Cyber security tips for small and Junior mining businesses [easy + free!]
If you’re a Drilling or Exploration Manager at a small or Junior mining company and looking to take your business to the next level, you might be looking at executing a digital transformation.
As the mining industry embraces tech, more and more Drilling and Exploration Managers send spreadsheets packing by digitising their operations.
But, something we’ve noticed here at CorePlan is that there is an extra layer of uncertainty for smaller companies that are just starting to go digital. They’re worried about keeping their businesses secure online, but they don’t know where to begin, and they don’t have the budget to hire an IT manager to guide them.
The good news? There is a huge scope to improve your digital security by setting aside just a few minutes to implement a few easy (and free) preventative measures.
In this blog, I’ll recommend some basic cyber security measures all small mining companies should take to protect their businesses and share some free downloadable resources to help you on your way:
- First, we’ll start by looking at your devices and four quick steps you can take to optimise their inbuilt security settings.
- Then, we'll take a deeper look at your software, including the number one piece of software that every mining business needs (and before you exit the blog, no, it’s not CorePlan!).
- Finally, we’ll finish with some bonus tips for staying safe over email and message services.
I’ll also share two free downloadable resources to guide you along your way (or you can skip to the downloads now if you’d prefer!):
- Free Device Asset Register for Small and Junior Mining Companies
- Free + Printable Cyber Security Checklist (summarises this article)
By the time you've finished reading, you'll be well on your way to securing your business' digital assets and ready to get started on your digital transformation journey!
But first, why should Drilling and Exploration Managers care about cyber security? You’re a small business - surely cyber criminals are more interested in gaining access to companies with billion-dollar profits?
The reality is, unfortunately, the opposite. Cyber criminals consider small businesses as low-hanging fruit; targets that are faster and easier to crack compared to large companies with multiple layers of security in place.
The good news: even taking a handful of small steps can help reduce your likelihood of being targeted.
So, if you’re ready to get started, let’s jump straight in!
Device level security: Laying your foundation for success
What do you think of when you think about cyber security? It might make you think about a dark room with a pimply teenage hacker typing code into a system dialogue box to steal your credit card number or track your every move over the internet.
But, the reality is that cyber security starts long before you accidentally open a suspicious file or click on a dodgy link. It starts with your device settings.
Correctly configuring your device settings is an easy and free way to protect yourself from a cyber attack from the get-go. Ideally, this should be the first thing you do when you purchase a device. But, even if you’re using an established device, it’s never too late to get started by following these four simple steps that I’ll take you through in a moment.
Before we do that, let’s start from the beginning and lay your foundation for success.
The starting block: Know what you’re working with
If you were thinking of baking a cake, you’d probably read a recipe first and gather the ingredients before trying to make it. Remembering that you forgot to add the sugar after the cake is already in the oven would be pretty annoying, right?
Cyber security is kind of the same!
If your staff use devices for work, you need to have a record of them (if you haven’t already).
A Device Asset Register record helps you keep track of your company’s tech assets and histories. This way, you can be confident that your devices are protected in the same way. It can help you answer business questions like:
- How old are our devices? Is it time to upgrade them?
- Who is using what device? What needs to be returned if a staff member resigns?
- What devices do we need to provide for a new team member?
- How many software license keys do we need to purchase for our team?
- Have all of our devices had our antivirus package installed?
- Is that damaged or faulty device still under warranty?
- What was the serial number of a lost/stolen device so we can wipe it remotely?
Centralising this information makes it a more straightforward process if you need to take action in the future (such as rolling out the tips in this blog). You could even use it as a checklist to ensure each tip is rolled out across every device your company owns.
But, if you don’t already have one - save yourself some time and download this one for free right now! Choose from Microsoft Excel or Google Sheets as best suits your business.
Once you’ve built a record of all of your devices, let's get them set up correctly so that they’re ready for your team to hit the ground running!
Step one: set up your user accounts correctly
If you’re giving your staff laptops, an easy way to make sure their accounts remain secure from the beginning is to set them up as a standard user account, not an admin account (which is the default setting on every new device).
Why should you do this?
Standard user accounts have additional built-in security features that reduce the threat of being hacked without any extra work on your part. It won’t affect how your team use their devices at work however, it will protect your business from issues such as:
- accidental download and installation of malware
- unintentional deletion of files that are needed for the comp uter to run
- restoring the computer to its original condition if the staff member leaves.
