We’re putting a lot of technology in a lot more places these days, and we’re connecting it to the internet in the hopes of being able to see new patterns so we can change our lifestyles and businesses. This has opened up a huge attack surface. In the last two years, not only have a range of new threats come to light, but old threats have become more powerful, all of which has led experts to believe that the next big cyberattack could take down critical infrastructure — and it’s only a matter of time before it happens.
A new report out from security group Pwnie Express claims that 85 percent of the 500+ security professionals it surveyed believe that their country will suffer a major cyberattack on its critical infrastructure in the next five years. What’s even worse is that most of these respondents believe that the least prepared industries are those with the biggest ramifications for health and safety — public health, water and wastewater, and the energy sector. In many cases it’s not that these organizations are doing nothing; it’s that the threat is so large and so new that they don’t know where to begin.
Back in 2015, I was talking to the CEO of American Electric Power at a Fortune event, and he told me that the company had an entire floor of employees focused on cybersecurity vs. just a handful of employees a few years earlier. And those employees were constantly fending off attacks. But his focus at the time was centered more around protecting the organization’s computer networks. Now threats come over networked cameras or through hackers attaching a rogue thermostat to a network.
And as for the facilities that are getting connected, their IT operations staff are busy doing other things. The security folks Pwnie Express surveyed said their employers were more than twice as likely to have a security policy in place for IT devices as for IoT devices. Even where a policy exists, only a little more than one-third of the security pros said that they themselves are involved in checking that the devices comply with it, and two out of five said they either didn’t ensure devices were compliant or weren’t sure whether anyone in their organization checks.