New research from Unisys and the Ponemon Institute underscores that many critical infrastructure companies remain challenged when it comes to security.
According to the survey, nearly 70 percent of the 599 respondents have reported at least one security breach that led to the loss of confidential information or disruption of operations in the past 12 months. The survey took place between April and May, and included responses from security executives from utility, oil and gas, energy and manufacturing companies.
According to the survey, 64 percent of the respondents said they anticipated one or more serious attacks in the coming year. However despite this risk, only 28 percent ranked security as one of the top five strategic priorities for their organization.
“The findings of the survey are startling, given that these industries form the backbone of the global economy and cannot afford a disruption,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, in a statement. “While the desire for security protection is apparent among these companies, not nearly enough is actually being done to secure our critical infrastructure against attacks.”
In the study, respondents indicated that immediate concerns like minimization of downtime take precedence over cyber-attacks and compliance. Sixty percent cited minimization of downtime as a top security objective, while 44 percent cited preventing cyber-attacks as a top objective. Additionally, the majority of companies (58 percent) said their organization was vetting contractors, vendors and other third-parties for high security standards either partially or not at all.
Just 17 percent of respondents describe their organization’s IT security program or activities as “mature.” Those who had suffered a data breach within the past year most often attributed the breaches to an internal accident or mistake, with negligent insiders cited the most as a threat to security. Just six percent said they provide cyber-security training for all their employees.
The survey also put a spotlight on fears of attacks targeting industrial control systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems. When asked about the probability of an attack on their organizations’ ICS or SCADA systems, 78 percent of senior security officials stated a successful attack is at least somewhat likely within the next two years. Only 21 percent said the risk levels to ICS SCADA systems have decreased because of regulations and industry-based security standards.
“Whether malicious or accidental, threats from the inside are just as real and devastating as those coming from the outside,” said Dave Frymier, chief information security officer at Unisys, in a statement. “We hope the survey results serve as a wake-up call to critical infrastructure providers to take a much more proactive, holistic approach to securing their IT systems against attacks. Action should be taken before an incident occurs, not just after a breach.”