It’s really easy to set up a staff member as a standard user.
On a Mac, simply create a new standard account under ‘Users’ in System Preferences.
You can create a local user account on Windows under Settings > Accounts > Family and other users (or follow Microsoft’s instructional guide).
But hold on! Even though you’ve got your accounts ready to roll, there are still three more things you can do to make sure you’re all set up before handing over that device.
Step two: automate file backups
What could be worse than losing weeks of assay or plod data days from invoicing? Not much, other than knowing that the data loss could have been avoided in the first place!
Backing up your system is a great way to protect yourself against system crashes, loss or theft of a device or even ransomware attacks.
How often you need to back up your device depends on business to business, but daily is your best bet as a small drilling business or Junior explorer.
The best way to ensure your files are backed up is to automate the process. There are a few ways to do this, but a cloud-based backup storage option is the easiest. This type of backup doesn't require secure storage like an external hard disk. It's also scalable as your business grows and collects more data.
There are loads to choose from online, but before you get the credit card out, here’s a tip: if you’re already using Microsoft 365, you can use OneDrive for free as part of your subscription. Just keep all of your documents stored in your OneDrive folder and work from this folder (rather than your documents folder), and it’ll automatically keep your files updated for you. Simply right-click the folder and click “Always keep on this device” to continue using your files offline, in the field, without internet access!
Step three: encrypt your hard drive
Encryption is a way of protecting your data by turning it into a code that can only be read by a device with the key to unlock that code. This protects you in case of issues like your device being stolen or someone attempting an opportunistic file grab using an external thumb drive or similar.
Encryption sounds serious, but it’s actually relatively straightforward for you as a user. It doesn’t affect your experience with your device but protects the contents of your hard drive in case it becomes lost or stolen.
Encrypting your hard drive is easy and free, but it is something you need to manually opt in to from within your computer settings. On Windows, the encryption setting is called BitLocker, and on Mac it’s called FileVault.
All you need to do to turn it on is to navigate to your system settings and follow the prompts, and within a few minutes, your hard drive will be fully encrypted. Easy.
There is one important extra detail here: make sure to memorise your password - and make it sufficiently difficult, otherwise, you'll be locked out of your files for good! Don't forget to make the password strong, otherwise, you'll still be at risk of someone breaking in to your device, rendering the encryption useless. I recommend using a password manager if you're prone to forgetting your password (more on that later).
Step four: keep your operating system up to date by turning on auto-update
Operating System providers (eg Microsoft. Apple) are constantly monitoring and testing their systems to make sure they are as secure as possible for their customers.
Even the best systems have security flaws, but this regular testing is what picks them up. When weaknesses are discovered, an update is issued and then pushed to all operating system customers to make sure that their systems are protected against the latest vulnerabilities.
Even though the frequency of the updates can be annoying, it is best to accept them to protect your system in the long run. The easiest way to avoid putting it off is just to turn on auto-update and remove the temptation of dismissing it - use it as an excuse to make yourself a coffee or enjoy some fresh air for 5 minutes.
It’s also possible to schedule updates for night time or outside of your work hours within your system settings to avoid disruptions to your day.
The number one piece of software that every mining company needs to have
Ok, so now that we’ve got your devices covered, let’s kick things up a notch and take a deeper dive into your software, including the number one piece of software that every exploration and drilling company needs to have. We'll also look at some basic settings to turn on within your software products to make sure your accounts have the maximum level of security at no extra cost.
So what is the number one piece of software that every small mining company needs?
It’s something you must consider first, above anything else I'll discuss in this blog.
Without doing this one thing, the rest of these tips won’t have anywhere near as strong an impact on your cyber security efforts.
I’m talking of course, about a password manager.
Your passwords are your greatest defence against cyber criminals, but they can also be your greatest weakness.
How many times have you used the same password on multiple accounts or used personal information like names or birthdays that anyone could find with a simple google search or visit to your social media profile?
We’ve all been guilty of this at some point, and it’s understandable - it’s hard to come up with a new password every time you need one, let alone remember it later on.
(If you’re wondering just how easy it can be for cyber criminals to crack your password, check out passwordmonster.com.)
A password manager can remove these challenges by helping you generate ultra-secure and complex passwords in seconds and saving them for you in an encrypted vault. The best thing about them is that you only have to remember one decent, strong password. It also helps you to securely share passwords within your team to remove the risks of sharing them over email or messaging services.
