OHS Professionals Urged to Step Up on Cybersecurity

The Safety Institute of Australia is warning that cybersecurity breaches have the potential to harm an organisation in a number of ways, and is urging OHS professionals to make sure they understand their role in preventing potential breaches.

Cybersecurity leader Ajoy Ghosh, who is also co-author of Standard Australia’s Information Security Risk Management Guidelines, said there were a number of potential cybersecurity incidents that would have implications for OHS professionals. These include:

• A software “glitch” causing an accident of an automated or autonomous system, such as a car or heavy machinery
• Hacking into a control system and causing a machine to have an accident or do something dangerous, such as overheating and catching on fire, or
• Cyberbullying and harassment in the workplace or of workers

Mr. Ghosh said that while they typically receive little media attention, Australia has previously experienced a number of cybersecurity breaches that have directly impacted workplace safety.

“One that did was Vitek Boden who in 2000 hacked into his former employer’s network causing raw sewage to spill and contaminate a large area, including the grounds of the Marriott Hotel.”

“Other not so well publicised examples include, in 2003, accidental changes to the software of a food manufacturer caused excessive iron to be added to a breakfast cereal.”

Mr. Ghosh also cited other examples, including a former IT worker who hacked into a mine site network in 2014 to copy some code and accidentally caused a drilling rig to suddenly turn, just missing a worker. And in 2016, a computer virus caused the building management system of a shopping centre to shut down, trapping an elderly person in a lift where they suffered a heart attack.

Cybersecurity has become increasingly important for companies and Boards, with cyber attacks featuring in the World Economic Forum’s Global Risk Report as both likely, and high impact.

In Australia, new mandatory breach notification legislation is now in effect, meaning entities are now required to report cyber breaches that could cause serious harm. This term encompasses harm that may be physical, psychological, emotional, financial, or reputational.

Mr. Ghosh said that mandatory reporting will now mean serious cybersecurity incidents and accidents will become well known and publicised in the media, and that boards and executives need to educate themselves about cybersecurity and maintain oversight of safety-critical systems.

“They can no longer rely on the ‘IT guy’ or the ‘engineer’ to fulfill their corporate obligation. Boards and executives are increasingly expecting that the harm caused by a cybersecurity event is also risk managed by OHS leaders who are responsible for risk managing harm across their organisation”.

“For many, is more than an expectation, it’s a requirement.”