76 percent of energy companies admit to recent security breaches
Furthermore, 69 percent of organizations feel a data breach is very likely or likely to occur over the next 12 months
Waltham, Mass., April 7, 2011 — More than 75 percent of global energy organizations surveyed admit to having suffered at least one data breach over the last 12 months, according to a survey by Q1 Labs and the Ponemon Institute.
The survey polled 291 IT and IT security practitioners in utilities and energy companies with an average of 11 years of experience; the work of participants in the study involves securing the organization's information assets, enterprise systems or critical infrastructure.
The staggering results show a glaring disconnect between the C-suite of executives and those in the IT trenches when it comes to IT security.
"One of the scariest points that jumped out at me is that it takes, on average, 22 days to detect insiders making unauthorized changes, showing just how vulnerable organizations are today," said Dr. Larry Ponemon, founder and chairman of the Ponemon Institute. "These results show that energy and utilities organizations are struggling to identify the relevant issues that are plaguing their company from a security perspective. They have to bridge the gap between operations and IT, and make IT security a top priority within the organization."
* 71 percent of IT Security executives at global energy producers state that their executive management team does not understand or appreciate the value of IT Security.
* According to 43 percent of respondents, the top-ranked security threat their organization faces is negligent or malicious insiders and is the number one root cause of data breaches.
* 72 percent say initiatives are not effective at getting actionable intelligence (such as real-time alerts, threat analysis and prioritization) about actual and potential exploits.
* A mere 21 percent of global energy and utilities organizations feel that their existing controls are able to protect against exploits and attacks through smart grid and smart meter-connected systems.
* Only 39 percent of energy producers state that their organization's security program is dedicated to detecting or preventing Advanced Persistent Threats.
* 67 percent of energy organizations are not using what would be considered "state of the art" technologies to minimize risks to SCADA networks.
"We were really taken aback by some of the results – especially that 71 percent of respondents believe that C-level executives don't understand or appreciate security initiatives. This is further demonstrated by the statistic that the physical security budget is about 10X the information security budget," said Tom Turner, Senior Vice President of Marketing and Channels at Q1 Labs. "IT Security in these organizations has the challenging task of protecting Critical Infrastructure against breach. Against a backdrop of Wikileaks, the Nasdaq Hack, the RSA Breach, and the energy-specific Stuxnet virus, we have found that customers are crying out for Security Intelligence."
To view the "State of IT Security: Study of Utilities & Energy Companies" Executive Summary from Ponemon Institute, click here.