Thales has released its 2024 Critical Infrastructure report this week with its findings indicating critical infrastructure organisations are not only increasingly victims of ransomware attacks, but planning for such attacks remains poor.
The report was released ahead of Australia’s Security of Critical Infrastructure Act (SOCI) coming into effect on August 17, 2024, forcing a wide range of organisations from critical industries to comply with stricter security and risk management processes.
Findings from the Thales research show that critical infrastructure (CI) organisations are not only victims of ransomware attacks (24% reported having experienced an attack in the past 12 months), but planning is still poor, with only 15% saying they would follow a formal plan in the event of an attack. This comes as human error is the leading cause of cloud-based data breaches, and external identity being identified as an emerging security concern, while achieving security consistency across workforce and non-workforce identities is one of the top challenges.
Further, a significant portion of critical infrastructure organisations are experimenting with AI and planning to integrate AI into their core products and services in the next 12 months, which raises more security concerns.
Key findings from the report include:
-
The proportion of critical infrastructure organisations that have ever experienced breaches remains high, with 42% of critical infrastructure organisations having experienced a breach in the past;
-
Encouragingly, recent critical infrastructure breach history (in the last 12 months) decreased from 22% in 2021 to 15% in 2024;
-
Worryingly though, ransomware attacks against critical infrastructure organisations continue growing, with 24% reporting that they have experienced an attack, a 4 points increase since the previous DTR Critical Infrastructure Edition report in 2022;
-
Planning is still poor, with only about 15% of critical infrastructure respondents saying they would follow a formal plan in the event of an attack;
-
Among critical infrastructure organisations, human error was the leading cause of cloud-based data breaches at 34%;
-
Failure to apply multifactor authentication to privileged accounts was another major cause, at 20%, 6 points higher than all respondents;
-
Critical infrastructure organisations continue to struggle with human error and multifactor authentication failures at rates higher than the overall population;
-
On average, one-sixth (16%) of all external critical infrastructure organisational access comes from customers;
-
Among survey respondents who cited external identity as an emerging security concern, achieving security consistency across workforce and non-workforce identities is one of the top challenges, cited by 61% of critical infrastructure respondents;
-
Among respondents who cited cloud/DevSecOps security as an emerging security concern, the greatest proportion cited secrets management (56%) as a top DevOps challenge, followed by workforce IAM issues such as privileged user management (53%);
-
Operational complexity remains a security concern, with 57% of critical infrastructure respondents reporting they use five or more key management systems, up slightly from 2022 (55%), while the percentage of critical infrastructure enterprises saying they have 50 or more SaaS apps in use showed a smaller uptick, from 33% in 2022 to 34% this year. These results show a stabilisation of hybrid IT complexity, but more simplification is needed;
-
Regarding threats from quantum computing, future compromise of classical encryption techniques, enabling harvest now, decrypt late attacks, is leading interest in post-quantum cryptography (69%). Among critical infrastructure respondents who identified post-quantum cryptography as an emerging security threat, 49% indicated they would likely create resilience contingency plans, and 48% said they would prototype or evaluate PQC algorithms in the next 18-24 months; and
-
The AI boom is underway: 26% of critical infrastructure respondent organisations plan to integrate AI into their core products and services in the next 12 months, and 29% are experimenting with AI. Despite their inherent criticality to the worldwide economy, critical infrastructure enterprises are embracing innovations in AI. Yet managing the associated fast-changing environmental risks is their greatest concern: 69% of critical infrastructure respondents said that ecosystem and operational alterations are their greatest, most concerning risks.
You can read the full report here.