Industrial Businesses Know They Need More Cybersecurity; Don't Do Much About It
According to a recent survey by independent research organization Ponemon Institute and Unisys, industrial cybersecurity is a lot like diet and exercise. Most of us know we should do a lot more of it than we do—but we don't.
The study, "Critical Infrastructure: Security Preparedness and Maturity," found big security gaps in the world's critical infrastructure organizations that could impact their ability to prevent devastating attacks intended to disrupt power generation and other critical functions. The study surveyed 599 global IT and IT security executives at utility, oil and gas, alternate energy and manufacturing organizations in 13 countries from April to May 2014. These industries have become high-risk targets for cybersecurity incidents.
So what are companies waiting for?
Reasons cover everything from lack of knowledge about threat severity to worry about the cost-effectiveness of remedial efforts and the effect they might have on uptime. A full one-third of those surveyed reported they were unaware of the potential vulnerabilities in their ICS/SCADA environment, and another 19% said they were unsure about the degree of threat.
The perception that much of their corporate network is out of the control of those responsible for security is another factor. Sixty-eight percent said that up to a quarter of their network components, including third-party endpoints such as smartphones and home computers, are outside the direct control of their organization's security operations. Another 30% estimated that between one-quarter and three-quarters of their networks are out of their control.
Finally, there's that "is-it-worth-it" factor. When asked whether they were confident they could upgrade legacy systems to improve security while maintaining operational functionality and cost-effectiveness, more than half said they were not very confident or unsure.
The complete report is available at www.unisys.com.