July 20, 2015 by Canadian Underwriter
Information technology (IT) executives within critical infrastructure organizations see a need for public-private threat intelligence sharing partnerships to keep pace with escalating cybersecurity threats, according to a survey released on Monday by The Aspen Institute and Intel Security.
The survey involved “625 IT decision makers with influence over their organization’s security solutions” in France, Germany, the United Kingdom and the United States (250 interviews in the U.S. and 125 in each of the U.K., France and Germany). A majority of respondents (86%) wanted more public-private cooperation and three-quarters (76%) of survey respondents also indicated they believe a national defence force should respond when a cyberattack damages a critical infrastructure company within national borders.
Additionally, although most respondents agreed that threats to their organizations are on the rise, they maintain a high degree of confidence in existing security.
The survey, Holding the Line Against Cyber Threats: Critical Infrastructure Readiness Survey, revealed that the critical infrastructure providers surveyed are pleased with the results of their efforts to improve cybersecurity over the last three years, but at the same time many (72%) said that the threat level of attacks was escalating. Almost half of all respondents (48%) believe it is likely that a cyberattack on critical infrastructure, with the potential to result in the loss of human life, could happen within the next three years.
“This data raises new and vital questions about how public and private interests can best join forces to mitigate and defend against cyberattacks,” Clark Kent Ervin, director, Homeland Security Program, Aspen Institute, said in a statement. “This issue must be addressed by policymakers and corporate leaders alike.”
Survey results did suggest there may be a disconnect between critical infrastructure providers and the current threat landscape:
• Perceived Improvements: Respondents believe their own vulnerability to cyberattacks has decreased over the last three years. When asked to evaluate their security posture in retrospect, 50% reported that they would have considered their organizations “very or extremely” vulnerable three years ago; by comparison, only 27% believe that their organizations are currently “very or extremely” vulnerable;
• Confidence in Current Solutions: Sixty-four percent believe an attack resulting in fatalities has not happened yet because good IT security is already in place. Correspondingly, more than four in five are satisfied or extremely satisfied with the performance of their own security tools such as endpoint protection (84%), network firewalls (84%), and secure web gateways (85%);
• Disruptions Increasing: More than 70% of respondents think the cybersecurity threat level in their organization is escalating. Around nine in ten (89%) respondents experienced at least one attack on a system within their organization, which they deemed secure, over the past three years, with a median of close to 20 attacks per year. Fifty-nine percent of respondents stated that at least one of these attacks resulted in physical damage;
• User Error Still #1 Issue: Respondents believe user error is the greatest cause of successful attacks on critical infrastructure. Organizations may strengthen their security postures, but individual employees can still fall victim to phishing emails, social engineering and drive-by browser downloads that successfully infect their organizations’ networks; and
• Different Country Perspectives: U.S. respondents consider a catastrophic cyberattack on critical infrastructure that could result in loss of life more likely than do their European counterparts. While 18% of U.S. sources consider this scenario “extremely likely” to occur in the next three years, only 2% in Germany and 3% in the U.K. think it extremely likely.
The Aspen Institute is an educational and policy studies organization based in Washington, D.C. McAfee is now part of Intel Security, which is focused on developing proactive, proven security solutions and services that protect systems, networks and mobile devices for business and personal use around the world.