The healthcare and public health sector is the least prepared of the critical infrastructure industries for ransomware attacks and other types of cyberattacks, according to a recent Pwnie Express survey of 582 IT security professionals.
The water and wastewater systems sector and energy sector came in second and third least prepared, respectively. Other critical infrastructure sectors in the top ten of least prepared included transportation, food and agriculture, emergency services, government facilities, communications, commercial facilities, and nuclear power.
A full 85 percent of respondents said that a cyberattack on critical infrastructure will occur in the next five years.
As compared to last year, close to two-thirds of respondents are more concerned about connected device threats, with IoT devices at the top of the list. One in three report their organizations are unprepared to detect connected device threats.
“These devices pose additional layers of complexity and environmental exposure that traditional IT security measures are insufficient to handle. Our survey shows that security professionals are clearly anxious about this,” said Pwnie Express CEO Todd DeSisto.
Close to 60 percent of organizations suffered a malware attack in 2017, 32 percent experienced a ransomware attack, 30 percent were hit by a distributed denial of service attack, and more than 22 percent suffered attacks on wireless communications or access points.
While 21 percent of respondents said they experienced WannaCry attacks last year, about 18 percent said they did not have the tools to thwart WannaCry, with about 14 percent responding that they did not know if they did.
Respondents said that WannaCry was most dangerous for larger healthcare organizations because the malware targeted MRI scanners, blood storage refrigerators, and other medical equipment.
BYOD devices were a concern for 80 percent of respondents, yet fewer than 50 percent could monitor BYOD in real time.
The survey found that twice as many respondents had an IT security policy as had an IoT security policy. Furthermore, fewer than 50 percent of security professionals were involved in the purchasing approval process in three vulnerable categories: building, industrial, and consumer IoT.
Close to half of respondents were concerned about consumer IoT devices like smart watches and smart coffeemakers, while only 23 percent could monitor these types of devices on their network.
More than half of respondents were concerned about malicious or purpose-built rogue devices, but only 24 percent could monitor them in real time.
Close to half of organizations with more than 1,000 employees knew how many devices were connected to their networks as compared to 70 percent of small and medium-sized enterprises.
To address the growing threat, Pwnie Express suggested organizations take the following measures:
Recognize that poor cybersecurity threatens your organization’s brand
An overwhelming number of security pros said the largest impact of a cyberattack on their organization would be “negative brand perception.” More than one-third of respondents said brand perception was their biggest fear.
Involve security professionals in purchasing decisions for all connected devices
It seems like common sense that the experts should be consulted when device purchases are made. However, survey data showed that security pros were left out of the purchasing and clearance process as much as two-thirds of the time.
Furthermore, organization size was not a factor. In fact, larger revenue-producing companies were not as good at clearing device purchases as smaller ones.
Update security policy to include IoT devices
Many of the respondents said their employers were more than twice as likely to have an enforceable security policy in place for IT devices as for IoT devices. Where a security policy is in place, only a little more than one-third of security pros said that they are involved in checking that devices are compliant.
About 40 percent of respondents said either they did not ensure IoT devices were compliant or they were not sure that anyone in their organization checked.
“IoT has exponentially expanded the attack surface that organizations must identify, assess, and respond to,” DeSisto said. “Putting numbers on some of these issues will help CISOs clarify just how bad the security situation really is.”