Data Security Alarms Should Be Sounding for Oil and Gas

By Tyler Chase, Managing Director
Energy and Utilities Industry Leader

Oil and gas industry executives don’t need to see a new Wikileaks story about secret CIA hacking tools or hear more about the electronic penetration of presidential campaigns to understand the seriousness of a potential digital hack to their operations.

But it’s a large step from knowing a risk exists to being ready for it. Achieving confidence in the ability to manage such risk can involve substantial new investments and operational adjustments, even for an industry accustomed to meeting regulatory, operational and market challenges.

Protiviti’s recently released 2017 Security and Privacy Survey indicates that oil and gas companies are facing their cybersecurity challenges in ways similar to other industries. The survey’s main findings include:

  • Nearly one in five companies cannot confidently identify or locate their “crown jewels,” or most valuable data assets, because they lack an effective enterprisewide data classification scheme and policies.
  • How well companies manage their vendors’ security practices marks a notable difference between top security performers and the rest.
  • Companies with a high level of board engagement in information security issues rate considerably higher than those without such involvement in nearly all facets of information security best practices. These companies also report a higher level of confidence in their ability to prevent an opportunistic data breach.

These findings largely correspond to what we have seen among our own energy clients. One difference we have noticed, however, is that energy companies tend to have little to no formal documentation on testing of security incident response plans, compared to other industries. This could mean that energy executives lack the evidence to claim the same level of breach-response preparedness that some other industries can demonstrate. I would argue that, as operators of critical infrastructure, they should have it.

Although Protiviti energy clients indicate they are committed to security, we see about the same 38-percent level of compliance with implementation of the five core information security policies identified in the Protiviti survey: acceptable use, records retention/destruction, data encryption, information security, and social media policies.

In addition, energy companies, specifically those in exploration and production (E&P), have been hesitant to invest in tools to identify where their “crown jewels” are stored, apparently on the basis that many do not feel their company is much at risk because it does not retain much sensitive data. However, many common processes at E&P companies (e.g., escheat and royalty owner payments) do involve sensitive information protected by state privacy laws (e.g., individual tax ID numbers are actually Social Security numbers). Further, company confidential information, such as reservoir data, land acquisition data, and merger and acquisition activity, would be considered data that requires identification and protection. Very commonly, even where these processes are mostly manual, this information is digitized (e.g., scanned documents) or entered into a system. If the company does not know what data exists and where, it will have a difficult time protecting it.

Energy executives and boards would be wise to ask themselves some worst case scenario questions and know the answers now rather than having to discover them under fire later:

  • If our data assets were compromised, could they be reconstructed, and how long would it take?
  • If field operations were disrupted by an attack on the operational control system, how much revenue would be lost per week? Per month?
  • If competitors or counter-parties were able to learn confidential details of our strategies and plans, where would our company be most vulnerable?

The bottom line is that what you don’t know, such as where your critical data is, can, and eventually will, hurt you. With all issues of cybersecurity, it’s only a matter of time.

Alyssa Brister and Luis Castillo from Protiviti’s Technology Consulting practice contributed to this post.

Board-Level Cybersecurity Discussions Must Be Proactive, Have Substance, and Inspire Real Change

By Gordon Tucker, Managing Director
Technology, Media and Communications Industry Leader

Cybersecurity is a hot topic in most boardrooms today. Not a shocking revelation, certainly. But keep in mind that, in many organizations, it has taken a long time for this issue to even become an agenda item for the board. Among them are technology, media and communication companies, which should be helping to set the standard for cybersecurity best practices. Many of these companies are doing that, of course, but others still have a lot of work to do.

While it is good news that more boards of directors are talking about cybersecurity, there is a problem: These discussions are too often prompted by a headline-grabbing data breach or hack that has rattled the business or its peers in the industry. This reactionary approach needs to change if boards and executive management truly want their organizations to be prepared to weather a cyberattack or other disruptive cyber event, and its potential consequences.

