Almost 90 per cent of power and utility executives say their cybersecurity strategy does not fully meet their company’s needs, a new report has found.

EY’s Global Information Security Survey 2016-17, released this week, showed that cybersecurity in the power sector is “not keeping up with technology” as companies struggle to manage increased risk from growth in digital and connected devices. Inadequate security operating models are also exacerbated by budget pressures, the report found.

And executives are aware of this. The number of surveyed executives who deem their cybersecurity strategy inadequate (89 per cent) is up on last year’s number (86 per cent), EY said, with 87 per cent reporting that they lack confidence in their organization’s cybersecurity measures.

A majority (66 per cent) of power and utility executives said their cybersecurity budgets will increase over the next 12 months. However, while 39 per cent of respondents said they would need at least a 25 per cent budget increase to achieve their desired level of risk tolerance, only 13 per cent expected to receive this increase in funding. In addition, 86 per cent said they would need up to 50 per cent more funding in order to adequately counter threats.

“Power and utility companies are grappling with significant disruption in the sector and the security implications of digital transformation often gets lost,” explained Matt Chambers, Risk and Cybersecurity Leader at EY Global Power & Utilities. “As a result, too many organizations only consider investing in cybersecurity after there is a large breach or if it’s mandated rather than committing budget up front.”

Of the surveyed executives, 57 per cent reported having had a recent cybersecurity incident. However, only 5 per cent had recently made a change to their organization’s strategy, with the majority of firms missing what EY identified as major aspects of a cybersecurity programme. Only 24 per cent of firms have an incident response plan in place to help them recover from malware and employee carelessness or misbehaviour – identified as the highest risk by 55 per cent of respondents.

Indeed, the report drew a distinction between ‘cyber resilience’ (establishing tools and strategies to protect against expected threats) and ‘cyber agility’ (the ability to react to change in a threat landscape). EY recommended a switch from a ‘fail-safe’ model in which defenses are expected to prevent an attack, to a ‘safe-to-fail’ model which can limit the damage. 

“Cybersecurity efforts often prioritize preventative controls – and it is important hygiene to protect the technology from standard threats – but that will be insufficient against a determined attacker,” Chambers said, warning that companies “must invest in strengthening detect and response capabilities. Attacks to disrupt safe and reliable service are already occurring.”

The full report is available here