Our SVP Security Strategy and Alliances, Garry Sidaway, blogged last week about organizations' lack of progress in cybersecurity, which is particularly concerning given how rapidly attackers' techniques are advancing.

These findings are based on research of over 2,250 organizations, which we undertook in February and March this year, and published in part in the Risk:Value Report 2019.

As part of the report, we benchmark organizations on cybersecurity best practice, giving each a rating between -41 (worst) and +27 (best). Unfortunately, the average in 2019 is the same as in 2018, at just +3, showing that on average there has been no progress in the last year.

Diving further into the data, we see that some countries and sectors are improving while others are weakening. Companies in India, the USA and the UK are performing better than average, scoring +6, +5 and +5 respectively. Towards the bottom end of the scale, Germany has weakened to 0 (down two points year-on-year), and Singapore and France have both slid to just +1, putting them firmly in the bottom half for cybersecurity best practice.

Analysing the data by business activity, the average scores of companies operating in sectors that provide critical national infrastructure are concerning. This year:

·       Financial services dropped one point to +4

·       Telecoms companies weakened one point to +2

·       Oil and gas weakened one point to +2

·       Private sector healthcare (including hospitals) dropped one point to +2

·       The utilities sector (including electricity and water) remained static at +2

·       Transport and distribution companies (which covers transport operators) remain rooted as the second weakest sector, with just +1.

The financial services sector alone is the target of 17% of attacks globally, according to our Global Threat Intelligence Report 2019, but no sector is immune.

We know that recognition of threats to critical national infrastructure is high: cyber attacks on critical infrastructure are rated by organizations as the fourth biggest risk in the next 12 months, ahead of skills shortages, barriers to international trade, and terrorism and war.

So what’s going wrong in these sectors? To pick three data points:

·       Less than half of transport and distribution companies, telecoms companies and utilities have a full cybersecurity policy in place

·       Less than half of transport and distribution, private healthcare, oil and gas, telecoms and utilities companies have an incident response plan

·       More than half of oil and gas companies don’t have adequate resources/skills in-house to cope with the number of security threats

These results echo the report narrative that, although organizations are aware of cyber risk and want to address it, they are often failing to do so.

Is this a cause for concern? Certainly. The threat landscape is growing in severity and complexity, and attacks on critical national infrastructure are occurring more frequently. More businesses and citizens will be affected if best practice does not improve.

A major area of focus in securing critical national infrastructure is Operational Technology (OT). Many so-called Internet of Things (IoT) devices are becoming better protected and often fall within the remit of organizational IT teams. Operational systems, by contrast, are becoming more widely connected (not necessarily over internet protocols), and that connectivity opens up a new attack vector: legacy protocols, many of which were designed without authentication or encryption, combined with infrequent patching, leave vulnerabilities exposed. We talked about the risk to OT in our annual predictions for 2019.

Government policy and incentives, skills initiatives, culture, awareness, risk assessments and incident response planning as well as the right technological solutions supported by Artificial Intelligence (AI) can all play their part.

I was going to write that the performance of organizations in critical national infrastructure sectors surprised me, but I will not because I am not surprised. Companies in these sectors face many of the same challenges that we all face, particularly around people, organizational culture and the governance of risk. It is simply that the consequences of failure are more profound.