Success in a digitized world hinges on effective cybersecurity

Taking a more proactive view toward cybersecurity will also help businesses to succeed in a digitized and hyperconnected Internet of Things (IoT) world. At the World Economic Forum’s annual summit in Davos, Switzerland, this year, cybersecurity experts discussed how this rapidly emerging world will help businesses to reach new heights of productivity — provided they build effective cybersecurity.

This future is not far off, which is why there is an urgent need for boards and executive management to change how they talk about cybersecurity. They need to focus less on worrying about the potential reputational or financial risks of a single embarrassing cyber incident, like a phishing campaign that targets the CEO, and focus more on helping the business define and develop an overarching set of activities that will help it create a stronger, more resilient security environment.

Board engagement as a cybersecurity success factor

For those boards that still view cybersecurity as primarily an “IT problem” — and they are still out there — Protiviti’s 2017 Security and Privacy Survey presents some findings that should help to change at least a few minds. The research found that organizations that are top performers in terms of adhering to security and privacy best practices have two critical success factors present:

  • Their boards of directors have a high level of engagement in, and an understanding of, information security risks that the organization faces.
  • They have a comprehensive set of information security policies in place, including acceptable use policies, data encryption policies, and social media policies.

One-third of businesses surveyed describe their boards as highly engaged with information security risks. This is a five-point increase from the 2016 survey. Protiviti’s survey report notes that this positive trend “reflects the fact that the [information security] issue is not merely about technology, but rather represents a top strategic risk” for today’s businesses.

Fostering more meaningful discussions

Besides viewing security as just an IT problem, another reason many boards fail to have meaningful cybersecurity discussions is the sheer complexity and tremendous scope of the issue. Technology touches almost every aspect of the business, and cyberthreats that target systems and data are growing in sophistication. IT teams themselves struggle to understand the rapidly evolving cyber risk landscape.

Another problem: Boards are often provided information about cybersecurity risks that is far too technical. Cyber risks and recommended solutions for addressing them are not being described by technology leadership in business terms that the board can swiftly analyze and make decisions on.

In our 2017 Security and Privacy survey report, we recommend that technology leaders take care to clearly communicate relevant security matters to all stakeholder audiences. For boards, in particular, they should provide information in nontechnical terms to the extent possible, and prioritize discussion of issues based on the business risks that each risk poses to the organization.

By the same token, Protiviti’s security experts who authored the survey report advise boards to start “asking more, and more detailed, questions about organizational security efforts.” These questions, which should be posed to business, technology and internal audit leaders alike, should include:

  • Do we know how the company’s critical data is collected, stored and analyzed?
  • What framework or activities does the business have in place, or is it developing, to help protect our data and our intellectual property?
  • How is the success of those activities measured?
  • If the organization experiences a significant breach, what is the response plan?
  • How are employees trained on cybersecurity issues, how often and by whom?

These are just some examples of baseline questions that can help boards at technology, media and communication companies begin to have more productive and forward-looking conversations about cybersecurity with the business. More important, these questions will help to lay the groundwork for proactive discussions about emerging risks around digitization and the IoT — the next major technological challenges that technology, media and communication businesses must be fully prepared to face if they are to survive.

Some Considerations for Manufacturers as U.S. Lawmakers Work to Peel Back Regulations

By Sharon Lindstrom, Managing Director
Manufacturing and Distribution Industry Leader

It took the new Trump administration essentially no time to start issuing executive orders and presidential memoranda designed to ease regulations on U.S. businesses. Certain changes the administration is advocating would be welcome news for manufacturing and distribution companies, such as:

  • A presidential memorandum that is intended to streamline federal permitting processes for, and to reduce regulatory burdens that affect, domestic manufacturers.
  • An executive order that orders a review of the Dodd-Frank Wall Street Reform and Consumer Protection Act (DFA). Scaling back these financial regulations, which were instituted in 2010 following the financial crisis, would reduce reporting requirements for many businesses.

