Enterprises confident Chief Sustainability Officer (CSO) will improve cybersecurity

98% of enterprises want CSOs, but 56% of industrial businesses don't have plans to introduce one to their company, according to a new Kaspersky report.

istock-1006511470.jpg

Image: iStock

As the move to quell the spreading coronavirus, business made a quick switch--an office overhaul--and sent its workforce to do their duties remotely, which presented an entirely new series of security challenges. Nearly all (98%) enterprises believe cybersecurity will improve a sustainable development strategy and the specific role of a Chief Sustainability Officer (CSO), according to new research from Kaspersky's latest, "The State of Industrial Cybersecurity in the Era of Digitalization." 

ARC Advisory group conducted the survey on behalf of Kaspersky, which has produced reports with this title annually since 2017. The goal of it was to assess the state of industrial cybersecurity, its current priorities, and the challenges industrial organizations face. The results of the findings were compiled from the opinions of more than 330 industrial companies worldwide, with 10 industry reps consulted at ARC forums worldwide and at trade fairs.

Because of the unprecedented track of businesses during the COVID-19 pandemic, industrial companies were forced to prioritize cybersecurity. In 2019, 40% of large enterprises planned to report on cybersecurity risks to boards of directors annually, but this year, according to a Gartner report, 100% will do so. 

SEE: Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)

Despite the overwhelmingly positive response for the enterprise to bring a CSO into their company, Kaspersky's research revealed that 56% of industrial businesses don't have plans to introduce a CSO, even though half of that 56% already have a CSO. The report also found that half (50%) plan to introduce technical measures as well as investments (44%) within the company's cybersecurity department. 

The report found that the pandemic impacted industrial businesses by

  • Increased levels of remote work (53%)
  • Reduced cybersecurity budgets (24%)
  • Developed cybersecurity plans for disasters (24%)

Tech trends

Industrial cybersecurity practices were forced into revision of security practices, including

  • Industrial IoT (55%)
  • Cloud and SaaS (55%)
  • Edge computing (36%)
  • 5G (33%)

The pandemic may have speeded plans for the industry's security, but it also introduced fresh challenges. Industrial control systems (ICS) manage physical processes, rather than data, the way corporate networks generally do. 

Physical assets, noted the report, can be manipulated, or even destroyed by cyberattacks, which criminal organizations now exploit. 

ICS and its automation components had not been a priority security risk previously, where ICS anomalies were caused because of user errors or defective hardware and software.

ICS cyberthreat challenges in 2020

ICS is reliant on the industry's connectivity, and because there is an exploitation from criminals, the answer is found in new security methods, which can detect attacks and initiate countermeasures.

Undesired production stoppages (34%), approvals taking too long (31%), and too many decision-makers' involvement (23%) are cited as why vulnerabilities can't be closed quickly.

The greatest challenges to ICS cybersecurity are accidents caused by hazardous substances (32%). Fatalities occur, for example, if safety systems are manipulated or turned off by hackers. 

Major challenges

Major challenges found are "damage of service quality, "loss of confidential information" and "mitigation costs." The last major challenge, "mitigation costs," was less of a critical issue in previous years, and it now requires special and occasionally expensive resources. 

External network scans increased as more employees are working from home. Despite the increased vulnerabilities, respondents (24%) found internal security practices need to be revisited during the pandemic, but only 15% suggested employees need special security training, as they work from home during the pandemic.

Poll results: Cybersecurity initiatives influenced by the COVID-19 pandemic

  • Reduced security budget after the crisis (24%)
  • Increased security budget after the crisis (due to endpoint and VPN protection, 7%)
  • Protective measures are delayed (23%)
  • Login credentials are being spied out (10%)
  • Increase in remote work (53%)
  • Develop a cyber secure work plan (24%)
  • Expects other effects (9%)
  • Increased training on OT/ICS threats (15%)
  • No direct impact on organization (12%)

The report recommends better preparation for lockdown working conditions, access of corporate networks limited to the use of company-owned devices only.

COVID-19 impacts the security posture of your company, but will policies change?

  • 46% Probably yes
  • 23% It's too early to assess
  • 22% I don't think so
  • 10% Probably not

Current cybersecurity policies are carried out during the pandemic

  • Annually (44%)
  • Less frequently (28%)
  • More often (13%)
  • Twice a year (11%)
  • None, no ongoing security policies (5%)

Current initiatives used now

  • Cybersecurity for digital OT related transformation (44%)
  • Managing cyberthreats (19%)
  • Better compliance with regulations (14%)
  • Better compliance with customers' security audits (6%)
  • Conduct cybersecurity audits (6%)
  • Other initiatives (4%)

Types of initiatives respondents are working 

  • Cybersecurity for digital OT related transformation (31%)
  • Managing cyberthreats (24%)
  • Better regulation compliance (23%
  • Better compliance with regulation (5%)

2020 ICS cyberthreat challenges

  • Due to product/service quality (28%)
  • Injury or death of employee (32%)
  • Loss of customer confidence (18%)
  • Equipment damage (16%)
  • Loss of proprietary or confidential information (28%)
  • Loss of contracts or business opportunities (4%)
  • Penalties/sanctions for not fulfilling regulatory requirements (4%)
  • Cost of incident response and mitigation (27%)
  • Damage to company brand or reputation (23%)
  • Injury or death or non-employees (18%)
  • Environmental damage (9%)
  • Criminal or civil liabilities (2%)
  • Violation of regulatory requirements (11%)
  • Impact on national security (2%)
  • 67% of respondents' opinion on who best to coordinate security initiates determined it is one or more employees from the IT security team.

Top three tech trends with most impact on cybersecurity:

  1. Use of industrial iOT companies (55%)
  2. Cloud and SaaS adoption (55%)
  3. Edge computing (36%)

Typical barriers/delays in the implementation of ICS security projects include too many decision-makers, which results in executions having been delayed (47%).

Gender representation: 57% of respondents said women are less represented and 42% said they are equally represented and 1% said they are more strongly represented in OT/ICS teams than in the rest of the company, and 85% said they'll choose anyone qualified, while 15% noted they aim to hire women.

Conclusion

The report suggests the implementation of "The Industrial Cybersecurity Maturity Model" as a viable method to dealing with the cybersecurity issues pushed to the forefront because of the pandemic.

This cybersecurity model for evolving technologies and architectures are the standards and guidelines by incorporating new OT technologies, edge gateways and new practices such as PKI and new strategies. Anomaly detection is one of the basic methods of detecting cyberattacks. End users can use the Industrial/OT cybersecurity maturity model to evaluate their cybersecurity programs and justify necessary investments to top management. Balance the discrepancy between technology investment and human resources.

Also see