Only One-Third of Critical Infrastructure Firms are Extremely Prepared, Study Finds
Cyberattacks are a part of daily IT life, but attacks with specific political goals are increasingly frequent and costly, according to a new report, the Symantec 2010 Critical Infrastructure Protection Study.
Symantec's study examined trends in six infrastructure segments: energy, banking and finance, communications, IT, health care, and emergency services. Over half (53 percent) of all firms said they "suspected or were pretty sure they had experienced an attack waged with a specific political goal in mind." Of those experiencing an attack, firms typically reported 10 hits in the last five years, with banking and financial firms hit the most. Eighty percent of respondents think the level of such attacks is constant or increasing -- which should be worrisome, given that the average cost of an attack is $850,000, according to the report.
Symantec's insights are backed up by recent events. For example, Trusteer, a secure browsing service provider, says 11 Eastern European hackers were formally charged in the UK on September 29. The next day, 70 Eastern European hackers were charged in the U.S. with stealing $3 million from U.S. online bank accounts using the Zeus Trojan.
"The recent arrests in the U.S. and the UK indicate that financial fraud is not the business of individuals," according to Mickey Boodaei, Trusteer's CEO. "Behind these operations you can find groups of people which in many cases operate for larger organized crime groups. They have the money and the means to run large-scale, sustainable criminal online operations. As time goes by, we're seeing more groups which are larger, more efficient, and knowledgeable than before, and as a result much more successful. Zeus is being used around the world to attack individual customers, and big businesses are also being targeted, particularly in the U.S."
Boodaei said other cybercrime gangs are "almost certainly operating in other countries," possibly in continental Europe, Canada, and in the Asian-Pacific region, "running parallel criminal operations to the Zeus gangs in the UK and the U.S."
After reading the Symantec story, I was disappointed by how unprepared the surveyed firms are in the face of such attacks. When asked about the kinds of attacks, including attempts to steal electronic information, alter or destroy data, interference with networks (slowing or shutting down networks), or tampering with physical equipment, only a third reported being "extremely prepared;" another third (from 36 to 41 percent, depending on the type of attack) felt "somewhat prepared." Nearly a third (31 percent) of firms said they felt "less than somewhat prepared." In other words, unprepared.
Weak points in their preparedness include security training, "awareness and appreciation of threat by executive management," and a deficiency in endpoint security measures. Security response and security audits rounded out the list.
The good news is that industries are not just willing to cooperate with government critical infrastructure protection (CIP) programs but are actually doing so. Ninety percent "have engaged with their country's CIP programs to at least some degree, with 56 percent being significantly or completely engaged," according to the report. The energy sector has the highest engagement (83 percent); IT is the least engaged (49 percent).
Mark Bregman, Symantec's CTO, told me that although more large companies are engaged, even small companies are participating. "When it comes to emergency services, for example, we often forget small companies such as ambulance services. Over half of small, critical-infrastructure companies are engaged with government programs." In fact, Bregman says, the firms are enthusiastic about the programs as well. Unfortunately, small companies are also the worst prepared for threats.
The telephone survey of 1,580 private businesses that are part of the critical infrastructure was conducted in August. Responding firms in 15 countries had between 10 and over 10,000 employees (the median was between 1,000 and 2,499 employees).
-- James E. Powell
Editorial Director, ESJ
Posted by Jim Powell on 10/06/2010 at 11:53 AM