Corporate cybersecurity does not suffer from a lack of general awareness, a PricewaterhouseCoopers LLP (PwC) survey of CEOs confirmed. It’s how that awareness has veered into overconfidence that concerns the Big Four auditor and professional services giant.

“It’s broader than just information technology,” said Jim Guinn, PwC’s senior managing director of IT security, privacy & risk, who led the firm’s webinar last week on cybersecurity’s threat to the energy industry. “It isn’t really about email being down. It’s really about the enterprise.”

PwC’s survey of 9,600 executives in 115 countries across industries showed that:

  • 81% of CEOs believe that technological advances will transform their business;
  • 70% are concerned that their organizations may be unable to protect their intellectual property or confidential customer data;
  • 49% are somewhat or extremely concerned about cyber attacks; and
  • 40% have invested in cybersecurity, increased that budget investment in FY 2013 and expected to increase their spending again in FY 2014.

The energy industry, provider of a resource of enormous economic and national security importance, could better defend itself, PwC believes.

“What do we need to do in support of the energy sector or the midstream sector in particular?” asked Matthew Linde, Houston-based director of the firm’s energy advisory practice.

Puncturing the veil of invincibility might be a good start. PwC’s September 2013 report, “Defending yesterday,” evaluated the preparedness of international oil and gas companies to protect assets against cyber attack. The report revealed a global glut of overconfidence: 79% of respondents had confidence in their companies’ security activities; 68% had confidence in their partners’/suppliers’ security activities; and 47% considered themselves to be front-runners in the industry, agreeing with the statement that “We have an effective strategy in place and are proactive in executing the plan.”

Perhaps more realistically, 10% considered themselves to be “tacticians” in a reactive mode and 17% placed themselves in the category of cybersecurity “firefighters.”

PwC detailed its own criteria in the report for leadership in the area:

  • Have an overall information security strategy;
  • Employ a chief information security officer (CISO) who reports to the CEO, CFO, COO, chief revenue officer or legal counsel;
  • Have measured and reviewed the effectiveness of security within the past year; and
  • Understand exactly what type of security events have occurred in the past year.

Against those standards, PwC politely opined that “our analysis shows there are significantly fewer real leaders than self-identified front-runners.”

Time to worry

A false sense of cybersecurity is cause for concern. While oil and gas corporate information security budgets grew an average of 32% in 2013 from 2012, to $5 million, that’s still below 2009’s $5.2 million and well off the peak of $5.9 million in 2011, according to PwC’s survey.

But attacks on oil and gas corporate systems are relentless. PwC reported that respondents experienced 179% more security incidents over the 12-month period from February 2012 to February 2013 than in the previous 12 months (in hard numbers, 6,511 incidents) and a staggering 470% increase in financial losses, in part because of the time and complexity of responding to incidents. Broken down, 37% reported that employee records were compromised, 36% suffered loss of or damage to internal records, 24% saw their customer records compromised or made unavailable, and identity theft afflicted 21% of responding companies.

PwC’s strategy for bringing attention to the problem to top executives is to focus on the bottom line.

“If you discuss these issues in the construct of loss of financial information,” said Guinn, “then CFO is your best bet.”

And there seems to be more to talk about all the time. While strikes by nation-states make headlines—like the Stuxnet virus reportedly unleashed by U.S. intelligence against Iran’s nuclear program, or the Iranian Shamoon virus blamed for infecting business systems at Saudi Aramco—it is insider activity that keeps oil and gas executives up at night.

In its “Defending yesterday” report, PwC’s survey found that former employees were estimated to be the source of 27% of incidents, with a further 26% attributed to current employees. Current service providers, consultants and contractors were blamed for 16% of incidents; former members of that category accounted for the same percentage.

Which may explain why that firewall (85% of companies employ this as a security safeguard) may be little more than a homage to another era’s threats. “Deployment of ‘block and tackle’ security programs is at an all-time high,” the report states. “But they may not comprehensively block today’s incidents, suggesting that these products and services are ineffective because they are built on outdated security models.”

That’s because the “global business ecosystem,” as PwC dubs it, has grown exponentially. It includes connectivity and collaboration to all facets of business, technology-led innovation and connections among departments that now encompass the entire organization.

How does your company rate?

The cybersecurity framework, designed to meet the federal government’s National Institute of Standards and Technology guidelines, is built around four basic tiers:

  • Partial: informal cybersecurity organization that often is forced to become reactive;
  • Risk Informed: awareness by management of issues, but not an organization-wide strategy in place;
  • Repeatable: formally approved practices and organization-wide approach; and
  • Adaptive: organization-wide approach based on risk-informed policies and lessons learned.

Almost half of webinar attendees surveyed did not know how their organizations stacked up against the guidelines. Around 40% placed their organizations in the partial or risk-informed areas, which indicates an acknowledgment of vulnerability, but 11% believed their organizations had achieved systems that were repeatable or adaptive, the highest tiers.

Guinn was doubtful.

“I would caution folks who say adaptive,” he warned. That tier requires meeting a standard across all aspects of an organization and few are in a position at this point to claim that.