LAW
How to manage the risk of cyber attacks By Ruth Promislow
C
ybersecurity attacks remain a primary business risk for mining companies. These attacks typically involve encryption of the company s data, e filtration of the data, demands for payment of a ransom fee, and public ‘shaming’ – a newer technique – where the criminal actor reaches out to employees, c stomers or vendors to advise that their confidential information has been stolen. Cybersecurity preparedness is key to minimizing both the risk of being victim to an attack and the impact of such attack. elo are five ey steps that mining companies or any company) can take to manage the risk of cybersecurity incidents. 1 | Do not delegate cybersecurity preparedness to IT Managing the risk of cybersecurity incidents is not simply a matter of information technology . ris management framework that engages various divisions of the company, incl ding , is re ired. t a senior o cer level, an individ al responsible for ris management should review the following and then make informed decisions about how best to manage the risk: > the specific ris s of attac the company faces e.g. ho could an attacker compromise the company either through a direct attack or an attack on a third party, and what harm to the company or third parties could arise from such incident); and > the potential dollar val e impact of those ris s e.g. costs of business interruption, containment, remediation, risks of regulatory inquiry and litigation). With a framework of the risks and consequences, the mining company can then develop relevant policies and protocols to control for the risks that are particular to the organization. For example, an attack on a supplier or vendor whose operations are integral to the business of the mining company could interrupt the ability of the mining company to operate. The relevant policy and protocol would involve the insertion of key contractual provisions in the agreement with this third party to control for this risk. Such provisions may require the supplier or vendor to employ a certain level of security safeguards, to notify the mining company of relevant sec rity incidents, provide indemnification of specified ris s, and or proc re cyber ins rance. 2 | Patching The failure to patch software to control for known vulnerabilities remains a frequent gap in cybersecurity preparedness. atching involves a modification to soft are to improve among other things its sec rity based on imperfections or v lnerabilities that have been identified.
6 | CANADIAN MINING JOURNAL
The absence of a strategy to address patching is often the source of cybersecurity incidents. Mining companies should ensure they have a written policy and protocol to address the key elements of patching incl ding ho is responsible for overseeing the patching, the timeframe within which they are required to patch, and a list of all software used by the company). 3 | Backups Having off-line, off-site and tested backups of data is key to being able to recover from a ransomware attack without the need to pay the ransom demand. Management should speak ith the person responsible for to nderstand hether and hy is confident that the mining company can recover sing backups in the face of a ransomware attack, approximately how long it would take to recover from backups and how the recovery process would affect operations. 4 | Employee Training Human error accounts for a substantial percentage of cybersecurity incidents. Typically, the human error involves an employee clicking on a malicious link, leading to the installation of malware onto the company network. Regular training of employees is critical to minimizing this occurrence. Further, if organizations track the nature of attempted attacks, they will be better e ipped to tailor the training for specific gro ps within the company to address the particular risks they face. 5 | Land mines in the face of an attack n the face of an attac , there are ey steps to ta e on an rgent basis including the following: > remove the intruder and any hidden traps set by the criminal actor; > preserve forensic evidence to inform how the intruder compromised the company and what they did while they had access to the network; > comply ith reg latory compliance obligations hich may involve multiple jurisdictions and short timeframes within which to report); > control the narrative in the public domain; and > manage litigation ris avoid damaging paper trails and preserve legal privilege). cting at an early stage ith the assistance of e perts incl ding external counsel and a forensic team) can help reduce the costs associated with containment, recovery and response to the attack. CMJ RUTH PROMISLOW is a partner at Bennett Jones, Toronto.
www.canadianminingjournal.com
