Industry findings: Power and utilities

Businesses identify new impacts as security spending continues to rise

Over the past four years, power and utilities businesses have steadily augmented their information security budgets. Security spending notched up 3% in 2016 over the year before, and has surged 53% since 2012. Similarly, information technology budgets have skyrocketed 62% over the past four years.

Despite steady increases in spending, the number of detected incidents has seesawed significantly, rising one year and falling the next. In 2016, power and utilities companies detected 24% fewer security incidents than the year before. Respondents are improving their ability to detect compromises by highly skilled threat actors such as terrorists, foreign nation-states, and activists and hacktivists. They also reported new attack vectors and risks, including phishing schemes, business email compromise and ransomware.

Broad new strategies for cybersecurity

Almost two-thirds (63%) of power and utilities respondents say that digitization of the business ecosystem has resulted in increases to cybersecurity investments in recent years. As the digital revolution continues, respondents plan to work together across business units to design new services, understand cyberthreats and proactively adopt the right cybersecurity and privacy safeguards.

Over the coming 12 months, power and utilities respondents say they will invest in cooperative priorities like aligning business objectives with information security strategy and improving collaboration among the business, digital and IT organizational units. Many are also implementing technologies such as digital enterprise architecture and advanced authentication to help build a strong foundation of digital capabilities and address new cybersecurity and privacy needs catalyzed by evolving business models.

Alignment of OT and IT brings new cybersecurity possibilities

Increasingly, power and utilities organizations are integrating common security safeguards for IT cybersecurity, physical security and operational technologies (OT) to reduce risks, boost efficiencies and help ensure safety.

Already, many businesses are well on their way toward aligning technologies, processes and people skills between IT and process control networks. Consider, for example, that 61% of respondents say they have a single leader responsible for cybersecurity across corporate IT systems and process control networks. What’s more, 63% say they involve information security personnel when building or enhancing process control network systems.

And to help marshal an integrated response to cybersecurity compromises, more than half of power and utilities respondents say their incident-response programs address both IT and OT systems. When it comes to physical security, more than one-third of respondents say they have implemented a common security strategy for physical security and cybersecurity.

Pragmatic approaches to data privacy requirements

As data privacy becomes an increasingly critical business requirement, power and utilities survey respondents say the top mission of their privacy function is to reduce the risk of privacy incidents—not compliance with industry regulators.

To get there, more than half (55%) have hired a Chief Privacy Officer. And when asked about privacy priorities for the coming year, respondents say the top two issues are addressing privacy policies and procedures and enhancing privacy training for employees. Businesses are also updating privacy policies and procedures for Big Data, data analytics or data de-identification. Externally, one in four respondents say their privacy function will address data privacy for the Internet of Things in the coming year. Specifically, many plan to implement policies and technologies to safeguard against consumer data-privacy violations associated with the Internet of Things.

Collective safeguards to secure assets and support growth

Power and utilities businesses are deploying a raft of new technologies, processes and human skills to update their cybersecurity and privacy practices. To guide them, almost two-thirds (64%) say they have implemented a risk-based security framework, with the NIST Cybersecurity Framework and ISO 27000 series being the most popular. To address the human side of cybersecurity and privacy, half (50%) of respondents say they participate in industry or governmental information-sharing organizations.

Not surprisingly, deployment of new cybersecurity safeguards centers around technologies. For instance, businesses not only entrust cloud providers with IT services, but also with more sensitive data like marketing and sales, customer service and operations. What’s more, the vast majority of organizations leverage advanced authentication, and among those that do, top benefits include enhanced fraud protection and more secure online transactions.

Once new technology safeguards are in place, more than half (56%) of businesses employ managed security services to run and improve cybersecurity capabilities such as authentication, monitoring and analytics, and identity management. And while open-source software has been around for decades, 38% of respondents that employ the technology say it has improved their cybersecurity program.

After four consecutive years of information security budget increases, power and utilities businesses appear well-funded to tackle new challenges, implement collaborative processes and integrate operational technology security with IT cybersecurity. Opportunities remain in aligning security spend to business objectives and addressing advanced threats.

Brad Bauch, Principal, Cybersecurity and Privacy
