Protecting Operational Technology is Key, But Only 18 percent of Energy Companies Said They Could Identify High-Value Security Assets and Business Processes for Better Protection
HOUSTON; Apr. 6, 2017 – Lacking enterprise-wide cyber analytics technology to monitor for cyberattacks, most oil and gas companies are not fully aware of when or even how cyberattacks might affect them, according to new research from Accenture (NYSE: ACN).
A majority (74 percent) of the 186 oil and gas company leaders surveyed in Accenture’s High Performance Security 2016 Report said their organization is confident that cybersecurity measures will yield valuable results. Indeed, more than three-quarters believe their top strategies are now able to protect their companies’ reputations, information and prevent service disruption.
However, this is at odds with 60 percent of energy leaders who said cybersecurity is a bit of a black box, as they don’t quite understand the timing or impact of cyberattacks. When asked about basic requirements to keep their company secure, energy leaders were less confident than their counterparts in other industries in their ability to measure the impact of breaches (40 percent compared to 47 percent for the cross-industry average) and to know their frequency (28 percent compared to 41 percent).
Oil and gas company leaders reported an average of 96 cyberattacks over 12 months, with one in three succeeding in a breach that was discovered only 62 percent of the time by firms’ security teams. Even then, detection took months for 51 percent of companies and weeks for 25 percent. The rest of the time, other employees and law enforcement officials most often discovered the breaches.
Oil and gas companies don’t have far to look to identify the sources of most cyberattacks. Company leaders said breaches are mostly from malicious company insiders (43 percent) or staff who accidentally published information (23 percent). Hackers accounted for 21 percent of attacks.
“Security does not end at the edge of the corporate network. It includes both operational technology and back office systems across the oil and gas value chain,” said Jim Guinn, managing director who leads Accenture’s security practice for resources industries. “Protecting core operations requires better investments in cyber defense including network analytics, cyber incident management programs that include both OT and IT networks, and ongoing testing to help identify any gaps. With a more comprehensive cybersecurity strategy that includes assets across the entire organization, oil and gas companies can be better prepared when a cyber event occurs.”
Executives identified the top effective tools for responding to cyberattacks as internal cross-functional teams (41 percent), standard operating procedures (37 percent), established technologies (36 percent) and communications plans (34 percent).
Not surprisingly, with the rise of the Industrial Internet of Things (IIoT) and the convergence of operational technology and information technology, respondents cited the need to fill cybersecurity gaps in end point / network security as their most pressing concern (55 percent). They expressed low confidence (18 percent) in identifying high-value security assets and business processes needed for better protection, and only 24 percent were confident of their capabilities in cyberattack scenarios.
Accenture Security Index Results
The results of this survey were analyzed in collaboration with Oxford Economics to develop the Accenture Security Index comparing the relative strength of organizations to protect themselves from cyberattacks. To gauge the effectiveness of current enterprise security efforts and the adequacy of their existing investments, Accenture surveyed 2,000 top enterprise security practitioners representing companies with annual revenues of $1 billion or more. According to the recently released Accenture Security Index, oil and gas organizations ranked second to last among cross-industry evaluation of high-performance cybersecurity capabilities with an overall ranking of 27 percent, meaning these organizations exhibited high performance in only nine capabilities on average. Additionally, oil and gas organizations ranked last in all industries in the threat vector monitoring capability (22 percent).
For more information on steps oil and gas companies can take to effectively deal with cyber threats, visit: www.accenture.com/energycybersecurityreport.
Accenture is a leading global professional services company, providing a broad range of services and solutions in strategy, consulting, digital, technology and operations. Combining unmatched experience and specialized skills across more than 40 industries and all business functions – underpinned by the world’s largest delivery network – Accenture works at the intersection of business and technology to help clients improve their performance and create sustainable value for their stakeholders. With more than 401,000 people serving clients in more than 120 countries, Accenture drives innovation to improve the way the world works and lives. Visit us at www.accenture.com.
About Accenture Security
Accenture Security helps organizations build resilience from the inside out, so they can confidently focus on innovation and growth. Leveraging its global network of cybersecurity labs, deep industry understanding across client value chains and services that span the security lifecycle, Accenture protects organizations’ valuable assets, end-to-end. With services that include strategy and risk management, cyber defense, digital identity, application security and managed security, Accenture enables businesses around the world to defend against known sophisticated threats, and the unknown. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.
+ 1 281 900 9089
+ 44 755 784 9009