MOUNTAIN VIEW, Calif. – October 6, 2010 – Symantec Corp. (Nasdaq: SYMC) today released the findings of its 2010 Critical Information Infrastructure Protection (CIP) Survey, which highlights that 53 percent of critical infrastructure providers report that their networks have experienced what they perceived as politically motivated cyber attacks. Participants claimed to have experienced such an attack on an average of 10 times in the past five years, incurring an average cost of $850,000 during a period of five years to their businesses. Survey participants from the energy industry reported that they were best prepared for such an attack, while participants from the communications industry reported that they were the least prepared. Critical infrastructure providers represent industries that are of such importance either to a nation’s economy or society that if their cyber networks were successfully attacked and damaged, the result would threaten national security.
“Critical infrastructure protection is not just a government issue. In countries where the majority of a nation’s critical infrastructure is owned by private corporations, in addition to large enterprises, there is also the presence of small and medium-sized businesses,” said Justin Somaini, chief information security officer at Symantec Corp. “Security alone is not enough for critical infrastructure providers of all sizes to withstand today’s cyber attacks. The Stuxnet worm that is targeting energy companies around the world represents the advanced kind of threats that require security, storage, and back-up solutions, along with authentication and access control processes to be in place for true network resiliency.”
- Critical infrastructure providers are being attacked. Fifty-three percent of companies suspected they had experienced an attack waged with a specific political goal in mind. Of those hit, the typical company reported being attacked 10 times in the past five years. Forty-eight percent expect attacks in the next year and 80 percent believe the frequency of such attacks is increasing.
- Attacks are effective and costly. Respondents estimated that three in five attacks were somewhat to extremely effective. The average cost of these attacks was $850,000.
- Industry is willing to partner with government on CIP. Nearly all of the companies (90 percent) said they have engaged with their government’s CIP program, with 56 percent being significantly or completely engaged. In addition, two-thirds have positive attitudes about programs and are somewhat to completely willing to cooperate with their government on CIP.
- Room for readiness improvement. Only one-third of critical infrastructure providers feel extremely prepared against all types of attacks and 31 percent felt less than somewhat prepared. Respondents cited security training, awareness and comprehension of threats by executive management, endpoint security measures, security response, and security audits as the safeguards that needed the most improvement. Finally, small companies reported being the most unprepared.
Recommendations to ensure resiliency against critical infrastructure cyber attacks:
- Develop and enforce IT policies and automate compliance processes. By prioritizing risks and defining policies that span across all locations, organizations can enforce policies through built-in automation and workflow and not only identify threats but remediate incidents as they occur or anticipate them before they happen.
- Protect information proactively by taking an information-centric approach. Taking a content-aware approach to protecting information is key in knowing who owns the information, where sensitive information resides, who has access, and how to protect it as it is coming in or leaving your organization. Utilize encryption to secure sensitive information and prohibit access by unauthorized individuals.
- Authenticate identities by leveraging solutions that allow businesses to ensure only authorized personnel have access to systems. Authentication also enables organizations to protect public facing assets by ensuring the true identity of a device, system, or application is authentic. This prevents individuals from accidentally disclosing credentials to an attack site and from attaching unauthorized devices to the infrastructure.
- Manage systems by implementing secure operating environments, distributing and enforcing patch levels, automating processes to streamline efficiency, and monitoring and reporting on system status.
- Protect the infrastructure by securing endpoints, messaging and Web environments. In addition, defending critical internal servers and implementing the ability to back up and recover data should be priorities. Organizations also need the visibility and security intelligence to respond to threats rapidly.
- Ensure 24x7 availability. Organizations should implement testing methods that are non-disruptive and they can reduce complexity by automating failover. Virtual environments should be treated the same as a physical environment, showing the need for organizations to adopt more cross-platform and cross-environment tools, or standardize on fewer platforms.
- Develop an information management strategy that includes an information retention plan and policies. Organizations need to stop using backup for archiving and legal holds, implement deduplication everywhere to free resources, use a full-featured archive system and deploy data loss prevention technologies.
Recommendations for governments to promote critical infrastructure protection:
- Governments should continue to make resources available to establish critical infrastructure protection programs.
- The majority of critical infrastructure providers confirm that they are aware of critical infrastructure programs.
- Furthermore, a majority of critical infrastructure providers support efforts by the government to develop protection programs.
- Governments should partner with industry associations to develop and disseminate information to raise awareness of CIP organizations and plans. Specific information should include how a response would work in the face of a national cyber attack, what the roles of government and industry would be, who the specific contacts are for various industries at a regional and national level, and how government and private business would share information in the event of an emergency.
- Governments should emphasize that security alone is not enough to stay resilient in the face of today’s cyber attacks. In addition, critical infrastructure providers and enterprises in general should also ensure that their information is stored, backed up, organized, prioritized, and that proper identity and access control processes are in place.
The survey was conducted in August 2010 and is based on 1,580 responses from 15 countries and six industries categorized as critical infrastructure providers.
Connect with Symantec
Symantec is a global leader in providing security, storage and systems management solutions to help consumers and organizations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored. More information is available at www.symantec.com.
Note to Editors: If you would like additional information on Symantec Corporation and its products, please visit the Symantec News Room at http://www.symantec.com/news. All prices noted are in U.S. dollars and are valid only in the United States.
Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
TECHNORATI TAGS: Symantec, Critical Infrastructure Protection, Cyber Attacks, Internet Security, Information Management, Data Loss Prevention