Why cybersecurity is now an important factor in health and safety
Many health and safety experts now consider cybersecurity to be a growing issue in the sector. While you might think of the two issues as completely separate, it is becoming clearer that they overlap in a number of ways.
There are different types of damage that cyber risk can cause. There is informational risk, where important data can be lost. Just as troublesome is operational risk, where cybercrime can damage the running of a business. Reputational and financial risk arise from these but are distinct risks in their own right.
However, there is another type of challenge: physical risk. This can occur from unexpected physical damage or events caused by cyberattacks.
It is not always the intention of a hack to cause physical damage. There are instances of industrial sabotage, where the hackers’ motivation is to cause problems for large businesses, but this is not always the reason that physical damage occurs. Quite often it is an unforeseen consequence: the hacker was only looking to gain access to the system.
Cybercrime can create physical problems
One of the worst examples of a physical risk that came about due to a cyberattack occurred in 2014. A German steel mill had its system hacked by cybercriminals, and the team was unable to access parts of the infrastructure that allowed aspects of the mill to be shut down.
This led to a situation where a blast furnace could not be shut off in the normal way. Subsequently, the furnace overheated and this caused catastrophic damage. Fortunately, the situation was eventually contained.
Any time that a company controls potentially dangerous machinery or equipment using a computer system, it is a health and safety issue that relates to cybercrime.
More recently, a hacker in Florida gained access to a city’s water supply and tried to pump in a ‘dangerous’ amount of chemicals. The incident happened in the city of Oldsmar, with the hacker briefly increasing the amount of sodium hydroxide (lye) in the water treatment system, before it was spotted and reversed by a worker.
Operational disruption can cause health and safety issues too
We spoke above about the different types of risk to a business – one of these was operational risk. On the surface, operational problems would not appear to be a health and safety issue, but of course, this depends entirely on the kind of work a business is carrying out.
For example, a company might be using electronic equipment during electrical maintenance at physical premises. If hackers were able to bring down the company’s system at a crucial moment, this could lead to critical buildings being left without power.
On a different note, it may be that a company’s system continuously monitors employees. This could be a control measure to ensure that lone workers are safe. If these measures are no longer in place due to a malfunctioning system, these workers could be put at risk.
Indirect health and safety issues
Cybercrime can also create a number of indirect health and safety issues, especially when we consider another type of risk mentioned above: informational risk. Here we see the potential for hackers to get access to the personal details of employees, including contact details and health and financial information.
Knowing that this has taken place can cause a great deal of anxiety and fear for members of staff – and of course, health and safety planning needs to take care of mental health as well as physical health.
The importance of preventing cybercrime
What we can see from these cybersecurity issues is that physical challenges that result in health and safety issues are often preventable. Good health and safety planning should take into account the potential issues that can arise, should a business suffer anything from a data breach to a full-on takeover of the system.
Prevention is always better than cure, and it can be smart to work with cybersecurity professionals to put powerful defences into your system.
The measures you can put in place
There are many types of preventive measures that a health and safety team can take in conjunction with the IT department. For example, assessing defences regularly with the help of penetration testing is important, as is putting simple but effective measures in place, such as stronger passwords and multi-factor authentication.
“As a penetration tester, a major issue that I see regularly is a failure by organisations to enforce multi-factor authentication across systems and applications,” says Jed Kafetz, Head of Penetration Testing at Redscan.
“Multi-factor authentication provides an important secondary layer of defence in the event of a password being stolen and is especially important given people’s tendency to reuse passwords across accounts. If adopted more widely, I can confidently say that there would be far fewer security breaches.”