Industrial executives have finally gotten with the modern-day times and have begun increasing spending on security, significantly improving their technology safeguards, processes, and strategies.
Unfortunately, they’re still a step behind their adversaries, maybe even two or three steps behind, according to a recent PwC study.
And a pair of industry experts tell Industry Today that the consequences of lagging behind are dire – if not now, then soon.
“It has been a bit of a latent issue because many old line, heavier manufacturers didn’t see themselves as rich targets or high-profile targets when it comes to cyber security threats, but there are a lot of attributes to those companies that might be appealing to rivals that were never thought about before,” says Bob McCutcheon, PwC’s U.S. Industrial Products leader.
“Over the years manufacturing has not been as proactive in thinking about the risk of those threats as other higher profile industries, like aerospace, defense, technology, and financial services,” he adds. “Many of these manufacturers are now beginning to realize that maybe they do have more vulnerabilities than they originally believed.”
This realization is triggering a surge in security-related spending, according to PwC’s aforementioned survey, titled The Global State of Information Security. The study, which included the responses of more than 600 industrial executives, says that industrial products security budgets average $4 million this year, double from what was reported last year.
This surge in spending may be fostering a false sense of security, the survey suggests.
For instance, 82 percent of CEOs surveyed say they are confident in their company’s security program. The same percent of CISOs – those with direct responsibility for security – said the same.
Furthermore, 46 percent of respondents consider themselves “front-runners,” or those ahead of the pack in strategy and security practices. The number of respondents who say they have an effective strategy in place and are proactive in executing the plan increased 14 percent from last year.
But only 26 percent say that they are better at getting the strategy right than executing the plan, the study says, adding that there are far fewer leaders in security than front-runners.
The study measured industrial products respondents’ self-appraisal against four key criteria to filter for leadership. To qualify, organizations must:
- Have an overall information security strategy;
- Employ a CISO or equivalent who reports to the CEO, CFO, COO, CRO, or legal counsel;
- Have measured and reviewed the effectiveness of security within the past year;
- Understand exactly what type of security events have occurred in the past year.
The end result, according to the survey’s findings, is that just 15 percent of respondents are true leaders in security.
This is particularly alarming because a growing number of sophisticated intruders are bypassing perimeter defenses to carry out dynamic, highly targeted attacks that are difficult to detect, a problem made worse by inadequate or dated security strategies, says McCutcheon.
“I’ve spent a lot of time over the last several months focusing on this being a potential mega trend and it is something that’s going to consume a lot of dialogue in the executive suites and the boardrooms in the coming year,” McCutcheon continues. “It’s more and more on the front of the mind today.”
Here’s why, according to the study: Respondents detected 101 percent more security incidents – from 872 in 2012 to 1,756 in 2013 – in the past 12 months.
“They’re starting to detect more incidents as a result of increased capabilities,” McCutcheon says. “Those incidents were already happening, but executives are just becoming more aware of them now.”
Not aware enough, it seems. Surprisingly, the study says 16 percent of respondents didn’t know the number of incidents was rising on a yearly basis.
Meanwhile, the average financial losses reported are up 64 percent over last year, emphasizing the cost and complexity of responding to threats. About 8 percent of respondents reported losses of $10 million.
Employee and customer data were the assets most often compromised by security breaches, PwC’s findings show. McCutcheon says that can endanger a company’s most valuable relationships.
“Insiders, particularly current or former employees, are cited as a source of security incidents by most industrial products respondents,” the study explains, adding that hackers accounted for 28 percent of security incidents in 2013. “It’s the people you know—current and former employees, as well as other insiders—who are most likely to perpetrate security incidents.”
Most respondents have deployed traditional “block and tackle” security tools to thwart security violations. Frequent types of safeguards and security processes include application firewalls, malware or virus-protection software, encryption of desktop computers, and web content filters.
Unfortunately, these are commonly ineffective in stopping today’s technologically advanced threats.
Safeguards that monitor data and provide real-time intelligence can do that, but according to the study, they are less likely to be used than the traditional safeguards mentioned above.
And many companies do not properly safeguard their high-value information.
“If you look at the more advanced capabilities, they’re not in place yet,” Quentin Orr, a managing director in PwC’s Security practice says. “Other industries started implementing these types of advanced capabilities several years ago, but we haven’t seen industrial products companies catch up with this quite yet.”
Companies also lack the proper implementation of basic policies to protect intellectual property.
“I say that one of the biggest issues in this sector is that they often don’t know or haven’t even defined clearly what their information assets are, and so you can’t really provide advanced and focused protection over those assets if you haven’t yet defined it or inventoried it,” Orr explains.
Risks have also been elevated by a lack of collaboration within the industry and by a lack of security around hot-button technologies like cloud computing, mobility, and BYOD, many of which are put to use before they are secured.
“There are a lot of insecure devices or insecure cloud solutions floating around out there because the businesses got ahead of the central IT functions,” Orr says. “A lot of technologies exist to secure these devices.”
WHAT TO DO?
Executives are now taking action, aligning security with business needs, improving communications, and setting standards for external partners. They’ve also invested in added technology safeguards to shield their ecosystems against evolving threats, bringing security spending and policies into line with business objectives.
But there needs to be more, the study suggests, including:
- A well-written security policy;
- Ongoing monitoring of the data-privacy program;
- Accurate inventory of where personal data of employees and customers is collected, transmitted, and stored;
- Internal and external risk assessments of privacy, security, confidentiality, and integrity of electronic and paper records;
- More personnel background checks;
- The start of an employee security awareness training program;
- Requiring all employees and third parties to comply with privacy policies.
And, perhaps above all else, make security more than just an IT problem, Orr says.
“The first thing is companies need someone to lead this initiative, a top executive,” he says. “We’ve seen time and again that if you get the right security executive on the executive team, that individual will be integrated into the business, see where the business is going, and make the case why they should spend more.”
He adds that it’s common for a client of his to see spending go up and security strategy improve because a new information security officer arrived with the know-how to work with the business and get it to understand where it needs to spend.
“Before they had someone like that, it was the tenth priority on a list of many for the CIO,” Orr says. “Maybe you had a technician in there talking about security, but you didn’t have an executive really operating at that level, helping them understand where they need to go. That’s the key.”
About PwC’s Advisory Practice
PwC’s Advisory professionals across consulting, deals and forensics create value for our clients by helping them address their most complex business issues, from strategy through execution. We understand our clients’ industries and unique business challenges, and look across the entire organization—focusing on strategy, structure, people, process and technology—to help clients build their next competitive advantage. Our firm’s global network of assurance, tax and advisory professionals means that we can bring the right skills and capabilities to help our clients achieve success anywhere around the world.