Compared to 2010, companies surveyed this year showed a critical infrastructure protection (CIP) participation index of 82% in government programs, down 18 points from the 100% base level set last year, Symantec’s 2011 CIP survey found. In addition, the threat index, which measures the external threat perception of respondents, dropped 29% from the 100% base level in 2010, while the readiness index dropped to 10% from the 100% base level last year.
“What that tells us is there are likely issues surrounding budget and day-to-day operations factors in those companies that are drawing their attention away from government critical infrastructure programs”, said Dean Turner, director of Symantec’s global intelligence network.
“When we take a look at the Nitro and Duqu attacks, and some of the continued fallout from Stuxnet, what is happening is that the threats and potential impact of those threats are increasing but survey participants are not necessarily paying attention to the threat landscape or government CIP programs”, Turner told Infosecurity.
The survey of 3,475 organizations from around the world in 14 CIP industries was conducted by Applied Research for Symantec.
According to the survey, 36% of respondents were somewhat or completely aware of the government critical infrastructure plans being discussed in their country compared to 55% last year. In 2011, 37% of companies were completely or significantly engaged, versus 56% in 2010.
The survey also revealed that companies are more ambivalent in 2011 than they were in 2010 about government CIP programs. For example, when asked their opinion about government CIP programs, 42% had no opinion or were neutral. Also, companies were slightly less willing to cooperate with CIP programs this year than they were one year ago (57% versus 66%).
Overall CIP readiness on a global scale fell an average of eight points (60% to 63% in 2011, compared with 68% to 70% in 2010).
“There is clearly a disconnect between the severity of the threats we are seeing today and the attention being paid to best practices and tools needed to defend against those threats. ... We are talking about highly targeted threats that are looking to steal the keys to the kingdom; we are talking about intellectual property, design documents, and industrial control systems”, warned Turner.
Symantec offered a number of recommendations for CIP companies to improve their security: develop and enforce IT policies and automate compliance processes; adopt a proactive, information-centric approach to protecting information and interactions; manage systems by implementing secure operating environments; protect infrastructure by securing endpoints, messaging, and web environments; ensure redundancy and 24x7 availability; and develop an information management strategy that includes an information retention plan and policies.