CIOs and CISOs have been found to harbour a false sense of confidence when asked about their organisation’s security
Despite a series of major attacks against critical infrastructure in the energy and healthcare sectors, San Jose-based Skybox Security’s survey found that information security experts still have a false sense of security regarding the cyber risks their organisations’ OT is exposed to. 73 per cent of CIOs and CISOs participating in the survey were convinced that their companies won’t experience any cyber-attacks in the future, although 83 per cent of the critical infrastructure organisations they are working for have already suffered breaches previously.
OT or operational technology refers to the hardware and software used to monitor or control physical devices or processes mostly in industrial settings. Devices in OT systems traditionally have more autonomy than those in IT. They also differ from the latter in that access to them is much more limited and they may not get updated for months or even years. Although the line between IT and OT is becoming more fluid, cybersecurity approaches to them remain radically different.
Cyber insurance, according to Skybox Security’s survey, remains to be the main pillar of companies’ defences against cyber risk in 40 per cent of the cases despite the concept of due diligence slowly gaining ground.
The main challenges that the 179 US, UK, German and Australian OT security decision-makers participating in the survey have listed include network complexity, functional silos, supply chain vulnerabilities and limited remediation opportunities. The report has also revealed that compliance with existing regulations, although high on OT security professionals’ agenda, doesn’t guarantee protection against threat vectors despite beliefs to the contrary, and therefore regulatory requirements will need to increase. Moreover, more than third of OT security leaders said that it’s the inability to conduct path analysis to understand their exposure that stands in the way of making their systems more robust, and almost half of them continue to see disjointed architecture across OT and IT environments as a factor highly constraining their security efforts.