Executives and data security seem to follow a recurring theme: either security is not high on the agenda, or executives believe it is already in good standing. A recent Tripwire study of the energy sector, conducted by Dimensional Research, revealed this same overconfidence, which is pretty scary when you look at what else the study reveals about the energy sector and cyberattacks.

  • 43% of energy executives are confident that their organization detects all cyberattacks compared to 17% of nonexecutives.

This shows that energy executives are twice as likely to believe their organization can detect every cyberattack compared to nonexecutives.  The problem with this level of confidence is the fact that the study also revealed the following:

  • In the last 12 months, 78% of the respondents, IT pros, said they experienced a cyberattack from an external source, and 30% have seen an attack from an inside employee.
  • 44% of the respondents indicated they have not gathered enough information to identify the sources of cyberattacks on their organizations.
  • 22% admitted their organizations do not have business processes to identify sensitive and confidential information.
  • More than 80% believe an attack will harm physical infrastructure this year.
  • 44% of those surveyed reported an increase between 50-100% in the rate of successful cyberattacks, while 21% said they increased between 20-50% and 19% reported an increase of between 10-20%.

These numbers show that organizations are detecting cyberattacks, yet more than 80% of the IT pros surveyed believe they will experience an attack that causes damage. That implies they either don’t feel their organization has a strong enough security posture in place or expect that something will prevent them from stopping a cyberattack that puts the organization at risk.

It could be that IT pros, working in the trenches, recognize the tendency to shift from threat detection to threat prevention, which means fewer eyes on detecting attacks and leaves room for a cyberattack to go undetected. Energy executives, meanwhile, are confident because they’re seeing the success their team has in detecting cyberattacks.

Also, the increase in attacks, unique to the energy sector, raises concerns if executives think their security program is good as is, because this would imply executives don’t believe they need to do more when it comes to cybersecurity. Additionally, the fact that some of these organizations do not have business processes in place to identify sensitive and confidential information makes executives’ skewed view of how effective their cyberattack security is even more dangerous.

 

As organizations try their best to catch up to hackers and protect sensitive data and the overall infrastructure, the CIO must find ways to help executives understand cybersecurity in its entirety.  This means making them aware of the need to approach risk management holistically and bringing in extra help if needed.

 

Allowing executives to have a false sense of security doesn’t benefit anybody, especially not organizations in the energy sector. A CIO risks his/her job, but a successful cyberattack on a power plant puts more than just a job and the organization at risk. Knowing when to ask for help is the first step, helping those in charge see the value of taking action to get help is the second step, and from there the organization can move towards maintaining a truly effective security program.

 

What are you doing to ensure your organization has a security program in place that prevents a major catastrophe from taking place?

 
