HOUSTON — Jones Walker LLP has released the findings of its 2020 Midstream Oil and Gas Cybersecurity Survey, examining cybersecurity preparedness in independent North America-based midstream oil and gas companies.
The results reflect the responses of 125 key executives, security and compliance officers, and general counsel, and confirm that cybersecurity remains a top concern for the midstream sector of the oil and gas industry — especially as companies grapple with the worldwide economic downturn, the reduction in commodity prices, and the increased dependence on remote work and autonomous systems due to the global COVID-19 pandemic.
“Similar to the 2018 survey, the Midstream Oil and Gas Cybersecurity Survey found that smaller companies are particularly vulnerable to cyber attacks,” said Lee. “These businesses typically do not have appropriate breach response plans, and hackers are looking to take advantage of their weaknesses.”
This survey is Jones Walker’s second on the topic of cybersecurity. The first was in 2018 and focused on maritime, another critical infrastructure industry. Jones Walker attorneys Andy Lee, Krystal Scott, and Ewaen Woghiren authored a report outlining the survey’s key findings:
- Avoid overconfidence. Although the majority of respondents believe that both the midstream sector and their own companies are prepared for a cyber attack, more than one in 10 suffered a successful breach.
- Know your enemies. To address cyber vulnerabilities effectively, companies must understand who and what they face. The survey respondents pointed to organized criminal groups as the top threat actors and to their own employees’ negligence as a source of major concern.
- Plan and practice for success. Survey results indicate that cybersecurity plans are not up to the task because they are either outdated or not practiced. Across all companies in the survey, 40% reported an attempted or successful data breach in the past year, but only 7% updated their written security policy during the same period.
- Match resources to the threat. Existing cybersecurity measures at midstream companies are varied and often do not correlate directly to their identified vulnerabilities. Companies indicated an increased focus on cybersecurity, yet only 38% of respondents will increase their cybersecurity budget this year. Further, despite increased vulnerability to cyber attacks during the COVID-19 pandemic, when more employees work remotely and often utilize a mix of personal and company-issued technology, 74% still do not have cyber insurance or cyber-breach insurance coverage.
- Partnering is sound strategy. Many companies work in isolation and do not take advantage of opportunities and cost efficiencies offered through industry collaboration and public-private partnerships.
“Despite the fact that there have been successful cyber attacks in the past year and that employees are considered a top threat, midstream companies still lack sufficient employee cybersecurity training — only 37% of respondents conduct annual trainings,” said Scott. “While employees pose a heightened risk to cybersecurity today due to increased remote-work conditions in response to COVID-19, a majority of midstream companies are not increasing cybersecurity budgets in the coming year. This may prove detrimental to the sector’s ability to thwart cyber attacks.”