- 7 October 2010 11:27
Half of Critical Infrastructure Providers Have Experienced Perceived Politically Motivated Cyber Attacks
SYDNEY, Australia – 7 October, 2010 – Symantec Corp. (Nasdaq: SYMC) today released the findings of its 2010 Critical Information Infrastructure Protection (CIP) Survey, which highlights that 53 per cent of critical infrastructure providers report that their networks have experienced what they perceived as politically motivated cyber attacks. Participants claimed to have experienced such an attack on an average of 10 times in the past five years, incurring an average cost of $850,000 to their businesses. Survey participants from the energy industry reported that they were best prepared for such an attack, while participants from the communications industry reported that they were the least prepared. Critical infrastructure providers represent industries that are of such importance either to a nation’s economy or society that if their cyber networks were successfully attacked and damaged, the result would threaten national security.
“Critical infrastructure protection is not just a government issue. In countries where the majority of a nation’s critical infrastructure is owned by private corporations -- in addition to large enterprises -- there is also the significant presence of small and medium-sized businesses,” said Justin Somaini, chief information security officer at Symantec Corp. “Security alone is not enough for critical infrastructure providers of all sizes to withstand today’s cyber attacks. The Stuxnet worm that is targeting energy companies around the world represents the advanced kind of threats that require security, storage, and back-up solutions, along with authentication and access control processes to be in place for true network resiliency.”
* Critical infrastructure providers are being attacked. Fifty-three per cent of companies suspected they had experienced an attack waged with a specific political goal in mind. Of those hit, the typical company reported being attacked 10 times in the past five years. Forty-eight per cent expect attacks in the next year and 80 per cent believe the frequency of such attacks is increasing.
* Attacks are effective and costly. Respondents estimated that three in five attacks were somewhat to extremely effective. The average cost of these attacks was $850,000 over five years.
* Industry is willing to partner with government on CIP. Nearly all of the companies (90 per cent globally, 93 per cent in Australia) said they have engaged with their government’s CIP program, with 56 per cent (60 per cent in Australia) being significantly or completely engaged. In addition, two-thirds (69 per cent in Australia) have positive attitudes about programs and are somewhat to completely willing to cooperate with their government on CIP.
* Room for readiness improvement. Only one-third (27-33 per cent in Australia) of critical infrastructure providers feel extremely prepared against all types of attacks and 31 per cent (31-33 per cent in Australia) felt less than somewhat prepared. Respondents cited security training, awareness and comprehension of threats by executive management, endpoint security measures, security response, and security audits as the safeguards that needed the most improvement. Finally, small companies reported being the most unprepared.
Recommendations to ensure resiliency against critical infrastructure cyber attacks:
* Develop and enforce IT policies and automate compliance processes. By prioritising risks and defining policies that span across all locations, organisations can enforce policies through built-in automation and workflow and not only identify threats but remediate incidents as they occur or anticipate them before they happen.
* Protect information proactively by taking an information-centric approach. Taking a content-aware approach to protecting information is key in knowing who owns the information, where sensitive information resides, who has access, and how to protect it as it is coming in or leaving your organisation. Utilise encryption to secure sensitive information and prohibit access by unauthorised individuals.
* Authenticate identities by leveraging solutions that allow businesses to ensure only authorised personnel have access to systems. Authentication also enables organisations to protect public facing assets by ensuring the true identity of a device, system, or application is authentic. This prevents individuals from accidentally disclosing credentials to an attack site and from attaching unauthorised devices to the infrastructure.
* Manage systems by implementing secure operating environments, distributing and enforcing patch levels, automating processes to streamline efficiency, and monitoring and reporting on system status.
* Protect the infrastructure by securing endpoints, messaging and Web environments. In addition, defending critical internal servers and implementing the ability to back up and recover data should be priorities. Organisations also need the visibility and security intelligence to respond to threats rapidly.
* Ensure 24x7 availability. Organisations should implement testing methods that are non-disruptive, and they can reduce complexity by automating failover. Virtual environments should be treated the same as physical environments, showing the need for organisations to adopt more cross-platform and cross-environment tools, or standardise on fewer platforms.
* Develop an information management strategy that includes information retention plans and policies. Organisations need to stop using backup for archiving and legal holds, implement deduplication everywhere to free resources, use a full-featured archive system and deploy data loss prevention technologies.
Recommendations for governments to promote critical infrastructure protection:
* Governments should continue to make resources available to establish critical infrastructure protection programs.
o The majority of critical infrastructure providers confirm that they are aware of critical infrastructure programs.
o Furthermore, a majority of critical infrastructure providers support efforts by the government to develop protection programs.
* Governments should partner with industry associations to develop and disseminate information to raise awareness of CIP organisations and plans. Specific information should include how a response would work in the face of a national cyber attack, what the roles of government and industry would be, who the specific contacts are for various industries at a regional and national level, and how government and private business would share information in the event of an emergency.
* Governments should emphasise that security alone is not enough to stay resilient in the face of today’s cyber attacks. In addition, critical infrastructure providers and enterprises in general should also ensure that their information is stored, backed up, organised, prioritised, and that proper identity and access control processes are in place.
The survey was conducted in August 2010 and is based on 1,580 responses from 15 countries (150 Australian companies) and six industries categorised as critical infrastructure providers.
Symantec is a global leader in providing security, storage and systems management solutions to help consumers and organisations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored. More information is available at www.symantec.com.
NOTE TO EDITORS: If you would like additional information on Symantec Corporation and its products, please visit the Symantec News Room at http://www.symantec.com/news. All prices noted are in U.S. dollars and are valid only in the United States.
Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.