Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Almost 70 Percent of Critical Infrastructure Companies Breached in Last 12 Months: Survey

New research from Unisys and the Ponemon Institute underscores that many critical infrastructure companies remain challenged when it comes to security.

New research from Unisys and the Ponemon Institute underscores that many critical infrastructure companies remain challenged when it comes to security.

According to the survey, nearly 70 percent of the 599 respondents have reported at least one security breach that led to the loss of confidential information or disruption of operations in the past 12 months. The survey took place between April and May, and included responses from security executives from utility, oil and gas, energy and manufacturing companies.

According to the survey, 64 percent of the respondents said they anticipated one or more serious attacks in the coming year. However despite this risk, only 28 percent ranked security as one of the top five strategic priorities for their organization.

“The findings of the survey are startling, given that these industries form the backbone of the global economy and cannot afford a disruption,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, in a statement. “While the desire for security protection is apparent among these companies, not nearly enough is actually being done to secure our critical infrastructure against attacks.”

In the study, respondents indicated that immediate concerns like minimization of downtime take precedence over cyber-attacks and compliance. Sixty percent cited minimization of downtime as a top security objective, while 44 percent cited preventing cyber-attacks as a top objective. Additionally, the majority of companies (58 percent) said their organization was vetting contractors, vendors and other third-parties for high security standards either partially or not at all. 

Just 17 percent of respondents describe their organization’s IT security program or activities as “mature.” Those who had suffered a data breach within the past year most often attributed the breaches to an internal accident or mistake, with negligent insiders cited the most as a threat to security. Just six percent said they provide cyber-security training for all their employees.

The survey also put a spotlight on fears of attacks targeting industrial control systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems. When asked about the probability of an attack on their organizations’ ICS or SCADA systems, 78 percent of senior security officials stated a successful attack is at least somewhat likely within the next two years. Only 21 percent said the risk levels to ICS SCADA systems have decreased because of regulations and industry-based security standards.

“Whether malicious or accidental, threats from the inside are just as real and devastating as those coming from the outside,” said Dave Frymier, chief information security officer at Unisys, in a statement. “We hope the survey results serve as a wake-up call to critical infrastructure providers to take a much more proactive, holistic approach to securing their IT systems against attacks. Action should be taken before an incident occurs, not just after a breach.”

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.

Register

Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Vulnerabilities

Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.