Greenbone Networks, a provider of vulnerability management, has revealed the findings of new research assessing critical infrastructure providers’ ability to operate during or in the wake of a cyberattack. The research, which was undertaken on Greenbone’s behalf by Frost & Sullivan, investigated the cyber resilience of organisations operating in the energy, finance, health, telecommunications, transport and water industries, located in the world’s five largest economies: UK, US, Germany, France and Japan. Of the 370 companies surveyed, only 36% had achieved a high level of cyber resilience.
To benchmark the cyber resilience of these critical infrastructure providers, the researchers assessed a number of criteria. These included their ability to manage a major cyberattack, their ability to mitigate the impact of an attack, whether they had the necessary skills to recover after an incident, as well as their best practices, policies and corporate culture.
Infrastructure providers in the US were the most likely to score highly, with 50% of companies considered highly resilient. In Europe, the figure was lower at 36%. In Japan, is was just 22%.
There were also marked differences between industry sectors, with highly-regulated organisations, such as finance and telecoms, most likely to be cyber resilient (both at 46%). Transport providers were the least likely to be considered highly resilient (22%), while energy providers (32%), health providers (34%) and water utilities (36%) were all close to the average.
Characteristics of a highly-resilient infrastructure provider
Those critical infrastructure providers which were benchmarked as highly resilient shared some key characteristics:
They are able to identify critical business processes, related assets and their vulnerabilities: Highly-resilient organisations thoroughly analyse their critical business processes and know which digital assets underpin these processes. They continuously check for vulnerabilities, taking appropriate measures to mitigate or close them.
They deploy cybersecurity architectures that are tailored to their business processes: This focus places them in a strong position to mitigate damage caused by an attack.
They have well-established and well-communicated best practices: The highest performing organisations have well-defined policies and best practices. For example, in 95% of highly-resilient organisations, the person responsible for managing a digital asset is also responsible for securing it. This level of expertise and responsibility allows organisations to close gaps and repair damage quickly.
They are more likely to seek third-party support: These companies are more likely to engage with specialist providers, not only to manage security technologies, but also to obtain advice. For example, they might employ consultants to help develop a security strategy for the company, select suitable technology, implement managed security services, establish metrics for success or calculate the business case for a security project.
They place greater importance on the ability to respond to cyber incidents and mitigate the impact on critical business processes: The ability to prevent cyber incidents is of secondary importance to highly-resilient organisations as they recognise attacks are inevitable. They are more likely to focus on procedures that lessen the impact of an attack or accelerate their ability to bounce back after an incident.
They prepare for attacks through simulation: They simulate various what-if scenarios in training sessions and also involve stakeholders outside the IT department. They also apply the same cybersecurity rules to all digital assets.
“Cyberattacks are inevitable so being able to firstly withstand them and then recover from them is vital. Nowhere is this more important than in the critical infrastructure industries where any loss or reduction in service could be devasting both socially and economically, so it’s a concern than only just over a third of providers are what we consider to be highly-resilient,” said Dirk Schrader, Cyber Resilience Architect at Greenbone Networks. “Being cyber resilient involves much more than having enough IT security budget or deploying the right technologies. We hope that – by highlighting the key characteristics of highly-resilient organisations – this research will provide a blueprint for others.”
The report is available to download from here.