Highlighting the sheer size of the world of data that oilers are being encouraged to take part, KPMG associate director and technology risk advisor Mourad Khalil told DNV GL's breakfast on digitisation in oil and gas that, as an example, 120 new LinkedIn accounts created every 60 seconds, with 3.5 million Google search queries in that time.

 

While warning oil executives they will be "left behind" if they don't adapt to the inevitable change, there was a right way and a wrong way of doing that.

 

"If you don't bring it down to basics, you can get wrapped up in the hype of all these things," he said. 

 

"You're not technical; you don't need to understand it. All you need to do is get someone to explain the risks to your organisation and address them as required.

 

"You don't have to be 100% secure. You're never going to get there. Working out what is important to your organisation according to your risk profile - that is what's important."

 

KPMG has been heavily involved in digitisation in the energy sector, launching two phases of its Energise program, which gave technology start-ups leg-ups to work with major operators such as Woodside Petroleum, Chevron Corporation and Origin Energy among others.

 

Khalil also urged oil executives not to buy into the oft-stated myth that investing in best-of-class technical tools will make them safe, citing examples of people in companies who had spent big on products that weren't even used as people had not been trained on them.

 

While effective monitoring was important, it was just one key area, not the be-all and end-all of data security.

 

"Monitoring is key, but if you don't do anything with the data all you're doing is building up storage. You have to be doing something with it to get something out of it," he said.

 

He also warned against the fallacy of hiring an "IT guru" thinking that will solve all problems.

 

"You can hire the best IT professional in the world but it's not about an individual, it's about the culture of the organisation," Khalil said.

 

"If the board don't believe its [cyber threat] is happening then this individual, no matter you much you pay them, won't get you any traction in effecting any change in securing your environments."

 

Research in the third edition of KPMG's Technology Risk Radar report revealed that a little over half of the more than 700 surveyed IT incidents in the corporate world were security related, with the biggest percentage, 26.2%, was data being stolen or compromised intentionally.

 

The next biggest percentage, 22.8%, was infrastructure being misused or abused, with 20.7% attributed to an IT service or system not being available when required.

 

It's not always intentional, however. 

 

Mourad said confidential data was often released by someone emailing something to an external source as part of daily business without knowing how sensitive it was.

 

Yet nearly half of IT incidents in the energy and resources sector were caused primarily by specific attacks such as hacking and malware.

 

KPMG's report on IT security in the ENR sector also revealed the top risk as poor risk management alignment across the organisation and processes, followed by dependence on inflexible and under-supported legacy systems; and poor cyber security, cybercrime and unauthorised access.

 

Lack of an actual IT strategy and lack of board representation was also high on the list, as was failure to deliver programs and build in controls, reliance and security.

 

Khalil said the most important thing for ENR companies to consider was the risk of data loss and theft, particularly with respect to their most valuable assets.

 

"For oil and gas companies, this translates to engineering specifications, reserves and reservoir data, technical solutions and processes for extraction, manufacturing and distribution," he said.

 

"If you don't think about it when you're designing, it will catch you out."