Critical Infrastructure is the Weakest Link
Let’s peel the proverbial onion back a bit. One key indicator of an organization’s emphasis on digital transformation is how much money they spend on Information Technology (IT) as a percentage of their revenue. The idea being that you need to up-level your technology to benefit from the agility, efficiencies and scale promised by digital transformation.
In a 2020 CIO Insider Report, a study by professional services firm Deloitte showed that the top industries in terms of IT spending were:
- Banking and securities
- Technology and telecommunications
- Insurance
- Business and professional services
- Education and non-profits
- Travel, media and hospitality
- Healthcare services
Each of these industries were well above the average in IT spending. Now go back to the largest data breaches in history, and you’ll find several of these industries on in the list. How could this be?
It’s because security is often overlooked during digital transformations. Global consulting firm McKinsey did a study that highlighted this exact fact. They found that security is not often a central part of transformation. It’s included, but usually later in the process. So, while organizations may be increasing their investment in IT, it doesn’t automatically mean they’re increasing their investment in cybersecurity.
Today, the most notable breaches – at least those that are known publicly (since there are far more attacks that aren’t reported) – are related to critical infrastructure. There has been a significant uptick in ransomware attacks on energy and utilities companies, manufacturing and even transportation companies.
Why the sudden shift? The logical reason is that these industries, according to the same Deloitte report, are among the lowest in terms of IT spending. They spend less on IT and therefore even less on security. This is deeply concerning. We consistently hear from customers that budgets are tight and they have to find money to support increases in security spending.
Now, some point out that the recent attacks on Colonial Pipeline, JBS and others didn’t directly impact the Operational Technology (OT) networks – the networks that monitor and control industrial equipment, assets, processes, and so on. These networks were shut down out of an abundance of precaution to prevent further threats, or to prevent an indirect impact of the attack on OT systems.
So far, it would appear that fewer attacks have been successful in targeting OT environments. Yet these IT attacks are having a tremendous impact on OT.
