IT Security

Threat intelligence sharing

by Mark Rowe

Information technology (IT) executives within critical infrastructure organisations see a need for public-private threat intelligence sharing partnerships (86 per cent of respondents) to keep pace with escalating cybersecurity threats. That is according to a survey by The Aspen Institute and Intel Security.

A majority (76 per cent) of survey respondents also indicated they believe a national defence force should respond when a cyber attack damages a critical infrastructure company within national borders. Additionally, although most respondents agree that threats to their organisations are on the rise, they maintain a high degree of confidence in existing security.

The survey, Holding the Line Against Cyber Threats: Critical Infrastructure Readiness Survey, reveals that the critical infrastructure providers surveyed are pleased with the results of their efforts to improve cybersecurity over the last three years, but at the same time many (72 per cent) said that the threat level of attacks was escalating. Almost half of all respondents (48 per cent) believe it is likely that a cyberattack on critical infrastructure, with the potential to result in the loss of human life, could happen within the next three years.

Clark Kent Ervin, Director, Homeland Security Program, Aspen Institute, said: “This data raises new and vital questions about how public and private interests can best join forces to mitigate and defend against cyberattacks. This issue must be addressed by policymakers and corporate leaders alike.”

Survey results suggest there may be a disconnect between critical infrastructure providers and threats:

· Perceived Improvements: Respondents believe their own vulnerability to cyberattacks has decreased over the last three years. When asked to evaluate their security posture in retrospect, 50 per cent reported that they would have considered their organisations “very or extremely” vulnerable three years ago; by comparison, only 27 per cent believe that their organisations are currently “very or extremely” vulnerable.
· Government Involvement Encouraged: Private industry is often hesitant when it comes to government’s involvement in private sector business; however, 86 per cent of respondents believe that cooperation between the public and private sectors on infrastructure protection is critical to successful cyber defence. Furthermore, 68 per cent of respondents believe their own government can be a valuable and respectful partner in cybersecurity.
· Confidence in Current Solutions: Sixty-four per cent believe an attack resulting in fatalities has not happened yet because good IT security is already in place. Correspondingly, more than four in five are satisfied or extremely satisfied with the performance of their own security tools such as endpoint protection (84 per cent), network firewalls (84 per cent), and secure web gateways (85 per cent).
· Disruptions Increasing: More than 70 per cent of respondents think the cybersecurity threat level in their organisation is escalating. Around nine in ten (89 per cent) respondents experienced at least one attack on a system within their organisation, which they deemed secure, over the past three years, with a median of close to 20 attacks per year. 59 per cent of respondents stated that at least one of these attacks resulted in physical damage.
· Loss of life?: Forty-eight per cent of respondents believe it is likely that a cyberattack that takes down critical infrastructure, with potential loss of life, will occur within the next three years, although there were no additional survey questions to determine the circumstances under which respondents believed the loss of life could occur. More US respondents thought this scenario was “extremely likely” to occur than did their European counterparts.
· User Error still number one issue: Respondents believe user error is the greatest cause of successful attacks on critical infrastructure. Organisations may strengthen their security postures, but individual employees can still fall victim to phishing emails, social engineering and drive-by browser downloads that infect their organisations’ networks.
· Government response: Seventy-six per cent of respondents believe a national defence force should respond when a cyber attack damages a critical infrastructure company within national borders.

Chris Young, Executive Vice President and General Manager of Intel Security, will be speaking at the Aspen Security Forum in Aspen, Colorado.

Methodology

The survey, conducted by Vanson Bourne, interviewed 625 IT decision makers with influence over their organisation’s security solutions in France, Germany, the United Kingdom and the United States (250 interviews in the US and 125 in each of the UK, France and Germany). Respondents were from the private and public sectors (minimum of 500 employees), with focus on the critical infrastructure sectors of energy (139 respondents), transport (130), finance (159) and government (128).


© 2024 Professional Security Magazine. All rights reserved.
