A recent Tripwire survey found that only 17 percent of security professionals are confident in the U.S. government's ability to protect itself from cyberattacks this year.
The study surveyed more than 200 RSA Conference 2017 attendees and found that 80 percent of respondents were more concerned about cybersecurity this year than last.
“People and organizations alike look to the government to set an example and lead the way on all sorts of issues, including cybersecurity,” Tripwire CTO David Meltzer wrote in a blog post. “What the results of this survey show is that seasoned cybersecurity professionals are not confident in the government's current cybersecurity strategy, and these worries can trickle down to the list of concerns for an enterprise.”
Meltzer told SC Media that two key areas for improvement are foundational controls and ICS security, and that if we raised the minimum bar for a breach by making sure that every organization effectively mastered the "basics" of security, breaches would be significantly reduced. Meltzer has seen small-scale levels of these attacks, but a larger attack could have worse consequences.
“A large-scale attack could potentially disrupt power in a large population center for a long period of time or physically destroy equipment, but our biggest worry is the loss of human life from an attack,” he said.
Unpatched systems could lead to breaches of physical systems in the ICS environment that are intended to cause harm, such as attacks on the power grid and manufacturing plants, and even train derailments.
When asked about the security posture of their own organizations, 60 percent reported being confident while 33 percent responded not confident. Forty-eight percent of respondents attributed the lack of confidence in their own firms to a lack of skilled people, while 30 percent attributed it to inadequate process.
Intellectual property theft, followed by brand reputation damage and legal exposure/lawsuits, topped the list of concerns if an organization lacked a robust security program.
“With high profile data breaches hitting companies' bottom lines, it's no surprise that financial loss is high up on the list of security professionals' concerns. It's encouraging to see that people recognize that bad security affects a company's brand reputation, as it means people care more about their security,” Meltzer said.
He added that the widely documented skills shortage has already been identified as a pain point and that companies need to look to technology that increases automation in security to reduce the manual effort required of their employees.
Meltzer said there is no doubt we are at risk and that there are malicious people out there who are seeking to attack us, while at the same time the level of protection in place for our nation's most critical systems is strong in many cases.
“For example, while an attack on a municipal power grid substation or a small agency's website may be a true danger today, it would be much more difficult for an attacker to penetrate a nuclear plant with a breach,” he said.