Risk management key to cyber strategy, says BP
Cyber attacks constitute a group-level risk that is managed as part of BP’s standard set of risk management processes, according to Bob Dudley, group chief executive of BP.
“We recognise cyber threats as a major risk and the need to have a system to manage that risk and minimise the impact of attacks,” he told the Global Cyber Security Innovation Summit in London.
Risk management forms part of the governance component of BP’s cyber defence strategy.
“Uncertainty is a fact of life, but we can be organised in our approach to managing risks by having a clear set of risk management processes in place,” he said.
One key process is aimed at identifying and prioritising each threat based on a risk assessment.
However, Dudley said as member of the highly-targeted energy sector, BP has a multitude of risks to manage and is constantly looking to innovations in cyber security to improve its defence capabilities.
“It is important to have a policy that sets out executive accountability and responsibilities of each member of staff, but rules are not effective without real defence capability,” he said.
BP regularly reviews its cyber risk policies as well as its cyber defence capabilities to achieve continual improvement.
Dudley said BP is constantly targeted by attackers seeking commercial business plans, seeking to disrupt operations and seeking to commit large-scale fraud.
“Thousands of pieces of malware try to get through our firewalls every day, and our employees are constantly targeted to steal their user credentials,” he said.
In an effort to educate staff to enable them to become frontline defenders, BP conducts regular awareness campaigns around issues such as keeping passwords safe and using unknown USB sticks.
“We produce regular videos to demonstrate the risks to staff,” said Dudley.
Phishing is also a significant threat, and BP conducts regular simulated phishing attempts with follow-up education sessions on identifying phishing for all those employees who click on risky links.
“We see phone phishing as an equal threat, and in the face of thousands of fake emails and calls, employees need to learn to recognise them,” said Dudley.
BP has introduced a “report phishing” button into its email application, which Dudley said indicates phishing awareness has risen from 75% to 86% across the group.
Awareness campaigns are backed up with regular cyber attack drills to ensure every employee knows what to do in the event of a cyber attack.
“Security controls are not enough – employees need to know they have a role to play and how they should respond to the worst-case scenarios,” said Dudley.
But threats to business are often threats to government and vice-versa, he said, which is why BP works closely on cyber security issues with the governments in the UK and the US.
“We welcome CERT-UK’s involvement of business and international partners, and welcome the opportunity of helping to shoulder the burden of cyber defence,” said Dudley.
“Unlike physical attacks, government many not control key assets in cyber attacks, and we are willing to do our share,” he said.
Dudley said energy sector firms could do more to help raise public awareness of cyber security issues, and that BP plans to expand its current public outreach programmes.
Energy firms could also share practical advice on how to improve cyber security with governments as well as the general public, he said.