Part 4 – World-Class Cybersecurity is a Team Sport
The US digital economy has seen a triple-digit increase in cybersecurity threats, and a wartime posture among bad actors is only accelerating the trend toward more sophisticated, larger, and more frequent cyberattacks. As energy leaders navigate mounting cybersecurity challenges, key concerns are top of mind: how to ensure business continuity, keep business data safe, and thwart rapidly growing attacks with shrinking IT budgets. W Energy Software’s manager of cybersecurity, Michelle Pellon, brings her voice of authority to our blog, where she presents an essential checklist for protecting your software supply chain by working with vendors who understand the risks, have a disaster recovery plan, implement certified security controls, and continuously collaborate with security partners.
Where there is smoke there is fire. In my first blog on software supply chain security, I dropped some large numbers on the increasing volume of cyber-attacks, but even if I didn’t have these numbers, you can still see just how cybercrime has become the new normal by the number of defenders who are also on the battlefield. In the US alone, there are approximately 3,500 cybersecurity firms teaming up with businesses of all sizes with most major insurance providers now offering cybersecurity coverage. And from the FBI and other federal law enforcement agencies to local government and industry knowledge-sharing groups, cybercrime is encountering stiff resistance from a united front.
Over the course of the last few blogs, I examined why oil & gas companies who want to ensure business continuity and protect against cyber-attacks should take a hard look at their software supply chain by exposing potential vulnerabilities not just in the core pieces of software they rely on but digging into the hundreds or even thousands of sub-components energy solutions are built on. I then went on to show what great information technology security looks like and how your software vendors should be prepared to help you recover data and restore your oil & gas business operations following a successful cyber-attack. Best-in-class cybersecurity takes more than what a single organization can muster on its own – fighting back requires pooling all available knowledge among security partners, the topic of today’s post.
Cybercrime: The Cost of Doing Nothing
Cybersecurity Ventures research estimates that cyber-attacks will cost companies around the globe $10.5 trillion annually by 2025, which is a $7.5 trillion increase from 2015. The cybersecurity firm also reports that cybercrime will increase 15% year-over-year, representing the biggest transfer of wealth in history.
It’s not just large enterprises that are under assault. Small and medium-sized businesses are increasingly the target of more advanced, frequent, and devastating cybercrime. The Cost of Cybercrime Study from Accenture cites 43% of all cyber-attacks now target small to medium-sized businesses yet only 14% of these companies have the people, processes, and technology in place to defend against cybercrime.
Think before you open and click e-mail.
Most cyber-threats (57%) come from phishing and social engineering, including more targeted forms: spear-phishing, which singles you out rather than relying on a brute-force spam approach, and whaling, which targets executive leadership. Your identity is also being targeted, with 33% of cyber-attacks stemming from stolen or compromised devices and 10% from credential theft.
With such a large-scale cybercrime problem, how can any business safely operate in today’s digital economy? The digital oilfield ecosystem is no exception: despite being technology providers, most oil & gas software vendors fall into the highly vulnerable small to medium-sized business category, and many of them are demonstrably not interested in your cybersecurity.
The Value of Service Organization Controls
Have you asked your software vendor about their cybersecurity readiness lately? As part of license renewal or an RFP, perhaps your team requires a certain level of proof that vendors are “secure.” Some of your vendors may have even handed over their security score (akin to a credit score), yet the dubious nature of how these scores are obtained should be a big red flag. The gold standard you should be looking for is the Service Organization Controls (SOC) certification.
At W Energy Software we will proudly tell you about our robust cybersecurity policies, readiness, and response plan, but we will also tell you not to take our word for it. Instead, we provide proof of our readiness through independent, third-party audits of our systems and security controls via a CPA firm that follows the rigorous SOC standards defined by the AICPA. Many of our clients entrust us with their financial data and as such any compromise of data on our end can impact their financial reporting. This is why we are fully certified in SOC1 Type II.
W Energy Software is also certified in SOC2 Type II, ensuring that our information security backend and controls are hardened against cyber-attacks. This is proved out by the auditing firm’s team, who certify our safeguards with penetration testing. If your other software vendors can’t provide SOC1 and SOC2 reports, or attempt to provide a score instead, you are opening up your organization to significant cyber vulnerabilities.
Partnership and Collaboration, Keys for Cyber-Success
I’ve talked a lot about systems and controls as being critical to effective cybersecurity. Partnership is just as important, which is why I like to think about the ongoing high-stakes game with bad actors as a team sport. Cyber-attackers have gone mainstream and it’s big business. As an industry, we must respond by joining forces to leverage our mutual strengths, pool intelligence, and stay several steps ahead of emerging threats.
For obvious reasons, it’s not in the interest of W Energy Software or our clients for me to divulge exact details about our various security partners. I can say that we actively collaborate with cybersecurity firms and industry groups like the Oil & Natural Gas Information Sharing and Analysis Center (ONG-ISAC). And by actively, I mean each and every day. That includes federal law enforcement: through daily FBI briefings, we are plugged into the global security posture of bad actors.
People, process, technology, and partnerships – W Energy Software has not only built a state-of-the-art oil & gas ERP optimized for the cloud, but we have also built world-class cybersecurity to safeguard our end of the software supply chain and ensure your oil & gas business continuity.
Stay tuned as I bring this blog series to an end in my next post where I’ll share my thoughts on why trust is imperative for a new, secure digital oilfield and why your software vendors should continuously innovate and add value when it comes to cybersecurity.