🔒 Cyberattacks: Risks rise for SA’s biggest job-creating industries – Wall Street Journal

The results of a WSJ Pro Research survey of information security officers throw up a red alert that South Africa’s already challenging business environment is at greater risk of cyberattacks. The survey found that retail and manufacturing – two of SA’s biggest job-creating industries – and government computers are most at risk of cyberattacks. And small businesses, which are already bearing the brunt of Covid-19, are ill-prepared to withstand an attack of any kind. Earlier this year the World Economic Forum listed cyberattacks as one of the top-10 risks facing the world in 2020. Cybercriminals are always taking advantage of chaos to step up their attacks, as was illustrated by the criminal cyberattack on South African private healthcare group Life Healthcare some two weeks ago. And as work-from-home employees are sitting ducks for hackers to gain access to company networks, SA Inc can no longer afford to take the ostrich route and stick their proverbial heads in the sand. – Fadia Salie

The industries most vulnerable to cyberattacks — and why

By Rob Sloan

(Wall Street Journal) – A number of important industries are dangerously vulnerable to cyberattacks. Small businesses are far less prepared than big ones. And plenty of companies aren’t taking basic steps to improve their readiness, leaving them exposed to breaches that can threaten their existence.

These are some of the findings from a survey of information security officers at nearly 400 companies by WSJ Pro Research. The survey offers a revealing snapshot of the state of cybersecurity — in particular, what kinds of companies are unprepared and why.

The results are a wake-up call for industries that need to get their act together. And they provide a road map for what slow-moving companies need to do to make sure they protect their at-risk assets. The price of not doing so could be high, and perhaps devastating.

“Even today, after so many documented cyber incidents, some businesses lag behind in their preparation or, worse, they react in knee-jerk ways to today’s incident with no vision or strategy to address tomorrow’s,” says Alan Levine, chairman of the advisory board for Carnegie Mellon University’s chief information security officer program.

Mr. Levine, who spent 20 years as the chief information security officer at Alcoa Inc. and its successor, Arconic Corp., says there are too many “ostrich” organizations that have their heads in a hole. “They need to look up, look around and see cybersecurity as an organizational imperative regardless of sector.”

Survey results

WSJ Pro Research, which provides data and research as part of The Wall Street Journal’s professional information offerings, surveyed information-security executives across different sectors and company sizes to see how they view the risks they face and the steps they are taking to protect their data.

Some of the key findings:

• Organizations aren’t necessarily prepared for the threats they are most concerned about. Ransomware was highly concerning, for instance, with nearly 80% viewing it as high risk, but just under 70% felt prepared to deal with it.

• Manufacturing, government and retailing were behind other industries in important areas. Fewer than two-thirds of manufacturers and retailers have any cybersecurity program. Retailers were least likely to feel prepared to defend themselves against ransomware attacks. Government departments were also among the least prepared for ransomware attacks and well below average in offering cybersecurity training to their executives, as well as in identifying critical data. By contrast, health care reported surprisingly strong preparedness.

• Small companies tended to lag behind large ones in preparedness. For instance, only 63% of companies with under $50 million in revenue have a cybersecurity program, in contrast to 81% of companies with over $1 billion in revenue. More concerning, 15% of smaller companies have no plan to put a cybersecurity program in place. In addition, the very largest businesses were almost twice as likely as the very smallest businesses to already hold cyber insurance — and 39% of the smallest had no plans to buy a policy in the next 12 months.

[Chart: Critical Gap]

A constant barrage

The findings come at a critical time for businesses. Not only are they grappling with the pandemic and economic crisis, but cybercriminals have taken advantage of the chaos to step up their attacks. Forty-two percent of companies have faced an attack in the past year, the survey found.

And break-ins can be disastrous. They often impose large costs, waste time and resources, pose a big risk to a company’s reputation and brand — and can affect perceptions of a whole sector.

Yet cyber risks are stubbornly hard to address. Many executives fail to prioritize the problem or even to understand it. The subject can be complex and technical, the demand for talent outweighs the supply, and solutions can be expensive.

There is no single way to define what preparedness looks like, but it includes the ability to detect and respond to breaches, as well as develop a security-conscious workforce. The survey focused on eight measures of readiness, including having a cybersecurity program, identifying critical data that need protecting, training employees and company leaders, and having cyber insurance.

