Part 3 – Why Software Licenses Should Include Disaster Recovery
The US digital economy has seen a triple-digit increase in cybersecurity threats, with a wartime posture among bad actors that is only accelerating the overall trend toward increasing sophistication, size, and volume of cyberattacks. As energy leaders navigate mounting cybersecurity challenges, key concerns are top of mind, including how to ensure business continuity, keep business data safe, and thwart rapidly growing attacks with shrinking IT budgets. W Energy Software’s manager of cybersecurity, Michelle Pellon, brings her voice of authority to our blog, where she presents an essential checklist for protecting your software supply chain by working with vendors who understand the risks, have a disaster recovery plan, implement certified security controls, and continuously collaborate with security partners.
These are dangerous days in the digital oilfield. Our digital pipelines and oil & gas business software represent a vast, complex, and constantly evolving ecosystem that extends from the wellhead and back-office systems to critical midstream infrastructure spanning US basins. Custody transfer and hydrocarbon measurement, well, that’s the oilfield’s cash register, and digital vulnerabilities up and down the value chain put your revenue at risk. With record-high commodity prices and windfall profits, oil & gas companies are looking even better to ransomware attackers, not to mention a geopolitical situation that President Biden has just recently advised may spill over into US cyberspace.
Over the course of this blog series, I am recommending that you challenge each and every vendor in your software supply chain with a core set of questions that will reveal their readiness to prevent and manage the impact of cyber-attacks. In my first two posts, these challenges centered on vulnerabilities in third-party components (i.e., the bill of materials your vendors should provide without you having to beg for it) and the people, processes, and tech your vendors have in place to protect your data. Today, I am asking you to challenge your vendors further by asking them: what is your plan for recovering data and ensuring my oil & gas business continuity if your systems, software, and data infrastructure are successfully attacked?
Let’s Talk About the Digital Elephant in the Room
When it comes to information security readiness and cyber-resilience, a lot of focus is placed on prevention, with many IT teams believing that if you throw enough tech and security policy at the problem, successful cyber-attacks can never happen. I am in the camp of plan for the worst, hope for the best. Information security readiness goes well beyond prevention, which unfortunately most oil & gas software vendors have yet to master. Highly effective readiness includes having a plan in place to rapidly recover from a successful cyber-attack.
In oil & gas, we’ve become familiar with the term “big data,” which is the increasing volume, variety, and velocity of information in the oilfield. Same idea in cyberspace – big threats to your business continuity are emerging from the increasing volume, variety, and velocity of cyber-attacks. So, the elephant in the room that most of us like to avoid talking about is not if, but when your team and the software supply chain you rely on will be impacted.
6 Impact Areas for Oil & Gas Teams
There are many ways a successful cyber-attack can damage your business, starting with the immediate impact that a complete loss of data will have on organizational output. If you are an E&P, that means your land department has to fall back to managing leases and tracking obligations by sifting mountains of paperwork. Field data capture comes to an immediate halt, and you instantly lose visibility into production, revenue, and lease operating expenses. Oh, and that on-premise production accounting, division order, and revenue disbursement software you license has been completely wiped out with no data backup safety net from the vendor, leading to organizational gridlock while all of your interest owners go unpaid.
Cyber-attacks can threaten your capacity to even continue operating, which has far-ranging negative impacts not just internally, but also in terms of reputational and brand damage. Our industry is built on reputation and the trust we place in oilfield transactions, all of which suffer long-lasting damage from loss, theft, or corruption of your stakeholders’ data as well as the spillover (spread of malware or vulnerabilities) into your partners and customers.
And it only gets worse from the legal and regulatory impact of cyber-attacks, which can result in fines and other costs of not being compliant with government agencies for the period your organization is down.
Finally, there is the financial impact beyond lost oil & gas revenue, such as higher cybersecurity insurance premiums (if you are lucky enough to have any) and the cost of incident response services to recover your business continuity.
W Energy Software’s Disaster Recovery Plan
Every vendor in your software supply chain should provide your oil & gas team with assurance that no matter what happens on their end, your data and ability to continue operating are a priority. Disaster recovery should be part of the license in my view, just as important as the core business functionality you pay for. A solid cybersecurity insurance policy is part of the solution, but just like trying to get life insurance, if a vendor’s information security health is questionable, they may not even qualify, or they may be forced to pay outrageous premiums that they pass back to you, the customer.
W Energy Software not only has great cybersecurity insurance, but we also know exactly what healthy information security looks like, build cyber-readiness into our DNA, and ace our insurance application every year. But vendors must do more.
W Energy Software delivers software as a service, or SaaS, hosting 100% of our solutions and customer data on the world-class Amazon Web Services (AWS) cloud. When your solution is delivered as a SaaS solution, the reliability of the security apparatus that protects customer data is wholly the responsibility of the vendor, versus on-premise oil & gas software, which completely dodges the responsibility of ensuring data and business continuity.
We provide our clients with robust disaster recovery options using technologies such as AWS Simple Storage Service (S3) and Cross-Region Replication. We provide daily backups of your oil & gas business data, stored in geographically distributed locations online and on physical media, and – this is important – we test our backups to ensure they’ll work when needed.
W Energy Software goes even further to help recover clients from a cyber-attack by minimizing spillover. Each client’s data is completely isolated, protected with bank-grade encryption, and only accessible over the web using Secure Sockets Layer (SSL), so one impacted client can have less impact on others.
One major advantage of W Energy Software is our unified energy-focused SaaS ERP. If you rely on 6 software vendors to run your oil & gas business then that leaves a lot of room for potential threats to creep into your organization and, as I’ve argued throughout this series, the maturity of information security among most energy software providers is very low. On the other hand, upstream and midstream clients of W Energy Software can minimize their software supply chain footprint with a single vendor through our integrated suite of oil & gas solutions, all while running their business on the latest technology optimized for the cloud and safeguarded with the right measures to protect and even rapidly recover from cyber-disasters.
Be sure to read or revisit my introduction to this series where I identified the growing threats in the digital oilfield and stay tuned for my next blog on teaming up with cybersecurity partners to force multiply information security advantages.