BP locking down personal devices in the face of cyber warfare

Outgoing CIO Dana Deasy said the threat from cyber is "incredibly real"

Oil giant BP is currently having a "big internal debate" about how it can lock down personal computers without losing out on flexibility for employees, as a direct result of the increasing threat of cyber attacks.

Outgoing CIO Dana Deasy was speaking at Gartner's Symposium in Barcelona this week where he said that 40 percent of worldwide cyber attacks are in the energy sector and that the threat has "quietly been getting worse and worse".

"Talk about reinventing yourself in real time - you're moving from a world where you want to keep the bad guys out, to a reality of what happens if they do get in and what's the game plan?" said Deasy.

"You almost have to set your organisation to think about dealing with the art of warfare, because you are dealing in a different world with a different sort of adversary."

He explained that the threat to BP is "incredibly real" and that it comes from both organised crime networks and state-sponsored attacks. However, it is the latter of the two that is the real cause for concern.

"[State sponsored attacks] are the ones that we are most concerned about, because the nature of them is that they aren't necessarily about causing you harm today, or even tomorrow, but some day in the future. Or they don't even want you to know that they are there," said Deasy.

"You are dealing with an adversary that is incredibly well organised, incredibly sophisticated - tens of thousands of them - and you may not always understand what they are after."

Deasy insisted that although this hasn't changed BP's 'big thinking' or stifled its innovation, it has sparked an internal debate around how it can lock down personal devices and restrict what employees do on them.

"We are having no choice but to lock down and make more restrictive what people can do with the personal computer, which is kind of ironic when you think about that term when it was created - the idea that it was personal," he said.

"By locking it down you obviously take away flexibility. So it's about getting this incredibly difficult balance right between flexibility and freedom, of allowing people to do their jobs and protecting the firm. It's something we have to work with every day."

Finally, Deasy said that in his time at BP the focus on cyber and risk management has become increasingly intense, to the point where he now spends up to 20 percent of his working week assessing the potential outcome of a serious crisis.

"If you had asked me six years ago about the time I would have spent worrying about risk and crisis management - I would have said it was the annual desktop exercises, the quarterly risk reviews, and maybe a little challenge with your team," he said.

"Today risk is becoming a greater part of your weekly agenda, I would say today I probably spend 20 percent of my time dealing in some form of risk - either in government discussions, board discussions, senior executive discussions, or team discussions, just working through what crisis management would look like, what would disaster recovery look like, and how the world of that unknown would play out."

Deasy recently announced his departure from BP and is set to join JP Morgan as CIO. He is to be replaced by Mike Gibbs, who is currently CIO and VP of BP's refining and marketing business.

Tags: BP, Gartner, security, CIO

Security Awareness Tip

Incident handling is a vast topic, but here are a few tips for you to consider in your incident response. I hope you never have to use them, but the odds are at some point you will and I hope being ready saves you pain (or your job!).


  1. Have an incident response plan.

  2. Pre-define your incident response team.

  3. Define your approach: watch and learn or contain and recover.

  4. Pre-distribute call cards.

  5. Forensic and incident response data capture.

  6. Get your users on-side.

  7. Know how to report crimes and engage law enforcement. 

  8. Practice makes perfect.


Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved poring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.