Potential Suspension of DFA Section 1502

One DFA-related change that the Trump administration is reportedly considering could benefit many manufacturing and distribution companies: suspension of Section 1502. The so-called Conflict Minerals Rule requires certain public companies to disclose whether they use specific conflict minerals that originated from the Democratic Republic of the Congo or nine adjoining “Covered Countries.” Conflict minerals, such as tin, tantalum, tungsten and gold, are used to manufacture products across a wide range of industries, including technology and consumer products. Section 1502 required companies to assess whether any manufactured products contained such minerals and determine whether these materials originated in the Covered Countries by conducting supply chain due diligence and reporting annually.

Overtime Exemption Rule on Ice

The future is also uncertain for the controversial Fair Labor Standards Act overtime rule, which was introduced during the Obama administration and was supposed to go into effect on December 1, 2016. The rule raised the salary threshold for overtime eligibility: salaried workers who earn less than US$47,476 annually would be eligible for overtime pay when they work more than 40 hours a week. Companies must either compensate these workers with overtime pay or raise their salaries so they are above the threshold.

The National Association of Manufacturing’s Center for Manufacturing Research has estimated that overtime costs for manufacturers will reach $24 billion within the next 10 years under the Obama overtime regulations. However, the final overtime exemption rule under the Fair Labor Standards Act was blocked by a federal court in Texas one week before its effective date. In January, the Trump administration essentially put the rule on ice following a regulations freeze.

Regulatory Risk: It’s Still Out There

Manufacturing and distribution executives must consider the potential risks that accompany regulatory changes that are already in the works or that may be on the horizon. Industry executives who took part in the latest Executive Perspectives on Top Risks Survey from Protiviti and North Carolina State University’s ERM Initiative cited the following as a top risk for their companies in 2017: Regulatory changes and regulatory scrutiny may heighten, noticeably affecting the manner in which our products or services will be produced or delivered.

Change takes time, and many of the regulatory changes proposed in recent weeks could take years to fully play out. As The Wall Street Journal noted in a recent article about Trump’s executive order stipulating that government agencies eliminate two regulations for each new regulation they introduce: “[Any] effort to scrap a regulation triggers its own process, complete with draft rules, comment periods, and regulation rewriting. That process [also] can be subject to litigation.”

While certain changes would be welcomed by manufacturing companies, the changing global trade landscape must be monitored vigilantly, as well. The Trump administration’s approach to trade and negative view toward multinational trade agreements are likely to create previously unanticipated challenges, costs and risks for manufacturing and distribution companies inside and outside of the U.S. For some of these businesses in the U.S., any potential regulatory relief may be offset, at least in the short term, by revisions to free trade agreements that could impact the ability to conduct business with trusted partners in other countries.

Still, for now, manufacturing and distribution companies have a lot to be optimistic about. Even before Trump took office and started taking steps to ease regulations, there were signs that the U.S. manufacturing industry was beginning to grow again. The Institute for Supply Management Index hit 56 percent in January, rising 1.5 percentage points from December and exceeding many economists’ expectations. This is the fastest pace of growth in more than two years.

Building Cyber Resiliency Is the Path to Better Brand Protection for Consumer Products and Services Companies

By Rick Childs, Managing Director
Consumer Products and Services Industry Leader

Last week, I wrote about customer loyalty, and how a strong cybersecurity program can help ensure the trust of consumers. Here are some fresh stats about the business impact of cyber threats that consumer products and services executives should know about: In 2016, one in five businesses lost customers due to a cyber attack. Nearly 30 percent lost revenue. About one-quarter lost business opportunities. And when a breach occurred, brand reputation was one of the top areas of the organization to be affected, right behind operations and finance.

These unsettling findings are from the Cisco 2017 Security Capabilities Benchmark Study, featured in Cisco’s latest cybersecurity report. Combine these data points with all the news about recent hacks and breaches involving major retailers, restaurants, hotels, and other consumer products and services companies, and it becomes crystal clear why industry executives are extremely concerned about cyber threats.

In the latest Executive Perspectives on Top Risks Survey from Protiviti and North Carolina State University’s ERM Initiative, which I referenced in my recent post, respondents from consumer products and services businesses also cited the following risk among the top five for their industry group in 2017:

Our organization may not be sufficiently prepared to manage cyber threats that have the potential to significantly disrupt core operations and/or damage our brand.

