Companies providing the world’s critical infrastructure are woefully unprepared for cyberattacks despite the increasing threat level, evidenced by the release of the Stuxnet worm and the Shamoon virus in recent years, a survey conducted jointly by the Ponemon Institute and Unisys has found.
Nearly 70 percent of the 599 surveyed oil, gas, utility, energy and manufacturing companies reported at least one security breach in the past 12 months that cost them confidential information or disrupted operations.
Further, 64 percent of the respondents expected one or more serious cyberattacks this year.
However, only 28 percent ranked security as one of the top five strategic priorities for their organization. On the other hand, a majority considered minimizing downtime their top business priority.
Most of the respondents that suffered data breaches over the past year attributed them to an internal mistake or accident.
Negligent insiders were the most cited threat to company security.
However, only 6 percent of respondents said they provided cybersecurity training for all employees.
“Numerous studies … across multiple industries have shown human error is the major source of breach,” Stu Sjouwerman, CEO, KnowBe4, told TechNewsWorld.
“Defense in depth, which includes stepping all employees through security awareness training to create a human firewall, is a vital step in preventing unauthorized access,” he said.
The breakroom training sessions conducted annually by many companies won’t do, Sjouwerman cautioned. “Effective training is now being offered, with real-world scenarios to keep security top of mind.”
The survey, conducted online from April to May, polled senior security executives from companies in 13 countries.
Cyberattacks against critical infrastructure companies have increased, Dwayne Melancon, CTO of Tripwire, told TechNewsWorld.
The problem is severe enough that Aegis, which provides liability and property insurance and related risk management services to the utility and energy industries, recently launched a new package, CyberResilience, that offers first- and third-party coverage for cyberattacks against operational technology and critical infrastructure in addition to data protection and privacy insurance.
However, awareness of cyberattacks has increased as well, with greater scrutiny, more continuous monitoring, and executive attention on the critical infrastructure, Melancon said, referring to a White House executive order issued in February of last year.
The National Institute of Standards and Technology in February unveiled a security framework in keeping with the executive order.
The framework “references globally accepted standards, guidelines and practices” so both U.S. and foreign organizations can use it to “efficiently operate globally and manage new and evolving risks,” Adam Sedgewick, senior information technology policy advisor at NIST, told TechNewsWorld.
NIST “has been actively sharing the framework with other countries,” he said.
The framework is voluntary, and there is no enforcement of adherence to its guidelines.
That may be why critical infrastructure companies are not following the framework’s recommendations: NIST’s guidance “is very daunting, and many agencies don’t know where to start,” Tripwire’s Melancon pointed out. So, they “either do nothing or try to do too much and fail, or they seek outside help.”
Certain aspects could be made mandatory, but this “could be tricky, because one size definitely doesn’t fit all when it comes to effective security,” Melancon said. “I prefer we focus on the universal IT capabilities that help all organizations … the first four controls of the SANS Top 20, which can be mapped to a subset of the NIST framework.”
Remember that compliance does not equal security, KnowBe4’s Sjouwerman pointed out.
“Former Target executives can tell you all about the audits they passed just before being taken out by user error,” Sjouwerman said. “All it takes is one click.”
The Target department store chain, which lost the credit card numbers of 40 million customers at its nearly 1,800 stores nationwide in what has been called the biggest data breach ever, ignored warnings generated by its recently installed alert system.
“Critical Infrastructure Companies Lack Cyberdefenses,” 873 words, published on www.technewsworld.com on July 10, 2014.