Recently, a research report titled “Intelligence Driven Cyber Defense” was issued by Ponemon Institute (Traverse City, Mich.; www.ponemon.org) with the purpose of determining whether and how organizations were improving their ability to reduce cyber-related risks. The report, which was sponsored by Lockheed Martin (London; www.lockheedmartin.com), presents survey results from 678 U.S. information technology (IT) security practitioners and points out a number of interesting findings.
A growing cross-industry problem
According to the report, 75% of respondents said there had been an increase in the severity of cyber attacks experienced by their organizations, and 68% said there had been an increase in the frequency of these attacks. However, only 33% answered that their organizations were more effective in defending against cyber incidents than a year ago. In fact, 24% said their security posture was less effective, and the largest share (43%) said there had been no change in the past year.
The respondents of the survey represent organizations in the chemical process industries (CPI; 24% were from a combination of energy, oil-and-gas, pharmaceutical and chemical sectors), financial services (21%), the Federal government (18%), healthcare (17%), utilities (16%) and other industries (4%). Cybersecurity is clearly an area of growing concern across industry sectors.
One of the key findings summarized in the report is that the greatest cyber threat is seen as coming from inside an organization. The largest share of respondents (37%) chose “malicious insiders” as being of more concern than potential attacks from criminal (26%) or other sources.
Another interesting finding is that while more respondents cited “user awareness” (25%) and “supply chain” (24%) as potentially having a larger impact on security than risks posed by mobile (20%) and cloud devices (18%), they said that only a small amount of funding was going to those top two areas. A total of 19% of available budget was said to be spent on user awareness and supply chain combined, whereas a disproportionate amount of the budget was allocated to mobile-device and cloud security (combined, 61% of spending).
When asked to rank the most negative consequences of a cyber attack, the survey takers cited the top five as: lost intellectual property; reputation damage; disruption to business; productivity decline; and damage to critical infrastructure.
Overall, insufficient resources or budget was considered the biggest impediment to achieving a stronger cybersecurity defense, which is particularly interesting in light of the fact that respondents felt the available budget was not being allocated to the areas of greatest need. The second largest barrier to better cybersecurity was said to be “insufficient visibility of people and business processes,” and the third was lack of skilled personnel.
Taking the time to understand the potential areas of weakness in the complex cybersecurity arena can help organizations prioritize their resources. For example, one conclusion of this report, as one might expect, is to prioritize focus on the insider threat.
For more on cybersecurity, see Industrial Control Systems Security: The Owner-Operator’s Challenge, on www.chemengonline.com