The research also shows that the risk score for this concern increased significantly from the 2016 survey.

Consumer respect and trust are at stake

For consumer products and services companies that spend millions of dollars annually to cultivate and promote their brand image, a hack or a data breach can be devastating to their reputation — and their bottom line. These events can lead not only to long-term brand damage, but also the loss of the public’s respect and trust. This is especially true if customer data is compromised or stolen, leaving people at risk for financial loss and identity theft. Even if a company can recover quickly from such an event and make things right with its customers, its image will likely remain tarnished for some time to come.

Unfortunately, cyber threats (and privacy concerns) will become only more severe as businesses and consumers increase their reliance on technology in all aspects of their lives; digital commerce and mobile payments continue to grow; and the emerging Internet of Things (IoT) expands. Over time, consumer products and services companies will need to significantly increase the data they collect to provide highly customized products, services and experiences to their customers.

These trends underscore why consumer products and services businesses must make improving cybersecurity and building cyber resiliency even higher priorities — starting now.

Developing a world-class response to a high-profile crisis

Most executives today understand that a cyberattack is not a matter of if, but when, for their organization. Taking steps to prevent hacks or breaches should always be a high priority for any business, of course. But what is even more important is creating a well-thought out and tested action plan that will allow the company to respond swiftly to a cyber incident, mitigate the impact of that event on the business and its customers, and protect the brand.

A recent issue of Protiviti’s Board Perspectives: Risk Oversight offers some insight that can help consumer products and services companies better protect their brand reputation in an increasingly treacherous cyber threat landscape. One of the “10 essential keys” to risk management outlined in the document — developing a “world-class response to a high-profile crisis” — is particularly relevant to the cyber threat discussion.

Creating a world-class response requires that the board of directors and executives ensure, long before a crisis hits, that:

  • The risk assessment process has been designed to identify areas where preparedness is needed.
  • A crisis management team is in place and prepared to address a specific sudden crisis scenario; otherwise, a rapid response will be virtually impossible.
  • Response teams are supported with robust communications plans that emphasize the importance of transparency, straight talk and effective use of social media.
  • Response teams update and test their rapid response plans periodically.

These actions can strengthen organizational resiliency. When developed with cyber threats specifically in mind, they help to build cyber resiliency. Preparing to reduce the impact and proliferation of a cyber event is paramount for any modern business. For consumer products and services companies, it can make all the difference in maintaining their customers’ trust, preserving the long-term health of their brands, and being able to confidently face the future.

Customer Loyalty Through Better Security — and How to Achieve It

By Rick Childs, Managing Director
Consumer Products and Services Industry Leader

Customer loyalty programs are among the basic building blocks of successful consumer products and services companies today. These programs are not only competitive differentiators, but also key drivers of revenue and profits for retailers, restaurants, hotels, airlines and many other businesses. The success of loyalty programs, however, hinges on more than inspiring customers to opt in and offering them rewards that they find compelling. Consumer trust is also essential.

Consumers want to be assured that the companies they interact with through various touch points — online, offline and through mobile applications — are doing everything possible to protect their personal data and privacy. Even millennial consumers, who are generally more willing than customers in other demographic groups to share personal information with businesses in exchange for rewards, have high expectations that companies will keep their data secure and respect their privacy. And if the companies don’t, they are quick to hold them accountable.

Privacy concerns are weighing on the minds of executives in the consumer products and services industry this year, according to a survey, Executive Perspectives on Top Risks for 2017, from Protiviti and North Carolina State University’s ERM Initiative. Representatives of this industry group who took the survey ranked the following concern third among the top five risks: Ensuring privacy/identity management and information security/system protection may require significant resources for us.

