Upholding the Principle of Cyber-Awareness
By Gabor L. Varjas, Group Chief Information Security Officer, MOL Group
MOL Group is an integrated, international oil and gas company, headquartered in Budapest, Hungary.
It is active in over 30 countries with a dynamic international workforce of 25,000 people and a track record of more than 100 years in the industry. MOL Group has operations from exploration and production through refining to wholesale and retail, as well as mobility, and the potential cyber security threat applies equally, from office IT systems through to industrial cyber security.
MOL Group follows the most efficient way of managing cyber security threats, which is the risk-based approach and security by design: instead of looking at defending against the most sophisticated cyberattacks, start with simple cyber hygiene. We are also building an internal threat intelligence cooperation network among MOL Group members. Group Information Security has a Cyber Risk and Compliance team to conduct cyber risk assessments and maintain a risk register. Based on the risk assessment, our Architecture, Design and Assurance team provides preventive measures. The identification of malicious code or a malicious actor, and the protection of systems, rely on the cyber security infrastructure deployed by our company.
However, a risk-based approach means we don't want to spend more than we really need, and there are certain areas where we build reasonable security measures. It also means we need to handle residual risk and manage the cyber security incidents which inevitably happen, so we have established a Cyber Defense Center with highly trained security experts who focus on cyber security incident detection and response. Based on what we have learned from the management of previous cyber security incidents, we take action to avoid the same type of incident occurring again. We also constantly adapt and fine-tune our internal controls to strengthen the defense lines that protect our internal businesses.
As everyone knows, cyber-attacks can originate from various sources. Increasingly sophisticated malicious emails are a constant and growing threat, with email content now cleverly disguised to resemble a conventional email. Although there are more and more tools, such as mail gateways and anti-virus, to detect malicious emails, we can still say that machine intelligence is currently not as effective as human intelligence. To expand our cyber visibility, we are involving all MOL Group users in malicious email detection, and we have developed an Outlook add-in called the ‘Suspicious email’ button. This add-in is deployed to all computers, and when users suspect a malicious email they click on the button. The suspicious email is forwarded to the Cyber Defense Center, where the content, including all links and attachments, is carefully analyzed. We receive hundreds of suspicious emails every week; most are spam and phishing, but we also find multiple malware-related emails.
There has been a lot of talk concerning ransomware recently, and these threats represent a real danger to companies. Of course, ransomware can enter the network via email, or via network traffic when a user visits a malicious or compromised website, but also from ostensibly innocent devices such as USB memory sticks and external hard drives. It can pose an even higher risk in ICS environments unless these devices are physically prevented from being connected to the system, thereby reducing the risk.
We invest significant effort in improving our users' cyber security awareness. Generating awareness of the danger that cyber threats represent is a cornerstone of our cyber security policy. The importance of training cannot be overemphasized. This begins from the moment a new employee joins MOL Group. Each new colleague, as part of their induction, is educated about cyber security risks and the importance of cyber compliance. This training continues, as we regularly hold a Cyber Security Awareness Week and other special one-day cyber security events such as Security Santa. During this time there are additional training sessions, seminars and quizzes that help our employees increase their awareness of potential cyber security threats both at work and at home. Employees can attend these sessions and seminars in person or online.
Group InfoSec encourages ways of working in line with what H. S. Truman famously said: “It is amazing what you can accomplish if you do not care who gets the credit.”