Critical infrastructure firms woefully short on cybersecurity spending

02 February 2012

US critical infrastructure companies would need to spend nearly nine times more on cybersecurity to be able to stop almost all cyberattacks against them, according to a new report by Bloomberg Government and the Ponemon Institute.

The 172 US critical infrastructure organizations surveyed in the study said that they currently spend $5.3 billion on cybersecurity. They estimated that they would have to spend $46.6 billion over the next 12 to 18 months to reach a level of security where they could stop 95% of cyberattacks.

To reach a more attainable level, that is, being able to stop 84% of cyberattacks, the companies estimated that they would have to double spending over the next 12 to 18 months.

The companies estimated that they are currently able to detect between 86% and 89% of cyberattacks, and able to prevent between 67% and 76% of those attacks.

“The consequences of a successful attack against critical infrastructure make these cost increases look like chump change. It would put people into the Dark Ages”, commented Larry Ponemon, chairman of the Ponemon Institute.

Ponemon surveyed IT security managers at 124 companies in six industries and 48 public sector organizations for the report. The six industries were agriculture and food services, communications, energy, financial services, health care, and transportation.

“In order to reach a substantially more secure level, there might be other models that industry will have to pursue”, commented Afzal Bari, financial analyst with Bloomberg Government’s Technology & Telecommunications Group.

“Right now cybersecurity spending is not getting the results that are optimal”, he told Infosecurity.

Bari was asked whether the government would need to step in and make up the funding gap to significantly improve cybersecurity of critical infrastructure. He said that the report did not take a position on this issue, but he noted that industry expressed concern that customers would not be willing to absorb the increased costs for greater cybersecurity.

At the same time, the respondents said that an increase in spending during the next 12 to 18 months would allow them to cut in half the percentage of false alarms, saving money and improving security by focusing more resources on legitimate attacks.

The companies said they spend the largest share of their cybersecurity budgets on governance and control activities, which include employee security training and awareness, regulatory compliance, and reviewing network access logs.

Annual cybersecurity spending varied among industries, ranging from $16 million per company in the agriculture and food services industry to $67 million per company in the communications industry.
