'Alarming gaps' as 78% of Malaysian critical infrastructure providers breached, Unisys says


John Kendall - Unisys modified 

Photo - John Kendall, Security Program Director, Unisys Asia Pacific.


According to new global research, IT security services firm Unisys said 78 percent of Malaysian critical infrastructure providers have experienced at least one breach in the last year.

Unisys commissioned The Ponemon Institute to conduct the 'Critical Infrastructure: Security Preparedness and Maturity' study, which showed  "alarming gaps in Malaysia's utility, oil and gas, energy and manufacturing organisations" that led to breaches, caused mainly by accidents or mistakes, said Unisys Asia Pacific security program director John Kendall.

Kendall said that nearly 70 percent of executives surveyed at companies responsible for power, water and other critical functions globally (and 78 percent in Malaysia) have reported at least one security breach that led to the loss of confidential information or disruption of operations in the past 12 months.

The study indicated widespread security critical infrastructure concerns as it also showed that that 86 per cent of critical infrastructure providers in Australia and New Zealand have been breached in the past year.

He added that only 4 percent of Malaysian respondents describe their organisation's IT security programme or activities 'as mature', compared to the global average of 17 percent.

Those Malaysian organisations that suffered a data breach in the past year most often pointed to an internal accident or mistake (48 percent), he said. Despite this, only 4 percent of Malaysian respondents said they provide cybersecurity training for all employees.

Kendall said the study showed that Malaysian organisations "were also more likely than those in other countries to cite external attacks as a cause of recent breaches, with 43 percent of respondents blaming external attacks for breaches, compared to the global average of 28 percent."

 More breaches anticipated 

In addition, he said more than half (55 percent) of Malaysian respondents expected "one or more serious attacks in the coming year.  Despite this risk, only 30 percent ranked security as one of the top five strategic priorities for their organisations.  Even so, a majority, 63 percent, named their top business priority as minimising downtime."

"It is surprising that so many utilities organisations have not made security a strategic business priority, given the Malaysian economy's dependence on such critical infrastructure," said Kendall.  "The increased dependence of critical infrastructure on IT systems, and the interconnectedness of those systems, means that these organisations are increasingly vulnerable to cyber security failures that may result in data breaches or downtime.  What's more, failure in one area of infrastructure can create outages in others - in a domino effect." 

"Malaysian respondents cited both accidental breaches and deliberate attacks as the cause of recent breaches and future risks," he said. "Therefore they need to take a holistic approach to data security that goes beyond traditional perimeter security and addresses potential accidental and deliberate threats within the organisation.  In effect, the internal environment must be treated as 'hostile territory', in the same way that we must guard against external attacks.  We hope the survey results serve as a wake-up call to critical infrastructure providers to take a much more proactive approach to securing their IT systems."

Other Malaysia findings include:

-  More than half (57 percent) of the 27 Malaysian critical infrastructure providers surveyed said they had experienced security incidents due to the use of 'insecure networks', and one in three (33 percent) were caused by 'employee use of social networks and unmanaged access to cloud services.'

- Malaysian respondents cited negligent insiders (48 percent), malicious insiders (44 percent) and system glitches (44 percent) as their top security threats.  They also rated the technologies most effective to foster security objectives to be automated code review and debuggers, data loss prevention systems and mobile device management.

Kendall said the survey also pointed to concerns around the security of industrial control systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems, which monitor and control the processes and operations for power generation and other critical infrastructure functions.

When asked about the likelihood of an attack on their organisations' ICS or SCADA systems, "67 percent of the Malaysian senior security officials responded that a successful attack is at least somewhat likely within the next 24 months. Just 19 percent of Malaysian respondents thought that the risk level to ICS and SCADA has substantially decreased because of regulations and industry-based security standards, which means that tighter controls and better adoption of standards are needed."

The Critical Infrastructure: Security Preparedness and Maturity web survey was conducted between April-May 2014 by the Ponemon Institute across 13 countries: Australia, Brazil, Canada, Columbia, France, Germany, Malaysia, Mexico, Netherlands, New Zealand, Spain, United Kingdom and United States.  Responses came from 599 business and IT decision-makers (27 from Malaysia) in utility, oil and gas, alternate energy and manufacturing organisations.