Cybersecurity today is not only a technical challenge but also a human one: a matter of security culture. Criminals do not only exploit technical deficiencies; they often rely on people to gain access to sensitive data, and it is therefore the human factor that causes the most serious security breaches. Building and maintaining a strong security culture is therefore an extremely important part of cybersecurity work.

What is security culture?

Security culture is the shared values, conceptions, attitudes, knowledge and behaviour of individuals and groups in an organization, focused on creating security in the business. It is about how employees' values affect the way they think and act in relation to risk and safety. It therefore has a great impact on how people work and influences employees on a daily basis.

What is a good security culture?

In a good security culture, everyone is aware of the risks and has both the knowledge and the will to help reduce them through their actions. Security thinking is an obvious part of the business. In other words, the security culture greatly affects how people work and prioritize, and in different ways creates the conditions for employees to work securely. Another characteristic of a good security culture in a workplace is that management prioritizes and handles security issues at all levels of the business, so that they are part of the culture.

A good security culture reduces the risk of security breaches

According to NTT Security's Risk, Value Report 2019, it costs an average of EUR 3 million to recover after a security breach. For 2018, the figure was EUR 1 million, which means that the cost has increased dramatically. With a good security culture, you can minimize unnecessary security problems. This reduces the risk of major operational disruptions, and the high costs of trying to repair security breaches can be avoided.

Young people are often less aware of the importance of security culture

According to a report from NTT Ltd, those under 30 are often the worst at security in the workplace. Millennials, i.e. those born between 1980 and 2000, have grown up with technology as a natural part of life, but that does not automatically make them more cybersecure; rather the opposite. For them, speed, productivity and flexibility are more important, and they often have a more relaxed attitude towards cybersecurity, which actually makes them a ticking security risk. Making them aware of risks and teaching them how to work securely without becoming more inflexible are therefore priority measures.

How do we improve the security culture?

To improve the security culture, attitudes and behaviors must change. Organizations must see cybersecurity and security culture as a business-critical activity, not as an isolated IT issue, and management must prioritize the issue.

What should permeate the work on security culture is the idea that security enables the work rather than hindering it.

Some simple concrete steps that everyone can follow are the following:

  • If you have something of value at home or in the workplace, you lock it up, have an alarm and keep track of who is allowed to come in. Do the same with digital information.
  • Don't use the same password for everything, and preferably use two-factor authentication when possible.
  • Remember to use a good password and never give the password out to anyone else.
  • Avoid browsing on public Wi-Fi networks where security is not the best.
  • Do not click on links in suspected phishing emails, and report to the IT department as soon as you suspect you have been subjected to a phishing attempt.
  • Try to have regular boost sessions where you talk about security, remind yourself which security policies exist, and go through their contents.
  • Keep your devices updated, i.e. carry out all updates. The reason is that these updates contain security enhancements that you should of course be aware of.

Need help getting started with a better security culture at your workplace?

You are welcome to contact us at Advenica. We have long experience in cybersecurity and know what is required and which procedures and processes you need to go through in order to create a strong security culture.
 

A cyberattack on oil and gas control systems can result in severe consequences to human safety and the environment in the form of ruptures, explosions, fires, releases and spills.
This implies that cybersecurity measures should be fully implemented in this sector. But that is not the case – which is a huge risk to both society and the environment.

The oil & gas industry is dependent on digital technology

The ICS and SCADA systems used in this sector are dependent on digital technology. Oil and gas companies rely on highly connected data and control systems to facilitate exploration, drilling, system monitoring and to optimize production from onshore and offshore resources. 
Previously, the networks used between process equipment and control systems were isolated from other networks such as the internet, but that is no longer the case. The need to transfer production data to IT systems, and for remote maintenance of the systems, means that such separation is no longer practically possible.

This increased use of automation within the sector is needed to manage costs, to extract the most value from current assets and to maximise up-time.
But as the dependence on IT technology has grown, so has the vulnerability to cyberattacks, which leads to an increased risk of threats to the ICS and SCADA networks.

Low cybersecurity awareness in the oil & gas industry

According to the latest report by Dragos, the oil & gas industry is an especially valuable target for adversaries seeking to exploit industrial control systems (ICS) environments. One major reason is that this sector still has critical IT vulnerabilities left unprotected, i.e. cybersecurity measures have not been implemented.

One example of a company that was hit is Saipem, an Italian oil and gas industry contractor, which in December 2018 fell victim to a cyber-attack that hit servers based in the Middle East, India, Aberdeen and Italy. The attack, which used a variant of the notorious Shamoon virus, crippled between 300 and 400 servers and up to 100 personal computers, which led to the cancellation of data and infrastructures.

But why is the cybersecurity awareness so low in this sector?
A major challenge with all security is awareness and training among employees – to have a security culture. Malicious code is usually spread due to human error: through attachments in emails that are opened, memory sticks that are inserted, laptops that are connected to unknown networks, etc.
Within the oil & gas industry most of the staff is located onshore and a lot of work is done remotely. Attention to security, and building a security culture, may then not be the highest priority. Without this awareness, the right equipment is not installed, mistakes are more likely to be made, and the likelihood of unwanted incidents increases.

How to work with cybersecurity in the oil & gas industry

With the sector facing such a high cyber risk, it’s more crucial than ever for oil and gas organizations to adopt a cybersecurity culture and move from reactive to proactive.

Employees must be informed about the risks and taught how to minimize vulnerabilities. Old equipment and systems must be replaced, and networks should be separated.
To protect data in ICS/SCADA environments, organizations in the oil and gas industry also need technical solutions that prevent leakage and maintain network confidentiality. Robust cybersecurity is an absolute necessity for safe, continuous and reliable operations and can be a reality with the right solutions.

Need some help?
Advenica has long experience with cybersecurity and with securing critical data. We can help you with cybersecurity advice on how to build a cybersecurity culture and with future-proof, high-assurance cybersecurity solutions that will make sure you can have a secure digitalisation.

You are most welcome to contact us!