Digitalization, the IoT and cyberthreats add to the challenge

Like most things related to information security in a digital world, privacy, customer identity management and information security are all easier said than done. In fact, they are becoming only more challenging for consumer products and services companies as these businesses:

  • Introduce more mobile and digital offerings to their customers
  • Collect, store and analyze more and more customer data from applications and devices
  • Develop and use applications and devices designed for the rapidly emerging and highly interconnected Internet of Things (IoT)
  • Embrace digitalization and migrate “analog” approaches to customers, products, services and operating models to an “always-on,” real-time and information-rich marketplace

It is hardly surprising then that consumer products and services businesses face a constant barrage of sophisticated and stealthy cyberthreats designed to target customer and payment information.

Recent high-profile data breaches and targeted hacks involving major retailers, fast food chains and hotels are just the latest headache-causing wrinkle as consumer products and services companies are scrambling to evaluate their ability to protect customer and payment information. (Executives no doubt had these incidents on their minds when responding to the latest risk survey: they also ranked cyberthreats among the top five risks for their industry in 2017.)

Drive results through strategy and collaboration

Certainly, there is no getting around the need for consumer products and services companies to devote more resources toward ensuring privacy, addressing identity management issues, and protecting information and systems. This is an imperative for any business that handles customer and financial data in a digital world. But organizations also must be very strategic when aligning and deploying these resources if they want to see results.

Developing the right strategy requires effective collaboration between the business and IT. If they are not doing so already, business executives in consumer products and services organizations should resolve to reach out to their counterparts in IT sooner rather than later.

Another party to include in discussions about privacy risk and cyberthreats this year: internal audit. We are seeing more organizations increasing business, IT and internal audit collaboration not only to address known risks, but also to help the business prepare for new challenges related to digitalization and the IoT. As Protiviti’s white paper, The Internet of Things: What Is It and Why Should Internal Audit Care?, explains, “Businesses developing and using applications and devices within the IoT must be aware of how the data they are collecting, analyzing and sharing impacts user privacy.”

Engaging business, IT and internal audit leaders to share their perspectives on these risks will help consumer products and services companies to ensure they are doing everything necessary to protect their customers’ privacy and information in a digital and hyperconnected world. It will also give them more confidence to interact with consumers through more channels, and to innovate programs and other offerings that will earn — and keep — their business.

Cybercrime, Brand Damage Among Top Risks for Technology, Media and Communications Companies, Executives Say

By Gordon Tucker, Protiviti Managing Director
Technology, Media and Communications Industry Leader

If improving brand protection isn’t a top-line agenda item in the cybersecurity discussions happening at the highest levels in your organization, it needs to be. In today’s era of lightning-quick social media sharing, brand protection has become even more important — and far more challenging — for technology, media and communications (TMC) companies. Two factors play a role:

  • Expanding use of social media and mobile applications by customers and employees: It is all too easy for outsiders to acquire and misrepresent personal and proprietary information.
  • The relentless tide of cyberthreats: The Identity Theft Resource Center (ITRC) reports that the number of U.S. data breaches reached an all-time high in 2016. Several leading TMC companies were among the businesses hit with high-profile, far-reaching, costly and reputation-damaging breaches last year.

In the face of these realities, including growing public disclosures of data leaks and breaches, many TMC companies are beginning to re-evaluate how they interact with other organizations and how they safeguard against breaches. Most C-level executives in this industry group also now realize that they themselves could be targets for hackers and other malicious actors seeking to gain access to personal records and other sensitive data.

There is no doubt that TMC executives, in general, are thinking a lot more about brand protection these days. In the latest Executive Perspectives on Top Risks Survey from Protiviti and North Carolina State University’s ERM Initiative, TMC executives ranked the following risks among the top five for their industry group in 2017:

  • Social media, mobile applications and other internet-based applications may significantly impact our brand, customer relationships, regulatory compliance processes and/or how we do business, and
  • Our organization may not be sufficiently prepared to manage cyberthreats that have the potential to significantly disrupt core operations and/or damage our brand.

On the cyber-risk front, it is important for TMC companies to recognize that the customer and financial data they handle are not the only targets for hackers. An organization’s intellectual property (IP) can be even more valuable to some threat actors, including nation states. The loss or theft of IP not only could undermine a company’s ability to compete but damage its brand and reputation in unanticipated ways.

