James Morton and Paul Mills, AIG.
Protecting people against these threats has long been a priority for energy companies. But the risk landscape is evolving; employees are now facing new 21st-century vulnerabilities as well as the evolution of more traditional risks. Companies need to adapt their people protection measures appropriately.
Cyber security is increasingly coming under the spotlight and rightly so. In one of several recent incidents, a cyber attack in December targeted 400 servers located in the Middle East and Europe belonging to Italian oil-services company Saipem SpA, with investigations ongoing into where the attack originated or who was behind it. The issue is rightly moving up the boardroom agenda. According to Bloomberg, Michael Lewis, CEO of E.ON UK, articulated the feelings of many of his peers when he said that protecting itself and its customers across Europe is now a major issue for the company and that "an attack could be enough to destroy a business if it's not handled properly". Indeed, with most countries classifying energy assets as critical infrastructure, their cyber safety should now be seen as being as important as their physical security.
We know from our claims experience that in terms of cyber security failures, the two main risks to businesses have a significant people element. First, lack of user awareness can permit hacking by phishing for passwords. The user engages with the content of a phishing email and is directed to a fake login page where credentials are harvested, opening the victim's account to hackers. Users should ask themselves “do I trust this email?” and be aware that any request for login details is a red flag for phishing. And second, external servers with remote access combined with weak passwords offer an opportunity for the introduction of malware and ransomware. Remote access should be carefully controlled.
This is not straightforward given that people are increasingly expected to be online even when they're travelling and can face risks in seemingly safe locations. If they log on to an unknown Wi-Fi network, for example in an airport, hotel or restaurant, how can they be sure that the connection is safe and they are not potentially opening up the company systems to attack?
Despite the very real and rising threat of cyber terrorism, traditional risks still pose a considerable threat to energy companies. The oil and gas industry is the commercial sector most targeted by terrorism worldwide, according to Aon. The infamous attack in 2013 on a gas plant in Algeria that resulted in 40 deaths following a four-day hostage crisis is perhaps the most notorious example.
But this is an ongoing threat. In February 2019 US energy company Anadarko Petroleum reported one worker was killed and several others injured in two related attacks near the construction site for its massive liquefied natural gas project in northern Mozambique. The same month France’s oil and gas major Total withdrew all its personnel from Venezuela as the political risk situation deteriorated.
Yet while terrorist attacks on facilities in far-flung places remain an ever-present threat, the changing nature of terrorism is something of which all oil and gas companies need to be aware. Lone-actor attacks, such as those in Strasbourg in 2018, London and Manchester in 2017 and Paris in 2015 (to name but a few) have become the most frequent type of terrorist activity in the Western world, responsible for 70% of all deaths from terrorism in the West since 2006, according to the Institute for Economics and Peace. This shift towards localised civilian attacks means many companies need to re-evaluate the effectiveness of their risk management programmes.
Situational awareness training for corporate security and other personnel can help staff to recognise potential risks and vulnerabilities at an early enough stage to allow countermeasures to be taken to avoid them. Everyone in an organisation needs to be part of the overall security awareness programme, not just security professionals.
But new technology, in the shape of mobile apps and GPS tracking, is an important tool for risk managers. Employees can receive information direct to their smartphone to help them prepare for their travel and the locations they will be visiting. Some apps can monitor the user’s precise location so that if an event were to occur – be it violence, natural catastrophe or a straightforward accident – the employer is able to look online and see which of their business travellers may be impacted by that particular event so that reasonable steps can be taken to safeguard and repatriate them. Other features allow travellers to push out confirmation that they are safe along with their location to their selected contacts.
And for employees who need emergency assistance, a single touch of a button can connect them with a 24/7 service centre that has medical, travel and security specialists on hand to provide support there and then.
Of course, mobile applications need a signal and a charged battery to operate. In circumstances where neither of these is available, pre-emptive training and preparation should come into their own. In an increasingly complex risk environment, energy companies need to draw on all the resources at their disposal to prepare and protect their people and their business.
This article first appeared in Insurance Day.