Cyber security for small miners: 3 tips for boosting software security
The recent Optus data breach has put cyber security on every business owner and manager’s radar.
If you’re a Drilling or Exploration Manager, you might have been asked to conduct a risk assessment on your business's cyber security, or you might be proactively looking for solutions to help protect your data from a cyber attack.
If, like many of our customers, you work for a small or junior-sized company, you might not have the budget to get professional help to do this.
This is why I’ve written this series of blogs: to share with you some easy and free cyber security pointers that I’ve picked up over the years between my time as a fieldie, cyber security student and now helping mining companies at CorePlan with their digital transformations every day.
In previous articles, I shared four easy and free ways you can maximise the inbuilt security settings on your devices, and the number one piece of software every mining company needs as the foundation for any cyber security program.
If you read those articles or are in the midst of a risk assessment, you might now be wondering - what about our software subscriptions? Is there anything we can do to strengthen our account security in addition to having a strong password?
Today I’ll share three tips worth considering when tightening up your software security settings.
Before we get into the tips, if you haven’t already, I’d strongly recommend that you do the following:
- sign up for a password management system
- invite all of your staff to the platform
- encrypt your hard drive or the local files related to your password manager
- update your passwords with new secure passwords generated using your password manager.
(See my instructions on how to set up encryption if you haven’t done this yet.)
Your passwords are your software stack’s first line of defence against cyber criminals, regardless of what settings you're able to turn on or off. So if you haven’t already - get yourself a password manager, stat!
Now, let’s dive into the tips.
1: Assign user and permission-based roles
Modern business software packages usually have the option to assign users under your organisation’s account to different levels of security clearance or access permissions.
These are called User roles or permission-based roles.
User roles can help ensure that sensitive information, like costs or your employees' personal information, can only be accessed by those who need it to do their jobs. For example, a Manager user role will be able to see all areas of a system, whereas a Driller or Geologist user role may only have access to daily drill report details.
Permission-based roles can help to enforce approval processes by only allowing a certain level of user to sign off on work or overwrite data (eg approving or editing plods).
As a general rule, a user's level of access should match the level of responsibility they have in the business.
User role and permission settings offer additional protection in the case of staff turnover, disgruntled employees or individual user account hacks, as only the master account has access to everything (and you can rest easy knowing that the master account is secure because you set it up with your password manager!). Plus, it removes unnecessary distractions by removing visual clutter that's not relevant to specific job functions.
2: Turn on authentication or use SSO
If it’s an option, I’d always recommend turning on multi-factor authentication or two-factor authentication (2FA).
Multi-factor authentication adds an additional layer of login security. There are three types of authentication factor:
- knowledge (eg a password or security question)
- possession (eg a security key, text message code or Google authentication code), and
- inherence (eg Touch ID or voice ID).
These are otherwise known as “something you know”, “something you have” and “something you are”.
2FA requires two types of authentication at login, and multi-factor requires two or more types.
What’s great about these options is that even if your password were stolen, a cyber criminal would also need to steal or hack your device or know further personal information about you to gain access to your account.
Single sign-on (SSO) is another login option that offers enhanced security benefits and hazard control by removing the need to create and manage additional account credentials. With SSO, you can use existing credentials like your Microsoft or Google details to log into a range of different software with a single click. This reduces the likelihood of staff reusing passwords and saves time logging in to different systems throughout the day.
If you’ve worked at an enterprise-level company before, you may have used SSO quite frequently across a range of software. Right now, for the smaller guys, it’s prohibitively expensive. However, you can access the benefits free of charge on a growing list of online Software as a Service (SaaS) products that connect to Google or Microsoft, so expect to see this a lot more often in the future.
A quick note: don’t use your social network credentials for work-related software. It’s best practice to keep these separate.
3: Keep your software stack manageable
Your software stack is the set of digital tools you use to run your business. Think Xero, Microsoft Office, Leapfrog, Micromine, AcQuire, Seequent etc.
These are powerful business tools, but like all good things, using software falls on a bell curve. There’s a point where it’s possible to have too much of a good thing, and it gets complicated to keep a handle on who needs to do what, by when and in which system.
There are a few things to consider in building a software stack.
Firstly, from a cyber security point of view, having loads of software tools increases the number of potential access points to your company data. Being diligent with using your password manager will provide some protection, but from a mining risk control perspective, higher-level controls (elimination, substitution) are preferable to lower-level controls (administrative controls).
I recommend looking at software that will help you to streamline and consolidate as many aspects of your workflow as possible into one program. This way, it’s easier for your team to stay on the same page and reduce the number of entry points cyber criminals can exploit to access your data.
Secondly, the more complex the software workflow and the higher the password burden, the more likely people won’t follow through with using it correctly. This can impact cyber security but also the integrity of the data if staff start cutting corners in order to keep up with the workload. Plus, it’s an additional frustration to their day that detracts from more important tasks like drilling or interpreting the data.
Depending on what’s offered by the products in your software stack, I’d recommend turning on the following settings:
- Assign user or permission-based roles so each staff member only has access to the information they need for their responsibilities
- Turn on 2FA or multi-factor authentication (if it’s offered)
- Use SSO if it’s available
but most importantly: use a password manager.
To finish, less is more when it comes to software. I recommend a minimalistic approach to make it easier to manage security and keep track of your business's online footprint.
Look for products that will help you centralise and consolidate tasks into one system rather than spreading tasks from the same workflow across multiple logins. The bonus of doing this? It’ll be easier and faster for your team to achieve the same outcome, leaving more time for drilling and discovery!
If you're looking at new software for your small mining business, we've created a series of software buyer's guides for Drilling and Exploration Managers. Each guide includes a dedicated section with examples of questions to ask your software provider about their security options. Use them at your next software demo so you can make an informed decision about how your data is handled.
CorePlan is a cloud-based operations platform that helps people in mining work better together.
Exploration teams at Mining Companies (and Exploration companies) use CorePlan's Exploration Hub to plan, run and manage their drill programs.
Drilling Contractors use CorePlan's Drilling Hub to capture data from the field, share the data with their clients (which happen to be exploration companies and mining companies) and then invoice them.
Because CorePlan is a modern SaaS platform, you can easily subscribe and get started in a matter of days.