Sunday, 26 February 2012

ANALYSIS: Under cyber attack.

Research suggests growing unpreparedness from companies in the face of more threats

Cyber attack is a real and threatening enemy, and many companies in the power, oil, gas, and water industries are totally unprepared for it.

This is the harsh but realistic assessment provided in two reports in the last two years prepared by internet virus software specialist McAfee in conjunction with the Washington, DC-based Center for Strategic and International Studies (CSIS).

And what is particularly concerning is that despite some companies increasing their adoption of cyber protection measures, for most, cyber security remained rudimentary.

For instance, 44% of those surveyed reported only using username and password authentication for on-site network access. By contrast, less than one in five respondents used only tokens, while 3% only relied on biometric measures.

Offsite access was only slightly more restricted: 26% of respondents used only passwords, while about one-fifth only relied on tokens and a tiny 3% only used biometric authentication. Just 10% reported that off-site network access was entirely prohibited.

More sophisticated - and effective - security measures, such as tools to monitor network activity or to detect role anomalies, were adopted by a distinct minority (25% and 36%, respectively) of the respondents.

China had the highest security adoption rate overall, at 59%, followed by Italy and Japan at 55% and 54% respectively. In contrast, Brazil, France, and Mexico had the lowest security adoption rates, close to half the rate shown by the leaders. The UK was among countries that were grouped closely together around the median of 43% despite the threat of attacks increasing.

A key problem, according to the latest report's authors, is that most governments are continuing to play an ambiguous role in cyber security, sometimes helping the private sector, sometimes ignoring it.

Perhaps surprisingly, China's government appears to play an aggressive role in demanding security from its critical infrastructure. Chinese executives who responded to the 2011 survey reported high levels of both formal and informal interaction with their government on security topics.

At the other end of the spectrum was the UK, along with Spain and the US, with more than a third of all respondents reporting no contact with government on cyber security. Most of the remainder said they only had informal exchanges on the topic. A similar pattern emerged when IT executives were asked whether their security plans were audited by government. Every one of the Japanese respondents reported undergoing such audits; in China seven out of 10 confirmed they took place.

In contrast, the lowest audit rates occurred in the UK, Spain and the US, which all scored below 20%.

Over half (57%) of the respondents to the latest McAfee/CSIS survey said they had launched special security audits because of concerns about the Stuxnet virus. Around 40% said they had found Stuxnet on their systems.

Stuxnet, say the reports' authors, was an extraordinary advance in sophistication over other kinds of malware. They cite it as a concrete demonstration that governments will develop malware to sabotage their adversaries' IT systems and critical infrastructure. It also shows that hostile governments can easily target the SCADA systems on which a nation's power, gas, oil, water and sewage systems depend.

And the research confirms that the critical infrastructure sector has been slow to adjust to this increasingly sophisticated threat.

Four key recommendations are made:

* Improved authentication measures, moving away from passwords to a higher reliance on tokens and biometric identifiers;

* Better hygiene of network systems to include increased use of encryption technologies;

* Increased oversight of access to industrial control systems, including how they access the internet, through active management of internet connections, mobile devices and removable media;

* Effective partnerships with governments, ranging from encouragement to mandatory action.

Copyright: Centaur Communications Ltd. and licensors
