Cybersecurity risks – how might mining businesses reduce the threat?
For any modern business it’s certainly hard to operate without technology. In the mineral and resources sector, the role of technology is rapidly expanding – and along with this comes enormous potential in terms of business advancement.
The flip side is being aware of and managing the related risks. In particular, the damaging impact that a cybersecurity breach or attack could have upon a business.
The Australian cybersecurity threat landscape in the last few years has gone through an unprecedented amount of change. From a risk management perspective, the early focus was all about the protection and privacy of data. Businesses are now aware of their obligations under the Privacy Act, and the threats have evolved and broadened. For example, we have seen manufacturing – a vital industry to the Australian economy – become one of the most impacted sectors when it comes to cyberattacks, despite holding little to no sensitive data.
What this means is that cybersecurity risks and the types of events we are seeing have moved well beyond documented breaches of sensitive data in the retail and healthcare sectors. Cyber threat actors have shifted from hacking to obtain sensitive data and small scale social engineering scams to large scale extortion, targeting any business which is potentially vulnerable. This trend is of particular importance to those operating in the mineral and resource sector, which is also seeing an upswing in activity from hacking and cybersecurity threat events.
It's important to know that 96 per cent of all cyberattacks are directed at small and medium sized businesses (see CFC Cyber Insurance Guide, 2022). Cyber criminals will always look for the ‘easy targets’, and as such it’s not often the large organisations they want to target, which in general have more sophisticated digital security systems in place.
cyberSuite is a cybersecurity company that often assists small and medium sized businesses with cybersecurity advice. They have ten recommendations a business can implement to prevent a cybersecurity incident or minimise the impact if one does occur. A snapshot of these recommendations is provided below.
1. Multi-factor authentication (MFA)
Implement MFA on all systems and applications, especially logon portals, APIs and inboxes for all users.
2. Validated backup and recovery for critical data
It is crucial to have isolated backups of your critical data, and practice restoration to ensure that the process is effective.
3. Cybersecurity awareness training
Education and training leads to building a security-conscious workforce.
4. Security patching
Timely implementation of critical security patches can greatly reduce the vulnerabilities available for adversaries to exploit.
5. Application control
Using application whitelisting (allowlisting), your business will only allow pre-approved applications to run on your network (e.g. Microsoft Endpoint Manager configuration profiles).
6. Implement privileged account management
Limit the duration and scope of access granted to privileged users or groups.
7. Next-Generation Antivirus (NGAV) and Endpoint Detection and Response (EDR)
NGAV and EDR can be key to preventing an attack or identifying that an incident is developing.
8. Asset management
Identify high value assets as a priority and expand to include all hardware and software assets and asset lifecycle management.
9. Develop an incident response plan
An effective plan will detail the necessary actions and decision making required during an incident.
10. Legal advisory and obligations
Engage with your legal team to map all your legal obligations in a breach and maintain a register of all contracts that contain breach notification obligations.
Enhancing IT security is a great precautionary measure and will always be an evolving process. Nonetheless, we acknowledge hackers can still gain access and cause damage so a second risk mitigation strategy to reduce the potential impact is to consider cybersecurity insurance.
What is cybersecurity insurance?
Cybersecurity insurance exists to help protect businesses against the threat of cybercrime and provides both first party and third-party cover.
The early claims seen by insurers who covered cybersecurity incidents were mainly privacy breaches, as mentioned earlier in this article. One case was an IT business who misplaced or lost multiple hard drives that contained personal information for more than one million customers. The IT company incurred legal fees in relation to the regulatory investigation and defending legal actions brought by affected customers. In addition to the costs incurred from notifying customers where personal information had been lost, the company was also fined by the privacy regulator.
A cybersecurity insurance policy not only paid for these expenses; it also gave the business access to incident response services. These are technically-led response and resumption services that step in when a cybersecurity claim is notified to insurers; that is, insurer appointed teams that help you to get the computers back on, manage regulators and get the business back up and running again. The response teams are specialists and often have expertise beyond that of in-house or external IT consultants.
Apart from privacy breaches, two other common areas for claims are ‘social engineering’ and ‘business interruption’ claims.
Social engineering – case study
A financial controller in a consultancy firm received a call from someone purporting to be from the firm’s bank, explaining that some suspicious wire transfers had been flagged on the business account. The caller insisted the funds had been stolen, and to prevent further losses a password and pin code would be required to freeze the account.
The financial controller confirmed the pin code and password, and the caller confirmed that the freeze had been applied and that they would be in contact once the situation was resolved. However, upon calling the bank the next day, the financial controller was told that the bank had not in fact been in contact, and that $170,000 had been wired out of the account and it was too late to recall.
Because the transactions had seemingly been authorised, no reimbursement was offered by the bank. The cybersecurity insurance policy containing cybercrime cover covered the full amount lost.
Business interruption – case study
A transport company suffered a ransomware attack, where cyber criminals encrypted all of their data files including their routes, logistical information, key contacts, and stock quantities – as well as their payment processing capabilities. The hackers then requested a ransom of more than $27,000 in exchange for the decryption key.
The business refused to pay the demand and instead set about reconstituting data from a collection of paper records and their employees' knowledge of operations, though this resulted in a large amount of overtime costs. What was worse, however, was the loss of business income that resulted from the extended outage of their systems and the consequential impact on operations.
Due to the attack, the business was down $80,000 in sales in the following month, amounting to nearly $1.7 million in lost revenue. Fortunately, after adjustment by their cybersecurity insurance provider, the business was able to recover nearly all of the financial loss suffered under their policy.
A good cybersecurity insurance policy goes beyond the core aspect of an insurance policy – paying for losses to put the business back into a financial position prior to that loss. It will also assist businesses with proactive services. These are the preventative services a cybersecurity insurer can provide 24/7 throughout the year to assist in preventing a cyberattack from happening to a business.
The most current wave of cybersecurity claims being seen by insurers are ransomware attacks. Since 2020, the average ransom payment has increased by around 100 per cent (Coveware quarterly report, January 2023). Tough privacy regulations and the accompanying fines have made extortion even more lucrative for online criminals, so attacks have become more frequent.
You only need to look at the enormous disruption caused by the recent cyberattacks against Medibank Private, Optus and more recently Latitude Financial to realise that cybersecurity risks are now often cited as the number one risk businesses face today.
The Medibank and Optus hacks prompted government to increase fines for massive data breaches to a maximum of $50 million.
A common question from businesses about cybersecurity insurance is whether the insurers are more likely to pay a ransom. The opposite is more often true. Businesses supported by a cybersecurity insurance policy have access to experts who can guide them through the incident and will attempt to recover their systems or data so that paying a ransom becomes the last resort. On the other hand, many small businesses without these resources assume that they have no other option but to pay.
Enhancing the IT security of a business is a vital step to securing business assets. In addition to this obvious step, cybersecurity insurance is a further valuable risk mitigation strategy for businesses to consider. It is not only an insurance policy to cover losses, it also provides access to a team of experts who work to prevent cyberattacks and can provide security advice.
This article provides general information, does not constitute advice and should not be relied on as such. Users should carefully evaluate accuracy, currency, completeness and relevance of information and seek professional advice relevant to their particular circumstances.
About Austbrokers Countrywide
Austbrokers Countrywide is the endorsed Insurance Broker to the AusIMM and has established an exclusive Professional Indemnity and Public Liability Insurance facility for members.
For more information, visit the website or contact the team at Austbrokers Countrywide about cybersecurity risks in general and how cybersecurity insurance might work for your business.