Communications industry sees itself as less prepared for cyber attacks

Executives at energy companies see themselves as being the most prepared for cyber attacks, according to the survey of 1580 companies in critical infrastructure industries in 15 countries conducted by Applied Research for Symantec. Other industries surveyed were banking and finance, IT, healthcare, and emergency services.

Mark Bregman, chief technology officer of Symantec, told Infosecurity that the communication industry’s response could be the result of the perception that they are at the front line of the cyber wars.

“My sense is that the guys in the communication sector feel that not only are they under attack themselves but any attack on anyone else goes through them. They feel like they are doubly under attack and therefore probably feel less prepared”, he said.

The survey also found that 53% of officials from critical infrastructure firms believe that their networks have suffered politically motivated cyber attacks an average of 10 times in the past five years.

Symantec defined a politically motivated cyber attack as “an attack that originates from a group or entity that is trying to achieve political objectives through a cyber attack”, Bregman said. These cyber attacks are intended to “cripple the facility”, he added.

“We don’t know the real motivation of an attack. But what we mean by [politically motivated attacks] are attacks that are not just hackers or criminals trying to steal money, but sophisticated, multidimensional attacks going after critical things in the enterprise…. This could involve stealing intellectual property to give advantage to industry in a country; it could be getting more information about infrastructure controlled by the company for future use”, Bregman said.

In addition, critical infrastructure companies estimated that they have incurred an average cost of $850 000 as a result of politically motivated cyber attacks over the five-year period. Losses are as high as $1.7 million for larger companies.

According to the survey, 80% of those polled believe that the frequency of politically motivated cyber attacks is increasing, and 48% expect cyber attacks in the next year.

A full 90% of the companies surveyed said they are working with their government’s critical infrastructure protection (CIP) program, with 56% saying they are significantly or completely engaged. In addition, two-thirds of respondents have positive attitudes about CIP programs and are willing to cooperate with the government.

These results surprised Bregman. “Perhaps because I’m in Silicon Valley, which is not close to Washington, we have a lot more libertarian companies out here. I was surprised to see how many companies were involved in and interested in being involved in government programs.”

Only one-third of companies felt that they are “extremely prepared” against cyber attacks, and 31% felt less than “somewhat prepared”. Small companies reported that they feel the least prepared. Helping small companies with their cybersecurity efforts is a role that the government and industry associations should fill, Bregman said.

The most important thing that companies can do to improve their cybersecurity, according to Bregman, is to develop an information management strategy. He estimated that only between 1% and 10% of information housed by enterprises is critical information.

“Without having a strategy for how to manage that information and without understanding what information you have and classifying it, it becomes an insurmountable problem to protect everything. So the starting point needs to be an information strategy”, he said.
