Data Security: Staying a Step Ahead

Monday, July 13, 2020

Original article by  featured in the July 2020 issue of Permian Basin Oil and Gas Magazine, seen hereContributor Paul Wiseman

Any conversation with a corporate IT or cybersecurity person very quickly includes the phrase “It’s not if, but when and how bad” when the topic is the likelihood of being hacked. Employing good security measures in hardware, software, and the most important factor—people—does provide great protection. But, like Luke Skywalker slipping a bomb into a vent in the Death Star, hackers continually search for the tiniest vulnerabilities.

Adding to the challenges of both security and system capacity was the sudden switch to remote officing in March of this year. Basically, IT people were told on a Friday that, “On Monday, everyone will be officing remotely. Please prepare all systems for that. Have a nice weekend.”

There are three basic security concepts, said Jon H. Peterson, Seeq Corporation’s senior vice president of customers and planning. A software-as-a-service company, Seeq is loosely based in Washington State, but most of its staff work from home in various locations. It has a number of oil and gas clients. Peterson has extensive experience at data security as part of his job, even though it is not directly in his job title. The concepts he lists are: confidentiality, integrity, and availability.

Companies can achieve those by using authentication, authorization, and encryption.

Sharing of logins is never a good idea, he said, addressing the first two issues, because even between two people who both are allowed into a system there can be different levels of authority. One person may be at a “read-only” level while another may have “read and write” or something similar.

Peterson and others polled in this story all declared that training and communicating with humans is still by far the most important requirement in safety, especially as staff scatters to homes, lake houses, and coffee shops.

“Corporate LANs [local area networks] have a very protected perimeter, which is pretty open once you’re inside it,” he said. “So if I’m inside my LAN and I click on one of those phishing emails, [employees have the idea that] there’s not nearly the vulnerability to one of those coming from the outside because you’ve got this protective shell around you.” In truth, however, opening a phishing email can expose the entire LAN to being hacked.

But for working from home, there are two main options: the company can create a VPN (virtual private network) to extend the LAN to every worker. This has the advantage of allowing workers to access the full range of company data, while it also extends vulnerability to phishing.

The other option is to allow employees to access just the areas they need through the company’s cloud data portal. “In that situation, if I click on that phishing thing, I’m not going to damage the LAN—I might screw up my own computer—but the damage is really isolated” to just the home computer.

Because Seeq’s workforce operates almost entirely on a remote basis, Peterson and colleagues understand the need for caution online. “You end up being very resilient and very robust.” Many would recoil at the idea of having their data available online but, he noted, “In the software-as-a-service world, that’s kind of the way it is.” They work hard to make sure the software they themselves use is robust on its security features.

Using a third-party identity provider, one that specializes in identity security, provides one level of safety. The next level is multi-factor authentication, where a code is sent to a cell phone or email as part of the login process.

“You just increased security there because your users aren’t dealing with a dozen passwords any more,” he pointed out.

Limiting internal human error involves creating data security procedures and protocols, then training and reminding the humans of what they are. As part of that, hiring a company to do a comprehensive external audit of data safety is vital, said Peterson, something Seeq does on a scheduled basis.

The post-lockdown workforce is indeed a security issue, said Danos’s Information Technology Manager, Sonny Orgeron. Involved with data security for 30 years, Orgeron has been with Danos for 22 years.

“The rush of people to work from home, to work remotely, to work disparately, is actually putting pressure on the security pipes. So wherever you have a weak wall in the pipe, something’s going to burst through,” he said.

He considers a VPN to be, to technology what a car is to the highway. “Not all cars are made equally, and VPNs are not made equally. Some old cars are older than others and some VPN technology is older than others.”

It is important to keep investing in technology to stay ahead of the curve. Otherwise there could be vulnerabilities due to obsolete technology.

He agreed with Peterson that online safety is up to every employee. “We all do our part for [physical] safety in the oil and gas industry,” he said, “it’s not just the safety department. So why would it be just the IT department for [data] security? It’s not.”

In the 1990s, Orgeron recalled, data security only needed to be location-based. All servers and computers were in one office, and employees had limited need or availability of anything online. As long as antivirus software was installed on all computers, there was relative safety.

