CORPORATE RESPONSIBILITY REPORT 2016
Securing ONEOK’s technology and information assets is critical to our business operations and to maintaining our competitive advantage within the energy industry. In 2016, we continued to focus on measures that would enhance the confidentiality, integrity and availability of our data through safer user behavior.
In late 2015, we launched our secure internet-browsing initiative, which was designed to decrease exposure to internet-based cyberattacks. In the first phase of the initiative, we introduced the ONEOK Coffee Shop Network, a corporate wireless network dedicated to employee browsing, which resulted in successfully removing nonbusiness related internet traffic from company assets.
In February 2016, we implemented the second phase of this initiative, which involved the creation of a whitelist, or list of approved, business-related websites that could be accessed on the corporate network.
Whitelisting enhanced existing cybersecurity efforts by reducing the number of compromised websites accessed on the corporate network. Over several months, we worked with employees to identify and screen websites for potential security issues. Thousands of websites were submitted and only secure, business-related websites were added to the whitelist.
By implementing new controls to the corporate internet environment and by continuing to educate employees about cybersecurity risks, ONEOK successfully reduced the number of cybersecurity incidents by 77 percent compared with 2014.
These efforts were recognized nationally for both methodology and effectiveness. The secure-internet browsing initiative was featured by an external, independent technology-research firm as a best practice for people-centric security. The initiative also was awarded by the Tulsa Chapter of the International Association of Business Communicators for effectiveness in communication and successful employee engagement.
While we experienced great success in 2016, we will continue to evaluate new technology and process improvements that will further mitigate cyberrisk associated with user behavior and will combat outside threats.
Cybersecurity Incidents* at ONEOK
In 2016, ONEOK’s voluntary cybersecurity awareness program, SecuritySense, reached new heights in employee engagement.
The program, which utilizes monthly, online trainings to educate employees about security-related topics, achieved 90 percent employee participation in at least one training module, the largest percentage since the program’s inception in 2011.
This increase was attributable, in part, to refreshed content produced in-house for the monthly training courses instead of the generic content used previously. This new approach allowed us to develop trainings based on current security issues and gave us the flexibility to use SecuritySense as a platform for communicating important company programs like the secure-internet browsing initiative.
By the end of 2016, employees completed approximately 27,386 courses, accounting for more than 2,040 hours of training.
SecuritySense is an important tool for engaging employees in our information security efforts, and we will continue to evaluate and implement new methods for outreach across our operating footprint.
Security Sense by the numbers
Access to critical systems in times of disaster is integral to our company’s commitment to operate safely, reliably and in an environmentally responsible manner. The responsibility for maintaining this continuity falls to many departments within ONEOK, including Business Continuity, Disaster Recovery, Information Technology, Information Security, Corporate Services and ESH.
In 2016, these teams continued to work in tandem to adapt and streamline response plans that considered both traditional and emerging types of disasters.
These efforts included revising the Crisis Management Plan to provide guidelines on actions and decisions during a crisis and a mechanism for activating other response and recovery teams. The new Crisis Management Guideline was released in fall 2016.
ONEOK regularly conducts business continuity training exercises and disaster recovery tests to validate appropriate strategies for, and timely response to, a variety of crises. In 2016, some of these tests included recovery of information technology infrastructure and validation of critical business applications and pipeline-control systems. These exercises and tests provide opportunities to hone skills, increase readiness and improve response-plan effectiveness.
We will continue to evaluate all types of disasters, natural and manmade, as well as share best practices with companies in different industries to ensure our response plans are current and comprehensive.