Oil and gas executives are confident of their companies' ability to thwart information attacks; however, a recent PwC report found that companies are increasingly vulnerable to cyber attacks due to decreased budgets that have eroded security programs.

The report, 2013 Global State of Information Security Survey, received responses from more than 9,300 chief executives, chief financial officers, chief information officers, chief information security officers, chief security officers, vice presidents and directors of information technology and security. The survey found that while 42% of oil and gas executives that responded to the survey reported that their organizations had proactive security measures in place, a majority are over-confident in their security programs.

Although 76% of respondents were confident in the security measures in place at their organization, the majority of these programs are not capable of handling third-party security breaches.

At a time when companies are pulling back their budgets on information security, security threats are adapting. "Those keeping score agree that the bad guys appear to be in the lead," the report said. However, most of those questioned anticipate security budgets to be increased in 2013. Compared to the previous year's survey, PwC found that 16% more respondents had not made cuts to their security programs.

PwC found that one of the major obstacles that information technology and security departments face is that security budgets are not being driven by security needs. While 17% of respondents reported that security incidents had increased in the past 12 months, security spending was down in many companies. In fact, the survey found that staff dedicated to security awareness and training was at their lowest levels within oil and gas companies in five years.

This training is especially important, as companies are incorporating new technologies faster than they can protect them. This is especially true for mobile, social media and cloud-computing technologies.

More and more of these budgets are being determined, in large part, by economic conditions. "Economic conditions weigh in at 39% [of the budget decision-making]. That's down from recent years, but still a risky way to set priorities," the report noted.

In addition, most responses indicated that the funding for these security programs were geared toward addressing known security issues rather than focusing on enterprise-level security programs. Only 47% of respondents indicated enterprise security programs were in place within their organizations. This is the same percentage of respondents who have programs in place to address advanced persistent threats.

More than one-third of respondents stated that security measures are not being implemented into the planning of major projects. Instead, responses indicated that these measures were being put in place either in the implementation phase or on an as-needed basis.

This cannot only lead to vulnerabilities, but also leave the security and information departments with less knowledge than required or desired to ensure the best protection. "You can't succeed in today's elevated threat environment if you don't know the players and you don't know the rules," Gary Loveland, principal at PwC, said.

Based on this survey's findings, PwC recommends organizations incorporate risk-assessment strategies while seeking to find solutions to identified risks. These risks should be identified through evaluations of their information, who wants it and what they might do to get it.

Additionally, PwC recommends that companies look at information security not just as a way to protect their data, but also as a way to add value to their business.

Comments