The current reality has rapidly changed the way people work, which has resulted in increased instances of fraudulent activity and cyber attacks.
Cyber attacks in the oil and gas industry can threaten an organisation’s information technology (IT), its operational technology (OT) and any internet of things (IoT) systems in place. A breach in industrial control systems could cause a serious occupational health and safety event which, in an industry focused on creating zero-harm work environments, could cause serious harm to an individual and to an organisation’s ability to operate.
Cyber security awareness training is often limited to office-based staff. However, the oil and gas industry has a hugely diverse workforce, with employees working in roles from truck drivers to engineers to finance officers, and in very different environments, from offices to mine sites to offshore rigs. Despite the variety of roles and locations, the cyber security threat is there for every individual, so every employee needs cyber security training. Rolling cyber security awareness into occupational health and safety awareness will make all staff aware of the implications of a cyber attack, what they need to do to help prevent one, and how to respond if one occurs to ensure safety and security.
Cyber attacks can lead to information losses and operational outages – challenges which also have further implications for an organisation’s governance obligations. The Privacy Act requires organisations to report any data breaches if the information leaked could cause serious harm to an individual. Loss of commercially sensitive information, such as past purchases, mining locations and iron ore pricing, could give others a competitive advantage if it fell into the wrong hands.
Ensuring there are plans, mechanisms and technologies in place to cover all aspects of the business is critical. Cyber security is often seen as an IT department function. However, a cyber security event can impact the people, the processes and the technology of a business and cause widespread outages. Including cyber security protection in operational and business resilience plans is essential, as it is a whole-of-business problem.
The sector is facing a series of challenges in implementing proper cyber security protocols, including:
Organisations need to identify the critical elements that need to be protected: not just assets, but also the information and data that should be tightly protected.
KPMG provides a range of services that span the complete range of considerations for an effective approach to cyber security. Strategic partnerships with world-class providers ensure our clients have access to the latest technologies and thinking to support robust, fit-for-purpose cyber security controls. In addition to our partnerships, KPMG has developed global solutions providing rapid deployment to meet critical needs.
At KPMG, we understand that businesses cannot be held back by cyber risk. Our professionals recognise that cyber security is about risk management – not risk elimination.
No matter where you are on the cyber security journey, we can help you reach the destination: a place of confidence that you can operate without crippling disruption from a cyber security event. We work with you to provide cyber security services for:
And we don’t just recommend solutions – we also help implement them. Besides helping you set the strategy, we also have deep technical skills in penetration testing, privacy, data security, business resilience and access management to help you every step of the way from concept to delivery.