Critical infrastructure cyberattacks signaling the importance of prioritizing security

Armis released new data uncovering the lack of knowledge and general awareness of major cyberattacks on critical infrastructure and an understanding of security hygiene.

The survey of over 2,000 respondents from across the United States found that end users are not paying attention to the major attacks plaguing operational technology and critical infrastructure across the country, signaling the importance of businesses prioritizing a focus on security as employees return to the office.

In the past year, 65,000 ransomware attacks occurred in the United States. In other words, approximately 7 attacks per hour, a rate that is expected to continue to rise. As the U.S. looks at its vulnerable industries, the responsibility is falling on businesses to ensure that they are keeping the organization and employees safe and secure.

Critical infrastructure cyberattacks continue to rise

From the Colonial Pipeline attack shutting down services, to the Florida Water Facility hack endangering the water supply, to the ransomware attack on JBS, which could raise meat prices and also restrict access to necessary nutrients in developing countries — the impact of cyberattacks on our critical infrastructure has been evident.

We’ve also seen ransomware hit healthcare in a major way, with attacks on Scripps Health’s technology systems and a chain of Las Vegas hospitals. Despite the spotlight on these attacks, the data shows that many consumers are simply not taking notice — and the responsibility of security falls on the businesses themselves.

As the risk of attack continues to rise, and businesses move toward a hybrid in-office/work from home model, it is imperative that businesses are considering security and ensuring the proper policies and protections are in place. Thinking critically about security early on, and weaving it into your company’s everyday practices, can be the difference-maker as employees return to the office.

“The attacks on our critical infrastructure are clear evidence of the need for cybersecurity and assurance to all our utility providers and players,” said Curtis Simpson, CISO at Armis.

“It is also an unfortunate example of the huge vulnerability of an aging infrastructure that has been connected, directly or indirectly, to the internet. Organizations must be able to know what they have, track behavior, identify threats, and immediately take action to protect the safety and security of their operations. This data shows that there is less consumer attention on these attacks as we might expect, and so that responsibility falls to businesses to shore up their defenses.”

Education and awareness of cyberattacks is still lacking

Despite these major attacks making headlines on the national stage, respondents showed a lack of awareness of these attacks and their impact on consumers and businesses.

Over 21% of respondents have not even heard about the cyberattack on the largest U.S. fuel pipeline, and 45% of working Americans did not hear about the attempted tampering of Florida’s water supply.

The severity of the cyberattacks on critical infrastructure is not sticking

Despite the complete shutdown of the Colonial Pipeline following the attack, and the halting of production at JBS, consumers don’t see the lasting effects of these attacks. 24% of respondents believe that the Colonial Pipeline attack will not have any long-lasting effects on the U.S. fuel industry.

Healthcare could be the next frontier for hackers

According to a commissioned study conducted by Forrester Consulting on behalf of Armis, 63% of healthcare delivery organizations have experienced a security incident related to unmanaged and IoT devices over the past two years.

Yet today’s data shows that when it comes to device security, over 60% of healthcare employees believe that their personal devices do not pose any security threat to their organization. What’s more, 26% said that their companies do not have any policies in place to secure both work and personal devices.

Employees are putting businesses at risk through devices

As COVID-19 restrictions begin to lighten, enterprises are starting to talk about the return to the office, but as we go back, businesses need to be thinking about overall enterprise security, especially as employees have expressed their intention to continue some potentially risky habits.

The data shows that over 71% of employees intend to bring their WFH devices back to the office, with over 82% of that group being IT professionals, whose main job function is to ensure the security of the organization. Despite the risks prevalent, 54% don’t believe their personal devices pose any security risk/threat to their organization.