At the end of June, Detour Gold reported that its IT systems had been subject to an “illegal breach” that resulted in confidential information being “accessed and disclosed by hackers.” The stolen information included personal information of the company’s current and former employees, as well as of individuals to whom Detour had made a formal offer of employment. The gold producer said external and internal IT experts were assessing the risks of further illegal access to its systems, and investigating the source of the breach.
The disturbing news follows a report last December from Germany’s Federal Office for Information Security, which detailed how hackers had infiltrated an unnamed German steel mill and made it impossible for the company to shut down a blast furnace at the facility, causing massive damage.
According to Wired magazine, which translated the report into English, “the attackers infiltrated the corporate network using a spear-phishing attack — sending targeted email that appears to come from a trusted source in order to trick the recipient into opening a malicious attachment or visiting a malicious website where malware is downloaded to their computer. Once the attackers got a foothold on one system they were able to explore the company’s networks, eventually compromising a ‘multitude’ of systems, including industrial components on the production network.”
In Ernst & Young’s latest annual report analyzing and ranking the top-10 strategic business risks facing companies in the mining and metals sector, cybersecurity took the ninth spot, moving up from its eleventh-place finish the year before. The survey — based on discussions with global mining and metals companies — found that 65% had experienced an increase in cyberthreats over the past 12 months. Despite the increased threat, however, only 47% of respondents said they planned to enhance their organization’s total information security budget in the next 12 months, and 42% did not have a threat intelligence program in place.
Iain Thompson, who was not involved in the survey but works in Ernst & Young’s mining advisory practice in Vancouver, tells The Northern Miner that the place to start is to understand the risk. “If you haven’t identified it as a risk, there’s issue one,” he says. “What I would advocate to our clients in the space is to make sure they incorporate this into their risk program.”
Thompson believes cybercrime is becoming more common because a lot of mining companies are taking closed networks and integrating those networks with corporate systems to address certain challenges around productivity. “They’re putting more information technology into mine sites to better manage their production, but as they start to do that it introduces additional potential risks, and they have to make sure they have the right systems in place to address those risks,” he says.
Thompson points out that a lot of cyberthreats have gone underreported for various reasons and that the typically high-value transactions in the mining industry provide opportunities for social, economic and political gain. Risks to companies are varied, but can include damage to a corporation’s reputation, dangers to health and safety, and access to undisclosed information — such as merger and acquisition plans — that can be used to manipulate markets, or result in trading advantages.
Matthew Hart, a veteran observer of the mining scene and author of Gold: The Race for the World’s Most Seductive Metal, says the damage to the German steel mill last year could have helped a competitor, and argues that “there are going to be more points of entry [for hackers], as the mining industry becomes more automated.
“There are just more ways they can hack you,” he explains in a telephone interview from New York, adding that he doesn’t believe the mining industry is prepared. “You can’t deny cybercrime is one of the biggest threats to business and to our financial security in general, and I just don’t think the mining sector is as attuned to this threat as are many other industries.”
Hart’s views are echoed by Sarah Bloom Raskin, Deputy Secretary of the U.S. Department of Treasury, who urged financial and public institutions during a speech in March to recognize the risk of cyberattacks “as perhaps the most pressing operational risk of our time.”
According to PwC, cybersecurity incidents surged 48% year-on-year in 2014. PwC surveyed 9,700 respondents worldwide and found that the average loss from a cybersecurity incident last year was $2.7 million, up 34% over 2013, and that there was a 92% increase in companies reporting a loss of $20 million or more.