The study was carried out by the Ponemon Institute for security firm Tenable; the data was culled from an initial study of 2,410 IT and IT security practitioners in the US, the UK, Germany, Australia, Mexico and Japan.
The responses of 701 companies that belong to the energy and utilities, health and pharmaceuticals, industrial and manufacturing, and transportation sectors were extracted and used for the figures issued on Monday.
- C-level technology, security and risk officers are most involved in the evaluation of cyber risk as part of their organisation’s business risk management.
- Forty-eight percent in the OT sector (vs 38% in the non-OT sector) attempt to quantify the damage a cyber event could have on their business – and they’re most likely to quantify the impact based on downtime of OT systems.
- Concerns about third parties misusing or sharing confidential information, and about OT attacks resulting in downtime to plant and/or operational equipment, increase when looking ahead to 2019. Worries about nation-state attacks continue at a significant level. No definition was given as to what was considered "significant".
- Increasing communication with the C-suite and board of directors about cyber security threats facing the organisation and ensuring third parties have appropriate security practices to protect sensitive and confidential data are top priorities for 2019.
- The top 2019 security priority is to improve the ability to keep up with the sophistication and stealth of attackers. This isn’t surprising given the significant number of OT sector organisations that have suffered a nation-state attack in the past 24 months.
- Few organisations have sufficient visibility into their attack surface. Gaining required visibility will continue to be a challenge due to a combination of staff shortages and heavy reliance on manual processes. Only 20% said they had sufficient visibility into their organisations' attack surface.
- Improve communication with the C-suite and board of directors about the cyber threats facing the organisation. This will help identify and address gaps between the organisation’s risk appetite and its actual risk exposure.
- Improve visibility into the attack surface. Blind spots can result in unmanaged and unsecured IT and OT systems. Complete visibility is required for organisations to assess their risk.
- Increase the use of automated processes to compensate for the security staff shortage.
- Continue to recognise the security impact of interdependencies between IT and OT systems. Vulnerabilities and other weaknesses in IT systems can put interconnected OT systems at risk, and vice versa.