Deloitte: Energy, Resources Companies Make Progress on Security
June 5, 2008 // Published as a news service by IHS
Energy and resources businesses are working hard to improve their security and be one step ahead of the latest security threats, according to the 2008 Energy and Resources Global Security Survey from Deloitte Touche Tohmatsu.
Results indicate that human error remains the greatest threat and firms still need to get to grips with the latest available security technology.
"Companies have been developing their security practices and credible progress has been made," said Simon Owen, a member of Deloitte's U.K. enterprise risk services technology group.
According to the survey, a majority of companies (62%) are "very confident" they are safe from an external attack, while 41% said they are "very confident" they are safe from internal attack.
However, the need for security to remain a high priority is highlighted by the threats faced by business. Analysts said more than half of respondents (53%) suffered from an e-mail attack in the last 12 months and 44% have experienced repeated e-mail attacks.
"There are still issues E&R [energy and resource] companies need to address to improve their security," said Owen. "Lack of resources is cited by 40% of companies as the biggest barrier.
"Investment is another area where over half of companies (53%) feel they aren't on plan or ahead of the problem, due to their current level of expenditure. Lack of support is another issue and only half (53%) believe that senior management gives sufficient commitment to information security."
Survey responses indicate that companies fear external threats more than operational ones. Their greatest fear is social engineering, where individuals are duped into disclosing confidential data online.
Analysts said the most dangerous threat in fact comes from within, with 67% of companies citing "human error" as one of the root causes for security failures, putting it ahead of technology and operations.
One way companies can stay on top of their information security is by training their staff. Analysts said more than a quarter of organizations (29%) give their employees no training at all on information security or privacy issues, or how to identify suspicious activities. This is surprisingly low for a sector well-versed in training its people.
"To minimize the risks, organizations need to keep abreast of new security tools and their potential for improving security," Owen said. "The risks of disruption are further heightened by the fact that almost all respondents say that the security of their specific industry control systems - such as SCADA [supervisory control and data acquisition] - is critical to the success of their organization's business. Yet a majority of them have no program in place to assess that security."
Fortunately, the global survey reveals companies have developed a strong governance framework around their security. The majority of energy and resources organizations have appointed a chief information security officer. The majority of companies (72%) have information security governance frameworks and strategies in place.
Analysts said this senior leadership driving the information security governance framework reveals a long-term commitment to information security among energy and resources companies globally.
Other key findings from Deloitte include:
- More than half of energy and resources companies (55%), including critical utilities and infrastructure organizations, have a formal business continuity plan (BCP) in place.
- The survey found that although the majority of companies have some form of crisis management plan in place (81%), only a minority (27%) have specific crisis management teams or regularly test their crisis management plans.
Source: Deloitte Touche Tohmatsu (DTT).