Technology is a critical link in connecting ONEOK’s physical and information assets and promotes our ability to operate reliably. Maintaining the security of our technology systems and information assets is paramount, which is why ONEOK works continuously to reduce exposure to cyber risk through employee-focused awareness programs and process and technology improvements.
Our information security efforts are guided by an executive advisory committee composed of company officers from various business segments who meet regularly to evaluate ongoing cybersecurity threats, define policy, set strategy and prioritize initiatives. The board of directors also receives regular updates on the company’s cybersecurity efforts.
Secure Internet-Browsing Initiative
In 2017, ONEOK completed the secure internet-browsing initiative and realized the full impact of these efforts with a 94 percent reduction in cybersecurity incidents since 2015. The initiative launched in early 2015 with a goal to decrease exposure to internet-based cyberattacks through the:
- Addition of an alternative wireless network dedicated to employee browsing.
- Creation of a whitelist, or list of approved, business-related websites that could be accessed on the corporate network.
- Addition of always-on VPN, which requires that employees always log in to the corporate network before accessing company systems.
Following our success in reducing risk through information security initiatives, we are now more aggressively pursuing the security of our industrial control systems (ICS) through training, processes and technology aimed at improving standardization and our ability to respond to threats.
In 2017, we developed new required ICS security training for employees operating and monitoring these systems. The training includes information about specific threat indicators in the ICS environment, as well as appropriate response channels and best practices for identifying and responding to threats.
ONEOK also deployed additional technology resources aimed at reducing the risk to our control system. Targeted cybersecurity awareness, similar to the efforts deployed for ICS, will continue to be an area of focus for ONEOK.
Our voluntary cybersecurity awareness program, SecuritySense, continued to reach high levels of engagement in 2017, with 87 percent of employees completing at least one training.
The program, which launched in 2011, utilizes monthly, online trainings to educate employees about security-related topics. In 2017, employees completed 24,355 courses, equating to more than 2,050 hours of training.
SecuritySense is an important tool for engaging employees in our information security efforts, and the program’s success is being recognized both inside and outside of the technology industry. The 2016 SecuritySense campaign received awards from both the Tulsa chapter and the Southern Region of the International Association of Business Communicators for its success in communications and employee engagement.
This effort was also recognized internationally by the International Association of Business Communicators for effectiveness in communication and successful employee engagement.
Securing the physical sites where our employees work and our assets reside is a key component of our security strategy. In 2017, we continued to implement our enterprise physical-security standard in field locations. This includes, but is not limited to, standardized access control and video surveillance systems, and unified ID badge technology.
To date, more than 70 percent of employees are covered by the physical-security standard, and we anticipate continuing to implement improvements over the next few years.
Leadership oversight and access to critical systems in times of crisis or disaster are integral to our company’s commitment to operate safely, reliably and in an environmentally sustainable manner.
ONEOK routinely conducts crisis management and business continuity exercises. In 2017, the objectives for these exercises included an increase in:
- Familiarity with crisis management and business continuity plans.
- Awareness of business continuity as part of crisis management.
- Familiarity with our alternate-site work location through physical site tours.
- Awareness of technology to increase accountability and management of plan improvements.
The exercises were designed to validate response strategies and test the company’s new mass notification system. We also validated the suitability of our alternate-site work location and had industry experts analyze our response through feedback and recommendations post-exercise.