“Now, everybody has access—it’s almost like that’s part of being hired, you have to be able to work remotely 24/7.” So companies that have what he called “a BYOD [Bring Your Own Device] policy,” allowing everyone to use their own devices to access the network, should have clear and enforced security requirements for those devices.

That involves more than just having antivirus software—the user must install the virus file updates every time they’re available.

“It’s a layered approach, when you think about security,” he noted, adding that it’s like staying warm in the winter by layering clothing instead of relying on one huge coat for comfort. That’s vital in data security because, he said, “Not every technology’s going to catch every malicious actor.”

That layered approach must also be top-of-mind for every employee, to keep them from opening malicious emails. “Technology alone won’t resolve it,” Orgeron added. “Are you doing something to train [employees] or is it a once-a-year thing?

“Communication is the key in security. It’s the key in remote working. It’s the training—training is a big one. You can’t train without communication.”

That applies not only within a company, but among data security professionals. He stressed that the pros need to get early warning of rising trends in order to be proactive.

Using reputable “ethical hackers” to test systems is also revealing. Employees who open dummy hacking emails—an ironic phrase if there ever was one—show themselves to need some extra training before they cause a real incident, Orgeron said.

It is true that phishers get more sophisticated every day, making their emails ever harder to distinguish from the real thing—another reason for continued updates for every employee.

There are two particularly scary aspects here. One is that, Orgeron noted, there are classes and software tailored to both white-hat hackers—those who are performing a service—and black-hat hackers. Second is the number of what one might call “recreational hackers” who hack for the same reason Sir Edmund Hillary climbed Mt. Everest—“Because it was there.” Orgeron said the recreational hackers trade huge packages of personal data among themselves much like kids used to swap baseball cards—until that data finally ends up in the hands of someone who actually might use it for monetary theft, identity theft, ransomware, or any of a dozen other malicious purposes.

Now There’s Insurance for That

There’s insurance against the damage done by a data breach? Yes, says James Hou, JD, who is insurance and risk consultant for the Moody Insurance Agency of Denver, for whom data breach policies to oil companies and others is among its available insurance products. Hou is located in Houston.

For those who understand that even the best security can fail at times, Hou said, “There’s insurance for that.”

But as recently as 2014, he recalled, not even the largest companies had such insurance on their radar. The few companies that offered it had very low premiums, designed to try to interest companies in covering those kinds of losses, but few bought into the idea.

Even many companies who sold remote monitoring technology seemed clueless about security, beyond being aware that satellite or other technology carried the signal between the field and the office. IT professionals uniquely were focused on this issue then.

In those days companies were reluctant to pay for insurance out of a finite technology budget. They would tell Hou, “'I’ve got a million dollars budgeted for the year for cyber-things, and if I pay you $10,000, I’m taking $10,000 away from my IT team, so I’m not going to upset them by cutting their budget to feed you, so thanks, but no thanks.’”

Since then, large companies, including Sony, Target and others, including Equifax, had widely publicized data breaches and companies began to see their vulnerability and liabilities with data security.

As large insurers began offering the policies, between 2016 and 2018 the premiums were low, Hou said, because it was a new field and the insurers wanted to do two things—use the low data breach premiums to attract customers to other policy offerings and to allow the insurance company to research the field.

“Since 2018 that has changed,” said Hou, citing the fact that the premiums did not cover the claims. Insurers decided that getting data was no longer cost effective in light of large payouts. So premiums went up, but so did coverage. Previous payouts had often been no more than $50 million, which Hou said would not cover a breached firm’s losses in time, damage payouts, and other expenses.

The cost for some breaches can exceed $300 million. This can include internal time spent recovering crashed systems or, in the case of credit card numbers being hacked, the victim may have to pay the credit card company to reissue cards to all affected customers. The layers involved in such a hack can be deep.

Also since 2018, Hou said, insurers are requiring clients to verify their data protection programs before offering a policy. Some will send their own security specialist over to a prospective client to determine insurability. “That’s been a rapid development in the last year-and-a-half to two years.”

Eternal vigilance may well be the price of freedom, but it is also the price of doing business online.

Paul Wiseman is a freelance writer in the oil and gas sector.