Despite the increasing number of major cyber attacks targeting critical infrastructure, technology and security professionals remain confident in their cyber defenses, revealing a disconnect between these executives and the reality of the current threat landscape, according to a recent report by Intel Security and the Aspen Homeland Security Program.
The Holding the Line Against Cyber Threats: Critical Infrastructure Readiness Survey, which was conducted by market research firm Vanson Bourne, interviewed 625 IT decision makers who have a hand in their organization’s security structure, including 250 from the United States and 125 each from France, Germany and the United Kingdom.
Respondents included individuals from both the public and private sectors, and representatives from organizations concentrating on energy, finance, government and transportation.
“Critical infrastructure organizations are under constant cyber attack, yet no publicly apparent, massive outage has occurred so far,” the report stated. Yet, “Energy producers, financial services, transportation companies, telecommunications companies and governments are all potential targets.”
According to the survey report, security executives’ confidence in their organization’s cybersecurity posture is rising as threats are escalating. Surprisingly, however, respondents did not make a connection between threat escalation and their own organization’s vulnerability.
The report revealed 75 percent of respondents are either confident or extremely confident in their organization’s cyber attack identification protocol, while 68 percent are confident in mitigation techniques and 65 percent are confident in deflection standards.
Respondents believe their own vulnerability to cyber attacks has decreased over the last three years, with only 27 percent feeling very or extremely vulnerable — compared to 50 percent three years ago.
“According to respondents, attack volume is increasing, security breaches are becoming a frequent occurrence and the rate of code vulnerabilities shows no signs of abating,” the report stated. “Yet, respondents across all countries and sectors in the survey believe their own vulnerability to cyber attack has declined.”
This overconfidence raises serious concerns, authorities said. Although many leaders believe proper cyber preparedness elements are in place, the sheer volume of actual threats targeting these organizations shows this confidence may be unfounded, which may be opening these organizations up to serious security incidents.
In many instances, serious breaches are spurred by simple mistakes. Demonstrating that no threat, no matter how small, should be overlooked, the report revealed, “Analysis of security incidents at a variety of organizations shows that many of them were breached due to basic security failures in the face of a determined and persistent attacker.”
Despite high confidence in their own defenses, US and French respondents in particular rate a serious cyber attack affecting critical services and causing loss of life as highly likely within the next three years. Respondents from the transportation and energy sectors were more likely than their counterparts in other sectors to deem the possibility of such an attack “likely or highly likely.”
However, 64 percent of respondents believe an attack resulting in fatalities has not happened yet because good IT security is already in place.
Respondents maintained that human error remains the number one cause of successful cyber intrusions. No matter what organizations do to strengthen their security postures, individual employees can still fall victim to phishing emails, social engineering and drive-by browser downloads that successfully infect their organizations’ networks.
Interestingly, few executives believe that the proliferation of personal devices at work is a prime cause of cyber attacks, despite the priority assigned to bring-your-own-device (BYOD) issues by cybersecurity companies.
In addition, increasing cooperation between the government and private sector is another important measure which can lead to better preparedness, with 86 percent of respondents indicating such teamwork is vital to a successful cybersecurity plan.
“While the security industry works on next-generation solutions and governments work on sensible legislation, there’s still more progress that needs to be made,” the report stated. “Adversaries are innovating at a rapid pace, and countering their progress will take much closer cooperation between government and industry. Organizations and government agencies operating in silos do not help the cybersecurity landscape grow more secure.”
Government and the private sector can join together to take positive steps toward change. Investments in technology to grow functionality and education are critical in addressing cybersecurity concerns.
“This data raises new and vital questions about how public and private interests can best join forces to mitigate and defend against cyber attacks,” said Clark Kent Ervin, director of the Aspen Institute’s Homeland Security Program and former DHS Inspector General. “This issue must be addressed by policymakers and corporate leaders alike.”
To enhance security architecture, the report suggests enhancements to next-generation cyber defense technology, as well as improvements to security management tools, especially cooperation with and sharing of vital security data.
“Collaborating with any and all available resources is key to improving the future of security,” the report stated. “Reducing critical infrastructure risk is a global strategic challenge, requiring much broader sharing of IT strategies and targeted threat intelligence.”