A recent survey of 599 security executives at utility, oil and gas, energy and manufacturing companies in 13 countries has found that 67 percent have experienced at least one security breach in the past 12 months that led to the loss of confidential information or the disruption of operations.
The survey [PDF], conducted by the Ponemon Institute and sponsored by Unisys, also found that 64 percent of respondents anticipate one or more serious attacks in the coming year — and fully 78 percent anticipate an attack on their organizations’ industrial control systems (ICS) or supervisory control and data acquisition (SCADA) systems within the next year.
Still, only 28 percent of respondents ranked security as one of the top five strategic priorities for their organization; 60 percent of respondents said their top business priority was minimizing downtime.
And 34 percent of respondents said their companies don’t get real-time alerts, threat analysis or threat prioritization intelligence that could be used to stop or mitigate an attack, and among those that do receive such intelligence, 22 percent say it’s not effective.
“The findings of the survey are startling, given that these industries form the backbone of the global economy and cannot afford a disruption,” Ponemon Institute chairman and founder Dr. Larry Ponemon said in a statement. “While the desire for security protection is apparent among these companies, not nearly enough is actually being done to secure our critical infrastructure against attacks.”
Among the respondents who had suffered a data breach within the past year, 47 percent attributed the breach to an accident or mistake, and negligent insiders were the most cited threat to company security — but only 6 percent of respondents provide cyber security training for all employees.
“Whether malicious or accidental, threats from the inside are just as real and devastating as those coming from the outside,” Unisys CISO Dave Frymier said in a statement. “We hope the survey results serve as a wake-up call to critical infrastructure providers to take a much more proactive, holistic approach to securing their IT systems against attacks.”
The report [PDF] recommends three key actions that companies can take to decrease the likelihood of future cyber security incidents:
- Develop an all-encompassing security strategy that aligns security with business strategies and goals, providing a roadmap to follow
- Manage identities and entitlements to provide the highest level of identity assurance and reduce critical employee errors
- Isolate and cloak endpoint devices to hide them from probing malware
In May 2014, the U.S. Department of Homeland Security acknowledged that an unidentified public utility in the U.S. had been compromised by a sophisticated hacker group, stating, “This incident highlights the need to evaluate security controls employed at the perimeter.”
And last month, the U.K.’s Serious Crime Bill proposed life sentences for hackers who caused loss of life, serious injury or serious damage to national security. “Our reliance on computer systems and the degree to which they are interlinked is ever increasing, and a major cyber attack on our critical infrastructure would have grave consequences,” U.K. minister for organized crime Karen Bradley said at the time.