A new report indicates that while energy and utilities organisations across the globe have modernised their operations, their security approach has not kept up pace with cyber threats.
For the 12th annual edition of the ‘CyberArk Global Advanced Threat Landscape Report’ earlier this year Vanson Bourne surveyed 1,000 IT security decision-makers and C-level executives across seven countries worldwide: the US, UK, France, Germany, Israel, Singapore and Australia.
The survey indicates that over half (53 per cent) of those surveyed have suffered a business impact from an attack in the previous three years.
45 per cent of energy/utilities organisations believe they cannot prevent attackers from breaking into their internal networks each time it is attempted.
This view is shared by attackers: A 2018 survey by Nuix found that 71 per cent of attackers believed that they could breach the perimeter of a target within 10 hours.
In terms of perceived threat actors, hackers ranked first, with 78 per cent of respondents stating they were among their top three greatest threats to critical assets.
Organised crime (46 per cent) and hacktivists (46 per cent) also ranked highly – while attempted attacks from actual market competitors (34 per cent) was a surprise threat concern this year.
External attacks such as phishing were named as the top security risk to energy/utilities organisations, cited by 60 per cent.
This was followed by ransomware / malware-based attacks (59 per cent), shadow IT practices (45 per cent), insider threats (41 per cent), management of cloud (41 per cent) and unmanaged privileged access (34 per cent).
Security barriers to digital transformation and the privilege priority
The survey finds that as energy/utilities organisations increase investments in automation and agility, a general lack of awareness about the existence of privileged credentials – across DevOps, robotic process automation (RPA) and in the cloud – is compounding risk.
Preventing this lateral movement is a key reason why organisations are mapping security investments against key mitigation points along the cyber kill chain, with 28 per cent of total planned security spend in the next two years expected to focus on stopping privilege escalation and lateral movement.
While survey respondents view privileged access security as a core component of an effective cybersecurity program, this understanding has not yet translated to action for protecting foundational digital transformation technologies.
84 per cent state that IT infrastructure and critical data are not fully protected unless privileged accounts, credentials and secrets are secured.
Despite this, only 49 per cent have a privileged access security strategy in place for protecting business-critical applications and cloud infrastructure respectively, with even fewer having a strategy for DevOps (35 per cent) or Internet of Things (32 per cent).
Additionally, only 21 per cent understood that privileged accounts, credentials and secrets exist in containers, 24 per cent understood that they exist in source code repositories and 30 per cent understood that they are present in privileged applications and processes such as RPA.
“Organisations are showing increasing understanding of the importance of mitigation along the cyber kill chain and why preventing credential creep and lateral movement is critical to security,” said Adam Bosnian, executive vice president, global business development, CyberArk.
“But this awareness must extend to consistently implementing proactive cybersecurity strategies across all modern infrastructure and applications, specifically reducing privilege-related risk in order to recognise tangible business value from digital transformation initiatives.”
Compliance resistance and reactive mindsets persist
Despite the shift toward more risk-aware security investment and practices, persisting levels of cybersecurity inertia and reactive mindsets continue to put sensitive data, infrastructure and assets at risk.
41 per cent of respondents state that their organisation would prefer to pay a fine for losing data after a successful cyber-attack rather than change their security policy.
The survey also examines the impact of major regulations around the world, with one of them being Australia’s Data Breach Notification Law.
62 per cent of Australian respondents reported that they were completely prepared to comply with the entirety of the statute, which came into force in February 2019.
The full ‘CyberArk Global Advanced Threat Landscape 2019 Report’ can be found online here.