Industry · Mining services

IT and cybersecurity for the firms that serve the mines.

Drone surveyors, engineering consultancies, geotech specialists, environmental and safety auditors. The 20 to 250-person firms that do the work the majors actually depend on, with the security questionnaires to match. Based in Welshpool WA, working with mining services firms across Australia.

What's actually different in mining services

Mining services is its own IT environment.

Mining services firms sit between a principal contractor that runs like a fortress and a field environment that changes every week. Site networks are somebody else's. Data is high-value and often contractually restricted. The security questionnaire that decides whether you keep the work is written by someone who's never seen your laptop.

We've spent years getting the plumbing right for firms in this space: managed connectivity that survives a bad day on site, identity and endpoint controls that meet principal contractor asks without making your people hate their laptops, backup and recovery that covers the geospatial and operational data properly, and incident response that starts with a known contact rather than a panicked Google search at 9 PM.

We don't work with mining companies themselves. The procurement rhythm and panel requirements aren't a good fit for the way we work. We work with the firms that serve them, where our 20 to 250-staff sweet spot lines up with the real operating shape of the business.

Live right now · mining services

The 2026 pressure points we're actively working on with clients.

The specific asks, deadlines and enforcement actions shaping 2026 conversations in your sector.

Mining prime-contractor security packs, pushed down the chain

The major miners (BHP, Rio, FMG, Roy Hill and the rest) now run full vendor security assessments before onboarding contractors to their sites and platforms. The pack arrives as a PDF or a questionnaire in a procurement portal. MFA, EDR, patching cadence, Essential Eight maturity, cyber insurance, incident response plan, backup testing. Answer it badly and you're off the prequal list; answer it dishonestly and it surfaces after an incident.

Site connectivity that can't afford to drop

Drone surveying, geospatial analysis, automated drilling, environmental telemetry. All dependent on a link between a remote site and head office or a cloud platform. The old pattern of a single 4G dongle taped to a Pelican case is expensive when it fails. Managed LTE/5G with sensible failover and a router on the right SLA is what's underneath the data pipeline everyone talks about.

Mandatory ransomware payment reporting, 72 hours

Under the Cyber Security Act, firms with turnover above $3M must report ransomware payments to ASD within 72 hours (commenced 30 May 2025). Most mid-size mining services firms sit above that threshold. The legal clock starts when payment is made, so the incident-response playbook has to know the reporting path already.

Frameworks that turn up in the room

Industry frameworks, regulations and audit standards for mining services in Australia.

Prime-contractor security questionnaires
The specific wording varies by principal, but the content overlaps heavily: Essential Eight self-attestation, MFA enforcement, EDR, patching SLAs, staff training records, documented incident response, named security contact. We keep an internal crib of the common asks so your next prequal response takes a morning instead of a fortnight.

ACSC Essential Eight
The baseline cyber insurers and most principals reference. We move firms through the maturity levels without stopping the billable work, and we track evidence so the self-attestation is defensible if anyone checks.

Privacy Act 1988 + APPs
Any contractor personal data, including photos, rosters, certifications and licence data, sits under the APPs. Larger services firms sit above the $3M threshold and inherit the full obligations including Notifiable Data Breaches.

Site-specific operating procedures
Each principal's site has its own rules on what connects to site networks, what data leaves site, how visiting laptops are treated, and whether personal devices can touch any of it. We configure the endpoint and identity stack so your staff can comply without workarounds that defeat the policy.

Data sovereignty for geospatial and operational data
Drone imagery, LIDAR, tailings-dam monitoring, environmental telemetry. Much of it sits under contractual restrictions on where data can be stored and who can access it. We make sure the cloud platforms you already use are configured to respect those restrictions, with evidence you can produce on request.

Common questions

The things mining services clients ask us first.

We've been asked to complete a principal contractor's security questionnaire. Can you help?
Yes. We've done enough of them for mining services firms to know which questions are load-bearing. Typically the asks are MFA, EDR, patching, backups, offboarding, incident response, and cyber insurance. We answer with evidence, and where the answer is 'not yet,' we give you a remediation plan with dates the principal will accept.

Our field laptops go between remote sites, home, and the office. How do we keep them safe?
Treat the laptop as hostile to any network it's on, not trusted because it's behind an office firewall. Full-disk encryption, identity-based access to cloud platforms, EDR with an always-on posture, and no shared logins. Site-specific policies apply at the platform level, not by physical network. We set this up once and it scales as the fleet grows.

We run drone and LIDAR survey work. The data is enormous. Where should it live?
Depends on the principal's contractual restrictions and who your customers are. We'll help you pick a storage pattern that meets the data sovereignty requirements in your contracts, stays affordable as the raw-data library grows, and integrates with the analysis tools your team actually uses. We don't sell the storage, so we'll tell you which product is the best fit for your setup, not whichever one pays us the most.

Do you cover 24/7 incident response? Our operations run around the clock.
For CCP clients on Managed IT Complete, critical incident response is handled by our Australia-based team with defined SLAs for after-hours. We're not a 24/7 SOC, and if that's what you need we'll say so and help you pick one. For most mining services firms, the combination of an always-on monitoring stack, a defined IR playbook, and a responsive Australia-based team is the right fit. The outlier cases we'll flag upfront.

Mining services firms work with overseas principals and offshore contractors. Does that create issues?
It creates work, not issues. Cross-border data flow, export control on geospatial data in some jurisdictions, identity federation with overseas tenants, vendor risk assessments for offshore subcontractors. We've set this up for firms that operate across Australia, South-East Asia and Africa. It's detail work that benefits from being done properly once rather than patched later.

The qualifier

Let's see if we're a fit.

Seven questions, one moment of your time. We'd rather tell you now than three months in.
