New global research from Unisys finds alarming gaps in the security of the critical infrastructure organisations. Nearly 70 percent of executives surveyed at companies responsible for power, water and other critical functions globally, and 86 percent of those in Australia and New Zealand, have reported at least one security breach that led to the loss of confidential information or disruption of operations in the past 12 months.
To explore how utility, oil, gas, alternate energy and manufacturing organisations are addressing cyber security threats, Unisys commissioned the Ponemon Institute to survey 599 business and IT decision makers across 13 countries, including 49 from Australia and New Zealand (ANZ).
Only ten percent of ANZ respondents describe their organisation’s IT security program or activities as mature. And those who suffered a data breach in the past year most often attributed these breaches to an internal accident or mistake (50 percent), and negligent insiders (21 percent). Despite these findings, only 6 percent of respondents said they provide cybersecurity training for all employees.
The survey found 67 percent of ANZ respondents anticipated one or more serious attacks in the coming year. Despite this risk, only 18 percent ranked security as one of the top five strategic priorities for their organisations. Yet a majority, 65 percent, named their top business priority as minimising downtime.
“It is surprising that so many utilities organisations have not made security a strategic business priority, given how dependent our economy is on such critical infrastructure,” said Mr John Kendall, security program director, Unisys Asia Pacific. “The increased dependence of critical infrastructure on IT systems, and the interconnectedness of those systems, means that these organisations are increasingly vulnerable to cyber security failures that may result in data breaches or downtime.
“What’s more, failure in one area of infrastructure can create outages in others – in a domino effect. In this region, we know the flow-on impact of outages caused by natural disasters like floods, bushfires and earthquakes. It is therefore essential to prevent further outages and breaches caused by cyber security failures. We hope the survey results serve as a wake-up call to critical infrastructure providers to take a much more proactive, holistic approach to securing their IT systems,” said Mr Kendall.
Almost half (48 percent) of ANZ critical infrastructure providers surveyed said they had suffered security incidents due to the use of insecure networks, and one in three (33 percent) were caused by unmanaged mobile devices and employee use of social networks.
ANZ respondents cited negligent insiders (47 percent), denial of service attacks (41 percent) and system glitches (39 percent) as their top security threats. They also rated the technologies most effective to foster security objectives to be encryption of data in motion, automated code review and debuggers and data loss prevention systems.
The survey also highlighted concerns regarding the security of industrial control systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems, which monitor and control the processes and operations for power generation and other critical infrastructure functions. When asked about the likelihood of an attack on their organisations’ ICS or SCADA systems, 79 percent of the ANZ senior security officials responded that a successful attack is at least somewhat likely within the next 24 months. Just 4 percent of ANZ respondents (compared to 21 percent globally) thought that the risk level to ICS and SCADA has substantially decreased because of regulations and industry-based security standards, which means that tighter controls and better adoption of standards are needed.
The full report can be viewed here