Survey shows utility and energy firms not taking IT security seriously

Ponemon recently published its report, “State of IT Security: Study of Utilities and Energy Companies,” which set out to gain insight into the mindset of those on the front lines of securing global energy and utility systems. The study, sponsored by Q1 Labs, took in responses from 291 IT security professionals at these companies, with some startling results.

Among the organization’s management, 71% of respondents felt that C-level executives did not appreciate the need or value of IT security, while only 39% felt their organization took necessary measures to prevent advanced persistent threats. A further 77% said that compliance with NERC and other industry regulations was not a priority where they worked.

“One of the scariest points that jumped out at me is that it takes, on average, 22 days to detect insiders making unauthorized changes, showing just how vulnerable organizations are today,” noted Dr. Larry Ponemon, founder and chairman of the Ponemon Institute.

“These results show that energy and utilities organizations are struggling to identify the relevant issues that are plaguing their company from a security perspective. They have to bridge the gap between operations and IT, and make IT security a top priority within the organization.”

And proof of these fears is apparently in the data. According to the survey, 75% of energy companies have experienced a data breach in the last year, with a further 69% of their IT practitioners admitting that a breach is “very likely or likely to occur” in the next 12 months.

Each data breach, said the survey, cost the organization $156,000 on average.

The respondents pegged “malicious insiders” as the primary cause of data breaches, with 43% saying it was the largest threat facing their organization.

“We were really taken aback by some of the results – especially that 71% of respondents believe that C-level executives don’t understand or appreciate security initiatives. This is further demonstrated by the statistic that the physical security budget is about ten times the information security budget,” said Tom Turner, senior VP of marketing at Q1 Labs.

“IT security in these organizations has the challenging task of protecting critical infrastructure against breach,” he added. “Against a backdrop of WikiLeaks, the Nasdaq Hack, the RSA breach, and the energy-specific Stuxnet virus, we have found that customers are crying out” for a solution.