I recommend looking at a password manager before anything else because, after implementing it, you’ll have a more secure foundation for any other software you use to run your business.
I know what you might be thinking: “but aren’t I just sharing all my really strong passwords with the password manager?”
Not if you use a good, well-known and trusted password manager! Instead of storing your passwords on their servers, they are actually stored locally on the device the password manager is stored on. This means that even if your password manager provider is hacked, your passwords will remain safe (assuming you've encrypted your hard drive or all the files associated with your password manager on your device).
Because the passwords generated by password managers are extremely difficult to crack (with the right settings enabled), your sensitive business data that is stored in each platform becomes more secure. Plus, if one of your systems were to be compromised, your other systems are more likely to remain untouched.
If you’re in the market for a password manager, I’d be happy to recommend some options for you - use the chat bubble to send us a message.
So, now that I’ve hopefully convinced you to start using a password manager and you’ve created secure new passwords for your logins, let’s take a look at how you can configure your existing software accounts for maximum security.
Enable user roles and permissions
Modern software platforms designed for business often provide you with options to assign users to different levels of security clearance or access permissions on their platforms.
The user access or permission level typically equals the level of responsibility a user has in the business. As an Exploration or Drilling Manager at a small mining company, you would typically have the highest level of clearance.
User roles can help make sure that sensitive information like costs or employee details can only be accessed by those who need to access it.
Permission-based roles can help to enforce approval processes by only allowing a certain user level to sign off on work or data (eg approving plods).
It can also protect you in the case of staff turnover, disgruntled employees or user accounts being compromised, as only the master account (likely your account) has access to everything, and you’ll know that it’s secure as you’ve set it up with your password manager.
So, if you haven’t already - make sure to delegate roles and permissions!
Review your authentication options
If it’s an option, I’d always recommend turning on multi-factor authentication or two-factor authentication.
Authentication measures offer an additional layer of security when logging in to a software platform or website. There are three types of authentication:
- knowledge (eg a password or security question)
- possession (eg a security key, text message code or google authentication code), and,
- inherence (eg TouchID or voice ID), otherwise known as “something you know”, “something you have” or “something you are”.
Two-factor authentication requires two types of authentication at login, and multi-factor requires two or more types. This gives you another layer of protection because cyber criminals need to acquire your password plus additional information or access locked to a device, making it much more difficult to gain access.
If your password was stolen but you had multi-factor authentication turned on so an additional text message code was required, a cyber criminal would also have to have access to your phone and your phone’s passcode to gain access (or your actual phone number - see simjacking - but that’s a tale for another time!). All of a sudden it’s much harder to gain access, and if you’re a cyber criminal looking for an easy target, you’d probably just move on to your next victim.
Regardless of what options are available on a software platform, your password is still your first line of defence, so make sure you have that password manager in order!
Use Single Sign On (SSO) where you can
SSO is a convenient way to save time logging in to software by using an existing credential while maintaining password integrity and reducing the likelihood of staff using repeat passwords.
Large, enterprise-level companies usually have their own SSO services. But, if you’re a small mining company, you can still access the benefits for free in some cases. You can do this by using your Google Workspace or Microsoft 365 login to sign in to a range of free and paid Software as a Service (SaaS) products online.
An example of SSO (canva.com)
There is a caveat here: it’s best not to use your social network login for a work-related software login. Using SSO credentials with your work email address is best practice when using SaaS for work-related purposes.
So, next time you sign up for a SaaS product for business, make use of this option if it's available to stay secure whilst also saving yourself some time and effort.
Keep on top of all of these tips with a free downloadable checklist
I've covered so much already - well done if you've made it this far into the blog. Feeling overwhelmed? Don't be - we made this free checklist to guide you through everything we've touched on in this article.
Download it for free now!
Now that we've covered the major device and software tips, let's finish off with a few bonus tips to round off all of the learnings from this blog.
Bonus tip one: Staying safe over email and messages
Ever accidentally sent an email or a message to the wrong person? Most of us have done it at least once. Hopefully, whatever was sent wasn’t confidential, but what if it was?
If you’re sharing sensitive information with clients or contractors, a good rule of thumb is to write out the body text of your email first and then enter the recipient’s email address at the end.
If you can, turning on email retraction will also give you a few seconds buffer if you realise you accidentally sent it to the wrong person. This gives you a final chance to stop the send before it reaches their inbox.
