Changing Human Behavior Key to Thwarting Cybersecurity Attacks

Despite increased spending on technology to stave off cyberattacks, companies are getting compromised more and taking bigger hits.

The revenue of cybersecurity companies traded on the public market grew an annual average of 20 percent last year, said Rohyt Belani, co-founder and CEO of PhishMe, during a keynote presentation at the API Cybersecurity Conference Wednesday in Houston. But a PwC report found that the number of reported cybersecurity incidents rose by 48 percent this year, and the number of companies reporting cyber-related financial hits of over $20 million grew by 92 percent.

“We love silver bullets in cybersecurity,” said Belani.

However, companies using this approach will likely fall flat on their face. Just like living a healthy lifestyle is no guarantee against a person getting cancer, cybersecurity is about mitigating risk and rapidly responding to events. But cybersecurity preparedness provides no guarantee that an incident won’t occur.

“Often what I find is that people equate compliance with security,” said Belani, but compliance isn’t enough. Instead, a threat-based approach is needed.

The oil and gas industry loves shiny new balls, such as Big Data, Internet of Things, Hadoop clusters and analytic tools to address cyberattacks. But with 91 percent of cyberattacks starting with spear phishing, the industry still hasn’t gotten the basics down, said Belani.

Current cyberattack detection methods are failing. According to Belani, 31 percent of compromises are detected internally, while 69 percent of cyberattack victims are notified of the breach by an external entity. Citing the 2010 case of Times Square T-shirt vendors who notified police of a suspicious car parked nearby – turns out the car had explosives – Belani said oil and gas companies don’t need technical ninjas, but just for people to be conceptually aware of things that look out of place.

Instead, oil and gas companies need to study how to change behavior. And while compliance requirements are critical, companies need to create a work culture that makes it okay to come forward when mistakes are made, Belani said.

“Will we finally succeed at getting people not to be stupid?” Belani asked.

However, he does see hope.

“If we can train fighter pilots to land on aircraft carriers in the middle of the sea at night, we can teach workers to report suspicious things in rapid form.”

Despite the oil price downturn, cybersecurity still seems to be an area of focus for oil and gas companies, said Bill Stewart, who heads up Booz Allen Hamilton’s commercial cybersecurity business, in an interview with Rigzone.

The number of cyberattacks against oil and gas companies grew this year, and will likely keep growing in the near-term, Stewart said. The primary motivation behind cyberattacks today is to gain an economic advantage – such as stealing information on another company’s merger and acquisition plans, business strategies and hydraulic fracturing techniques and drilling plans. Nation-states appear to be behind attacks motivated by economic advantage, while actors such as the Iranians are more interested in destroying SCADA or IT systems via malware. Malicious actors are using Dark Web to exchange information, selling information they’ve captured but can’t use. Competition will likely continue increasing as Saudi Arabia continues dumping oil on the global market.

The good guys need to find ways to get more out of internet technology.

“Unfortunately, adversaries have a huge advantage in that they only need to find one way in. With new attacks occurring every day, the oil and gas industry faces the challenge of finding ways to quickly respond to new malware and new attack vectors,” Stewart said.

While the defensive systems used by oil and gas companies are getting better, many of these systems rely on pattern recognition, which cyberattackers are able to infiltrate. To cope, oil and gas companies are exploring the use of Big Data to look or and prevent attacks. Many large institutions are creating cyber-fusion centers, which monitor for physical security, cybersecurity and fraud, said Stewart.

At the macroeconomic level, the regulatory mandates addressing cybersecurity in oil and gas aren’t in place due to the government stalemate on the issue, said Stewart. While the U.S. government arguably has the best cyberdefense capability in the world, this capability is not applied in large measure to support commercial industry.