Several measures were found to be crucial indicators for how prepared a company is to deal with cyber risks.

Companies with cyber insurance, for instance, were likely to perform better on other aspects of preparedness. Simply having insurance suggests businesses have assessed their risk, understand their critical data assets and are aware of the potential for disruption if attacked.

The businesses may also be making efforts to decrease their insurance premium by taking risk-reduction measures.

Somewhat less common, but equally important, is delivering tailored cybersecurity training to executives, who are often targeted by cybercriminals for the extensive data to which they have access.

For example, companies that conducted executive-level training were more likely to have identified and protected critical data (84% over the 72% average), to have insurance coverage (63% over 51%) and far more likely to have an incident-response plan (84% over 70%).

Preparation gap

The survey highlighted the gaps between companies’ perception of certain threats and how prepared companies feel they are to defend themselves. Ransomware — malicious software used by criminals to hijack computers and extort the user — is considered high risk by 78% of companies surveyed, but just under 70% of respondents in the survey said they believed they are well prepared to deal with such attacks. By contrast, nearly 80% of companies felt well prepared to deal with malware, another threat considered high risk.

Progress report

Another challenging area for all companies was assessing the effect of attacks on an organization’s supply chain or third-party suppliers. More than 70% of all organizations saw it as a major threat, but less than 60% felt prepared. Only 62% of larger businesses — those with revenue of more than $250 million — were able to quantify and qualify the risk to or from their suppliers, though this was better than the 42% of the country’s smallest firms. Even financial-services firms — often considered the most advanced in cybersecurity — lagged behind, with only six out of 10 firms managing the risk well.

Vulnerable industries

The survey also demonstrated how companies’ vulnerabilities — and their progress in addressing them — varied across different industries.

Industrial and manufacturing firms are struggling with third-party risk, with just over half having an understanding of those risks that could affect their operations. Fewer than two-thirds of manufacturers have a cybersecurity program, and the sector came out at the bottom in having an incident-response plan, a step that suggests readiness to respond when an attack does occur.

Furthermore, greater percentages of manufacturing companies said they were not planning to implement improvements in important areas anytime in the next 12 months. For example, 63% of manufacturers currently have no cyber insurance, and 37% have no plans to purchase coverage within the next 12 months. Cybersecurity training isn’t in the plans for manufacturers for the coming year, either: Twenty-two percent don’t intend to implement employee training, and 26% said executive training won’t happen. And 15% have no plans to identify critical data worth protecting in the next year.

Manufacturing lines and industrial processes often run on operating systems or industrial-control systems that no longer receive security updates due to the age of the software. Taking systems offline for maintenance can be prohibitively expensive or disruptive to operations. “[They] often rely on legacy infrastructure and applications that require unsupported platforms for continued operations,” says Andrew Rubin, CEO and co-founder of Illumio, a Sunnyvale, Calif., cybersecurity company. As a result, many manufacturers struggle to create effective cybersecurity strategies and controls.

Automation and the implementation of Internet of Things devices into industrial environments are introducing new risks to manage and more places for hackers to strike. Mr. Rubin says more breaches are starting to prompt greater awareness of the risks in manufacturing. “Failures are propelling action,” he says. “Compromises and data loss among manufacturers are driving a desire to transform.”

Among the industries least prepared for ransomware is retail, where only 62% of companies were confident they are prepared to defend themselves against such attacks. Large databases about customers and loyalty-program members make retailers a prime target for cybercriminals, says Mun Valiji, former Group CISO of Sainsbury’s supermarkets, a major U.K.-based retailer, who left his post in March.

Even as the industry grows far more digital, retailers have been reluctant to add security measures that will affect customers’ experience on their e-commerce sites. “There is a very fine line between delivering an awesome customer experience online and striking the right security balance,” Mr. Valiji says.

Government departments at a local and federal level were also weak in some areas. For instance, they showed less confidence than most sectors in their own preparedness for ransomware attacks. Government agencies, along with construction companies, were also well below the 58% average of companies that offer executive training in cybersecurity, with only around 42% of both sectors saying they deliver the training.

The large amounts of personal data local government agencies often hold make them tempting targets for attackers, but tight budgets restrict access to cutting-edge security technologies and mean they are unable to compete with the higher salaries on offer in the private sector. In early June, cybersecurity-news website Krebsonsecurity.com reported the city of Florence in Alabama paid a ransom of $291,000 after criminals locked up the city’s IT systems. The city’s mayor confirmed the attack and payment.

The health-care sector reported far less vulnerability than other areas. Health care is sometimes seen as one of the most targeted sectors. Yet, while 63% of construction and infrastructure companies admitted cybersecurity breaches on one or more occasions in the past 12 months, only 17% of health-care organizations said they had been compromised.

“We think the reduction is due to a combination of factors, including improvements in the cybersecurity posture of health-care organizations,” says Dave Wong, vice president with cyber-incident response provider Mandiant, a division of FireEye Inc., “but the behavior of attackers had also changed.”

In 2017, health care was the third-most-targeted sector, according to Mandiant’s annual threat report. By 2019, security improvements and evolution of the attackers’ tactics led to the sector dropping to eighth place. Cybercriminals follow the money, Mr. Wong says, and when fewer ransoms were being paid, they shifted their focus elsewhere. “Ransomware operators previously targeted hospitals knowing that the operational disruption could potentially cost patients’ lives,” he says. “Now, the same ransomware operators target larger companies with deeper pockets.”

Security preparedness also varied by business size, with smaller companies lagging behind larger ones in a number of areas. Only 63% of companies with under $50 million in revenue have a cybersecurity program, in contrast to 81% of companies with over $1 billion in revenue.

A lack of cybersecurity preparedness in the small to medium-size business sector can affect other businesses. Within supply chains, a supplier could be used as a steppingstone to compromise the customer’s network, as happened in the 2013 breach of Target Corp., where hackers gained access to the company’s network via an HVAC supplier. Also, attacks that cause operational disruption could have a knock-on effect on customer operations.

Prioritized defenses

The survey highlighted a number of areas where companies are making progress in protecting their at-risk assets.

One critical aspect of a cybersecurity program is the identification and protection of a company’s critical data assets. If the confidentiality of those assets is lost, their integrity is compromised, or they become unavailable, the disruption will be significant. Across all businesses in the survey, 72% have completed an assessment of what data is critical and have taken steps to protect it. A further 22% plan to conduct such a review in the coming 12 months.

Cyber insurance is another key area. Overall, 51% of all businesses had purchased cyber-insurance coverage, and a further 24% planned to purchase coverage in the coming 12 months.

[Chart: Preparedness Indicators]

Still, many small businesses choose not to take on coverage, says James Trainor, senior vice president at Aon Cyber Solutions, a unit of insurance provider Aon PLC. “Small businesses often don’t have the resources — financial or personnel — to conduct a robust cyber assessment and risk-quantification process,” he says. But he also was concerned over the 35% of large companies that didn’t already hold cyber insurance, citing the potential for catastrophic losses. “I’m not sure how a board is exercising its fiduciary responsibility to protect its shareholders and the firm from this growing risk without cyber insurance,” he says.

When it comes to training and awareness, the data show 68% of companies are educating employees. But 45% of businesses under $50 million in revenue have not yet implemented training.

Somewhat less common, but equally important, is delivering training to executives. Government agencies and construction companies are well below the 58% average, with only around 42% of both sectors saying they deliver the training.

Training executives is less generic than training users at a large scale. The messaging must be driven by the unique set of risks and threats faced by individuals and companies, and the strategies that should be employed to counter those risks. Such training, regardless of industry, is “a very nuanced conversation,” says Jason Hoenich, president of cybersecurity company Habitu8.

“Good cybersecurity begins with good leadership, and these functions are best led by a chief information officer who is trained, informed and capable,” says Mr. Levine of Carnegie Mellon. A CISO’s role, he says, is “to see the circumference of the organizational wheel, to understand every single place where good cybersecurity strategy can make a positive difference for the organization.” He adds: “Good leaders know their current state, define a better state, and design a path to get from here to there.”

Mr. Sloan is research director at WSJ Pro Research. He can be reached at [email protected].