It’s also good practice to be diligent with your incoming emails. Phishing is a type of attack that cyber criminals use to gain access to your personal information or device. This could look like an email from someone in your business or a client’s business containing a file that’s labelled as an invoice for approval, but it’s actually malware that infects your computer if you open the file.
Or, it could be a cyber criminal posing as your Managing Director or CEO, asking you to take a specific action or share details, with the intent of stealing from you or your business.
Here’s an example of a phishing email we received recently where the sender posed as our CEO, Alex:
But, if you look closely at the email address and not the sender name, it’s definitely not from Alex!
These seem really obvious, but if you’re in a rush or feeling tired it can be easy to accidentally miss details and fall victim to these traps.
The best way to avoid these types of scams is to make sure your spam filter is on. Then, check the email address like in the example to make sure that the email address matches that person’s regular address. Be careful of any close matches eg “alex.”, “alex_” or “a1ex”.
What about email attachments and links?
Cyber security rule number one: never open an attachment, file or link that seems suspicious or was sent unsolicited - even if you know the sender.
If in doubt about a message or email, the best advice I can give you is to just pick up the phone and give them a call to verify the details or the attachment. It’ll take a minute or two, but it could save you a lot of time and money by avoiding having to try to recover from a cyber attack or penetration.
But, what if you accidentally download a file or click on a suspicious link?
First of all, don't panic.
For immediate peace of mind, check out virustotal - it’s a free web tool that will analyse a file or URL for malware for you. Simply upload the file (don't open it!) or paste the URL into the site, and you’ll get a detailed analysis of the file along with any safety warnings about the contents inside.
Note: it will only be able to identify known malware strains!
If you're still unsure or are experiencing issues, the Australian Cyber Security Hotline is available 24/7 to help guide you through the situation. They also have a great interactive guide that explains what to do for a range of situations if you're in a pinch.
My final piece of advice on this topic - never share a password over email or another messaging service. Whilst your device might be secure, you never know what’s happening on the recipient’s device. It’s best to add a shared password into your shared business vault on your password manager for secure sharing of passwords, credit card numbers etc.
Bonus tip two: Keep your software stack manageable
Your software stack is the set of digital tools you use to run your business.
Software is an amazing and powerful business tool, but is there such a thing as too much software in your stack?
As it turns out, yes there is!
Having too many accounts and products increases the number of potential access points to cyber criminals, but it also spreads your team thin and requires more maintenance.
Some mining businesses might choose to use a large number of apps or software services to try and reduce their total software spend, but there is a hidden cost in taking this approach: your staff’s time and attention being diverted from the client or the geology.
Think about it - if your team are constantly having to switch between different accounts to complete repetitive tasks, manually move data across multiple systems to complete simple workflows or remember which program they uploaded a specific data file to, that’s all time that could have been spent increasing efficiency or locating the next ore body.
Whilst it might not seem like much time in the moment, over the course of days, weeks and months - across your entire team - it starts to add up fast.
The more complex the workflow, the more likely people won’t follow through on using it correctly because it’s just not realistic within their work day. The end result? Compromised data and dissatisfied staff.
Instead, I recommend looking at software that will help you to streamline and consolidate as many aspects of your workflow as possible into the one program. This way it’s easier for your team to stay on the same page, and reduces the number of entry points cyber criminals can exploit to access your data.
PS: by using a password manager, you’ll have an automatic record of all of the accounts you’ve created and be better placed to run a software audit in the future.
The main takeaway from this blog is that you don’t need a massive budget or IT department to take concrete steps toward improving your small mining company’s cyber security. Investing even just a few minutes of your time can go a long way toward preventing a cyber attack.
I suggested a practical approach to cyber security for small drilling and exploration companies, starting by securing your devices and then progressing to your software. Then we explored some general tips, including using email and messaging services safely, as well as keeping your tech stack manageable by choosing products that will centralise and consolidate multiple tasks into one place.
So, if you’re wanting to take action now, get started by setting up a device register (or save yourself some time by downloading this one here for free). Then, come back and follow the tips in this blog - or use this free checklist - to make sure all of your devices and accounts are configured for maximum security.
If you're interested in finding out more about cyber security, the Australian Cyber Security Centre has some great resources worth a read.
You’re well on your way to a successful digital transformation! If you’d like to keep reading about managing your mining company’s digital transformation the right way, you might find these articles helpful: