Internal cyber threat vectors remain among the most urgent yet understated sources of cyber risk for any organisation and industry. Even so, the sector has some way to go in making cyber risk management truly “risk-driven”, integrated top-down as an organisation-wide shared responsibility. Ninety percent of E/P survey respondents indicated that responsibility for cyber risk sits mainly within IT, while only 48 percent indicated that it sits mainly with their risk management team.
With regard to process, the sector has taken a more proactive approach to cyber risk than other industries, though these actions are still largely centred on basic preparation and prevention. Of the E/P organisations surveyed:
- 91 percent have made improvements in hardware security
- 84 percent have improved data protection capabilities
- 77 percent have implemented awareness training
- 71 percent have strengthened their cybersecurity policies and procedures
From a technology standpoint, the evaluation of cyber risks should be an end-to-end process, on the understanding that cyber risk is a systemic business risk. Currently, a majority of organisations assess their cyber risks only during the initial phase of a project. Almost two-thirds of companies across all industries also do so during the testing phase, and almost half of E/P respondents (47 percent) note that their organisations additionally do so during the onboarding/implementation stage.
External cyber threat vectors stem from the growing supply chain, including trusted partners, and from an evolving regulatory landscape that seeks greater accountability.
Supply chain risk is growing rapidly. As infrastructure modernises and pressure mounts to move operations to the cloud, organisations become more reliant on, and more tightly integrated with, third-party operations. Systems are increasingly interconnected, with interdependencies across the supply chain, and this interconnectivity will only continue to increase.
This raises the stakes for every organisation in the supply chain to maintain cyber resilience, since each now operates in an ecosystem exposed to weaknesses in other companies that may not share the same focus on cyber risk management.
According to 38 percent of E/P respondents, partners in the sector’s interconnected supply chains face a greater threat from cyber risks than their own organisations perceive.
From a policy and legislative perspective, there has been a significant increase in the regulation of data privacy and cybersecurity globally and across all industries, with a primary focus on data protection and supply chain security.
Regulation and cyber threats were highlighted as the topmost concerns in the E/P sector. As to which types of standards work (or do not work) for the E/P sector, perceptions across all industries are mixed on the effectiveness of “hard” government regulations and laws in helping organisations improve their cybersecurity posture.