Without question, loss or theft of any type of high-value data can have lasting, negative effects on an organization from both operational and brand perspectives. Everything negative that happens to a company and becomes public can damage its brand – and cyber breaches and loss of IP are some of the fastest ways for this damage to occur. Given these considerations, management and the board must work together to manage the brand and make brand protection one of the company’s top priorities.

To engage in effective dialogue on this topic, a recent issue of Protiviti’s Board Perspectives: Risk Oversight offers some guidance: Executives should take the lead in deciding what type of interaction they would like from the board and define how they want to involve the board in the brand protection process. And if the executives haven’t done this yet, then the board should waste no time in asking for their input.

“Stay Nimble”: The Mantra for Manufacturing and Distribution Companies in 2017

By Sharon Lindstrom, Managing Director
Manufacturing and Distribution Industry Leader

For manufacturing and distribution (M&D) companies, which are already well-conditioned to operating in an uncertain global environment, 2017 promises to continue to keep them on their toes. At the very least, it is likely to present a mixed bag of new challenges and opportunities, and executives will need to ensure that their organizations are nimble enough to pivot quickly when faced with disruptive change.

Among the challenges that M&D companies may face this year are the potential negative impacts on trade stemming from the “hard Brexit” course that British Prime Minister Theresa May has set for the United Kingdom. Meanwhile, the new Trump administration’s approach to trade is already proving to be a source of consternation for longtime trade partners like China, Canada and Mexico. President Trump has already pulled the United States out of the Trans-Pacific Partnership (TPP) negotiations and is expected to sign an executive order to renegotiate the North American Free Trade Agreement (NAFTA). With the volume of cross-border imports and exports, the impact on M&D companies could be significant.

On the other hand, possible opportunities for M&D companies include easing and/or elimination of certain environmental regulations in the United States. President Trump told auto industry leaders at a recent roundtable that in the U.S. “environmental regulations are out of control.” Less than a week later, he signed an executive order to reduce regulation and control regulatory costs. The order requires that agencies eliminate two regulations for every one they propose. The Environmental Protection Agency is, of course, one of those agencies.

Also among the flurry of executive orders newly inked by Trump is the “Presidential Memorandum Streamlining Permitting and Reducing Regulatory Burdens for Domestic Manufacturing,” which “directs executive departments and agencies … to support the expansion of manufacturing in the United States through expedited reviews of and approvals for proposals to construct or expand manufacturing facilities and through reductions in regulatory burdens affecting domestic manufacturing.” This order is welcome news to manufacturers, especially those that already believed economic conditions under the Trump administration would be favorable to support their new facility or facility expansion plans. Note, however, that this order does not cover the corporate tax reform that is expected in 2017.

In short, there has been no shortage of dramatic change already in the new year. Interestingly, executives at M&D companies sensed months ago that 2017 would likely be another year of economic uncertainty for their industry – though they may not have known the exact kind or level of uncertainty it would bring.

When Protiviti and North Carolina State University’s ERM Initiative embarked on their research for the latest Executive Perspectives on Top Risks Survey, the Brexit vote had not yet taken place, and the major parties in the U.S. presidential election had not yet nominated their candidates. Nevertheless, executives cited the following as the number one and number two top risks for their industry:

  1. Economic conditions in markets we currently serve may significantly restrict growth opportunities for our organization, and
  2. Anticipated volatility in global financial markets and currencies may create significantly challenging issues for our organization to address.

Both of these macroeconomic risks held the same top positions in the previous year’s survey. This, in my opinion, reflects the ongoing challenges that M&D companies face in a global economy. These challenges are driven not only by political uncertainty and trade agreement considerations, but also by supply chain and sourcing vulnerabilities and currency devaluations.

All this underscores why “Stay Nimble” should continue to be the mantra for M&D companies this year. The rapid-fire changes we have seen so far should not lead to paralysis and/or stagnation. The old adage, “When one door closes, another one opens” has never been more true. The events that have unfolded in the first few weeks of 2017 suggest that businesses in this industry group should be prepared to adapt and innovate swiftly to take advantage of the doors that open.