Globally, oil & gas respondents detected an average of 7,432 incidents, a 30% decline from the year before. By subsector, upstream companies detected the fewest incidents, while oil field services reported more than double that number. This year phishing became the top vector of exploits, reported by 42% of respondents, while business email compromise and ransomware were cited as top business impacts.
After three years of growth, security budgets fell 14% to an average of $5.4 million. This was not as large as the 23% reduction in IT spending. Downstream and integrated companies, however, invested considerably more in information security.
Oil & gas companies are integrating security for corporate IT (information technology) and process control networks (PCNs) in a variety of ways. This year, 62% of organizations have a single leader responsible for cybersecurity across corporate IT and PCNs and 40% say their cybersecurity incident response program encompasses both IT and operational technology (OT).
Almost two-thirds (64%) involve information security personnel in PCN initiatives. Many are working to improve PCN safeguards by performing security risk assessments, vulnerability scanning and penetration testing, and incident response testing.
Today, the vast majority of oil & gas companies employ cloud computing, with private cloud being the most common. As the cloud becomes increasingly secure, organizations are also running more sensitive workloads and data in the cloud.
What’s more, 62% of businesses are employing cloud-based managed security services to help integrate, manage and improve cybersecurity and privacy. Top uses include data loss prevention, monitoring and analytics, and authentication.
Oil & gas companies are moving toward a new cybersecurity and privacy model, one that relies on a range of security technologies that can be interconnected in the cloud. At the core of this approach are solutions like real-time monitoring and response, advanced authentication and open-source software.
Many are also investing in security for the Internet of Things. In fact, the top driver of security spending is the need to secure field assets such as IP-connected process control systems and devices.
As business partners and consumers become more concerned about how their sensitive data is gathered and shared—and governments step up scrutiny of how information is used across borders—data privacy has become a critical business requirement. Oil & gas respondents plan to address several privacy initiatives over the next 12 months, and privacy training and awareness is top of mind.
While more integrated firms currently require employees to undergo privacy training, upstream and midstream businesses are most focused on improving training over the next 12 months. Oil field services respondents are least concerned about improving awareness of privacy.
"Commodity prices affected nearly all oil and gas company budgets for 2016, but cybersecurity was less impacted than many other areas. And while attacks on operational technology and embedded systems held steady, they were cited as primary drivers for security investments due to the business criticality of these systems. We also saw that companies continued to expand and integrate their cyberdefenses as business digitization moved forward."