- 14 November 2011 10:19
Symantec Survey Finds Global Critical Infrastructure Providers Less Aware and Engaged in Government Programs
Compared to 2010, companies surveyed this year show a CIP Participation Index of 82 per cent (73 per cent in Australia) in government protection programs, down 18 points from last year globally. Critical infrastructure providers come from industries that are of such importance that if their cyber networks were successfully attacked and disabled, it would result in an actual threat to national security.
“The findings of this survey are somewhat alarming, given recent attacks like Nitro and Duqu that have targeted critical infrastructure providers,” said Dean Turner, director, Global Intelligence Network for Symantec.
“Having said that, limitations on manpower and resources as mentioned by respondents help explain why critical infrastructure providers have had to prioritise and focus their efforts on more day-to-day cyber threats. However, we think that targeted attacks against critical infrastructure providers in the form of Stuxnet, Nitro and Duqu will continue. Businesses and governments around the world should be very aggressive in their efforts to promote and coordinate protection of critical industry cyber networks. These latest attacks are likely just the beginning of more targeted attacks directed at critical infrastructure.”
• Lower awareness and engagement in government CIP programs. This year, companies are generally less aware of their government’s CIP programs. Thirty-six per cent (thirty per cent in Australia) of respondents were somewhat or completely aware of the government critical infrastructure plans being discussed in their country compared to 55 per cent last year (66 per cent in Australia). In 2011, 37 per cent of companies (28 per cent in Australia) are completely or significantly engaged, versus 56 per cent in 2010 (60 per cent in Australia)
• Slightly more ambivalence about government CIP programs. The survey also revealed that companies are more ambivalent in 2011 than they were in 2010 about government CIP programs. For example, when asked to voice their opinion about government CIP programs, 42 per cent globally and locally had no opinion or were neutral. Also, companies are now slightly less willing to cooperate with CIP programs than they were one year ago (57 per cent versus 66 per cent globally and 56 per cent versus 72 per cent in Australia)
• Global Organisations feel less prepared. It is not surprising that as an organisation’s assessment of the threat drops, their readiness drops as well. Overall readiness on a global scale fell an average of eight points (from 60 to 63 per cent in 2011 compared with 68 to 70 per cent in 2010)
Recommendations to ensure resiliency against critical infrastructure cyber attacks:
• Develop and enforce IT policies and automate compliance processes. By prioritising risks and defining policies that span across all locations, organisations can enforce policies through built-in automation and workflow and not only identify threats but remediate incidents as they occur or anticipate them before they happen
• Protect information proactively by taking an information-centric approach to protect both information and interactions. Taking a content-aware approach to protecting information is key in knowing who owns the information, where sensitive information resides, who has access, and how it is coming in or leaving your organisation
• Manage systems by implementing secure operating environments, distributing and enforcing patch levels, automating processes to streamline efficiency, and monitoring and reporting on system status
• Protect the infrastructure by securing endpoints, messaging and Web environments. In addition, defending critical internal servers and implementing the ability to back up and recover data should be priorities. Organisations also need the visibility and security intelligence to respond to threats rapidly
• Ensure 24x7 availability. Organisations should implement testing methods that are non-disruptive and they can reduce complexity by automating failover. Virtual environments should be treated the same as physical environments, showing the need for organisations to adopt more cross-platform and cross-environment tools, or standardise on fewer platforms
• Develop an information management strategy that includes an information retention plan and policies. Organisations need to stop using backup for archiving and legal holds, implement deduplication everywhere to free resources, use a full-featured archive system and deploy data loss prevention technologies
Recommendations for governments to promote critical infrastructure protection:
• Governments should continue to put forth the resources to establish government critical infrastructure programs: o The majority of critical infrastructure providers confirm that they are aware of government critical infrastructure programs o Furthermore, a majority of critical infrastructure providers support efforts by the government to develop protection programs
• Governments should partner with industry associations and private enterprise groups to disseminate information to raise awareness of government CIP organisations and plans, with specifics about how a response would work in the face of a national cyber attack, what the roles of government would be, who the specific contacts are for various industries at a regional and national level, and how government and private business would share information in the event of an emergency
• Governments should emphasise that security is not enough to stay resilient in the face of today’s cyber attacks. Governments should also emphasise to critical infrastructure providers and enterprises that their information is stored, backed up, organised, prioritised, and that proper identity and access control processes are in place Symantec’s Critical Infrastructure Protection Survey Symantec’s Critical Infrastructure Protection Survey is the result of research conducted in August and September 2011 by Applied Research, which surveyed C-level, IT professionals in SMBs and enterprises in 14 industries specifically designated as critical infrastructure industries. The report was designed to examine awareness, engagement, and readiness with regards to government CIP programs. The survey included 3,475 organisations from 37 countries in North America, EMEA (Europe, Middle East and Africa), Asia Pacific, and Latin America.
About the CIP Participation Index The CIP Participation Index combines a blend of questions that gauge how engaged organisations are with their government’s CIP programs. It is normalised to 2010, our base model year. By convention, the 2010 CIP Participation Index is 100 per cent.
Resources • 2011 Critical Infrastructure Protection (CIP) Survey Report (PDF) • Infographic: Critical Infrastructure Protection • SlideShare: Symantec 2011 CIP Survey Global Results • The Nitro Attacks: Stealing Secrets From the Chemical Industry
Connect with Symantec • Follow Symantec on Twitter • Join Symantec on Facebook • Subscribe to Symantec News RSS Feed • Subscribe to Symantec’s SlideShare Channel • Visit Symantec Connect Business Community
About Symantec Symantec is a global leader in providing security, storage and systems management solutions to help consumers and organisations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored. More information is available at www.symantec.com.
NOTE TO EDITORS: If you would like additional information on Symantec Corporation and its products, please visit the Symantec News Room at http://www.symantec.com/news. All prices noted are in U.S. dollars and are valid only in the United States. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
Forward-looking Statements: Any forward-looking indication of plans for products is preliminary and all future release dates are tentative and are subject to change. Any future release of the product or planned modifications to product capability, functionality, or feature are subject to ongoing evaluation by Symantec, and may or may not be implemented and should not be considered firm commitments by Symantec and should not be relied upon in making purchasing decisions.
For more information please contact: Jasmin Athwal Max Australia M: 0414 967 088 P: +61 2 9954 3492 firstname.lastname@example.org