Symantec Survey Finds Global Critical Infrastructure Providers Less Aware and Engaged in Government Programmes

KUALA LUMPUR, Malaysia – November 21, 2011 – Symantec Corp. (Nasdaq: SYMC) today released the findings of its 2011 Critical Infrastructure Protection (CIP) Survey, which found a drop in awareness and engagement on a global basis as measured by the CIP Participation Index. Compared to 2010, companies surveyed globally this year show a CIP Participation Index of 82 percent in government protection programmes, down 18 points from last year. Malaysia’s 2011 participation index is higher than the global index at 83 percent. Critical infrastructure providers come from industries that are of such importance that if their cyber networks were successfully attacked and disabled, it would result in an actual threat to national security.

“The Malaysian government should continue its good efforts in engaging the industry and ensuring the participation index remains high. Partnering with industry associations and private enterprise groups in sharing information and resources are important steps to ensure the country’s readiness in protecting its infrastructure,” said Ilias Chantzos, senior director of Government Affairs, Asia Pacific and Japan (APJ) and Europe, Middle East and Africa (EMEA). “Businesses and governments around the world should be very aggressive in their efforts to promote and coordinate protection of critical industry cyber networks. The latest attacks, such as Nitro and Duqu, are likely just the beginning of more targeted attacks directed at critical infrastructure.”Survey Highlights:
• Lower awareness and engagement in government CIP programmes. This year, companies are generally less aware of their government’s CIP programmes. Thirty-six percent of respondents were somewhat or completely aware of the government critical infrastructure plans being discussed in their country compared to 55 percent last year. Malaysia’s results were similar to the global results in 2011, with 36 percent indicating that they were somewhat or completely aware. In 2011, 37 percent of companies are completely or significantly engaged, versus 56 percent in 2010. Malaysia’s results were lower than global results in 2011 at 34 percent indicating that they were completely or significantly engaged. The survey also indicated that government CIP programs are relatively new to many companies in Malaysia, with only 17 percent responding that their company has been engaged with their country’s critical infrastructure plans for one to two years and 11 percent responding their engagement has lasted more than two years.

• Slightly more ambivalence about government CIP programmes. The survey also revealed that companies are more ambivalent in 2011 than they were in 2010 about government CIP programmes. For example, when asked to voice their opinion about government CIP programmes, 42 percent had no opinion or were neutral. Malaysia’s results were lower than the global results with 36 percent indicating that they had no opinion or were neutral. Also, companies are now slightly less willing to cooperate with CIP programmes than they were one year ago (57 versus 66 percent). Malaysia’s results were lower than the global results in 2011 at 54 percent.

• Global organisations feel less prepared. It is not surprising that as an organisation’s assessment of the threat drops, their readiness drops as well. Overall readiness on a global scale fell an average of eight points (from 60 to 63 percent in 2011 compared with 68 to 70 percent in 2010). Readiness of Malaysian companies in 2011 were lower than the global readiness with 52 to 61 percent .

Recommendations to ensure resiliency against critical infrastructure cyber attacks:
• Develop and enforce IT policies and automate compliance processes. By prioritising risks and defining policies that span across all locations, organisations can enforce policies through built-in automation and workflow and not only identify threats but remediate incidents as they occur or anticipate them before they happen.

• Protect information proactively by taking an information-centric approach to protect both information and interactions. Taking a content-aware approach to protecting information is key in knowing who owns the information, where sensitive information resides, who has access, and how it is coming in or leaving your organisation.

• Manage systems by implementing secure operating environments, distributing and enforcing patch levels, automating processes to streamline efficiency, and monitoring and reporting on system status.

• Protect the infrastructure by securing endpoints, messaging and Web environments. In addition, defending critical internal servers and implementing the ability to back up and recover data should be priorities. Organisations also need the visibility and security intelligence to respond to threats rapidly.

• Ensure 24x7 availability. Organisations should implement testing methods that are non-disruptive and they can reduce complexity by automating failover. Virtual environments should be treated the same as a physical environment, showing the need for organisations to adopt more cross-platform and cross-environment tools, or standardise on fewer platforms.

• Develop an information management strategy that includes an information retention plan and policies. Organisations need to stop using backup for archiving and legal holds, implement deduplication everywhere to free resources, use a full-featured archive system and deploy data loss prevention technologies.

Recommendations for governments to promote critical infrastructure protection:

• Governments should continue to put forth the resources to establish government critical infrastructure programmes.

o The majority of critical infrastructure providers confirm that they are aware of government critical infrastructure programmes.
o Furthermore, a majority of critical infrastructure providers support efforts by the government to develop protection programmes.
• Governments should partner with industry associations and private enterprise groups to disseminate information to raise awareness of government CIP organisations and plans, with specifics about how a response would work in the face of a national cyber attack, what the roles of government would be, who the specific contacts are for various industries at a regional and national level, and how government and private business would share information in the event of an emergency.
• Governments should emphasise that security is not enough to stay resilient in the face of today’s cyber attacks. Governments should also emphasise to critical infrastructure providers and enterprises that their information be stored, backed up, organised, prioritised, and that proper identity and access control processes are in place.

Symantec’s Critical Infrastructure Protection Survey
Symantec’s Critical Infrastructure Protection Survey is the result of research conducted in August and September 2011 by Applied Research, which surveyed C-level, IT professionals in SMBs and enterprises in 14 industries specifically designated as critical infrastructure industries. The report was designed to examine awareness, engagement, and readiness with regards to government CIP programmes. The survey included 3,475 organisations from 37 countries in North America, EMEA (Europe, Middle East and Africa), Asia Pacific, and Latin America. 150 organizations in Malaysia participated in the survey.


Symantec 调查报告显示全球关键设施供应商对政府计划欠缺认知和参与度


吉隆坡2011年11月18日讯 – Symantec 公司 (纳斯达克: SYMC) 今日公布了其2011年关键设施保安 (CIP) 调查报告, 报告显示，按照CIP参与指数的评级，全球对于保安的醒觉度和参与度都有下降的趋势。与2010年相比，全球参与这项调查的公司在配合政府保安计划只有CIP参与指数82%，比去年下降了18个点数。大马的2011年参与指数比全球指数稍高，为83%。关键设施供应商是至关重要的行业，这是由于它们的网络如被成功击破并停止服务，这将对国家安全构成重大威胁。

“大马政府应继续极力拉拢网络业者，确保参与指数维持在高水平。与业界公会及私立公司团体配合以分享资讯及资源是非常重要的举措，这将确保国家已做好准备防护网络设施，” 亚太与日本以及欧洲、中东及非洲政府事务高级总监Ilias Chantzos表示。“全球的商家和各国政府应该积极地推广并协调关键行业的网络保安。最新一轮的攻击，如Nitro和Duqu，极有可能是一系列针对关键设施的攻击前奏。”



调查报告重点:
• 较低的政府CIP计划参与度。今年，许多公司一般上并不太知晓当地政府的CIP计划。相比于去年的55%，今年只有36%的受访公司相当或完全知晓政府的关键设施保安计划。大马的调查结果与2011年的全球调查结果是相似的，即36%的全球受访公司相当或完全知晓。在2011年，全球有37%的公司完全或极力地参与计划，而在2011年却有56%。大马在这方面则比全球调查结果较低，国内只有34%公司表示有完全或极力地参与计划。调查也显示出，政府的CIP计划对于大马许多公司来说是新鲜事，只有17% 公司曾花一至两年的时间参与国家的关键设施计划，11%公司表示它们参与该计划超过两年。

• 对于政府的CIP计划稍微模棱两可。 调查报告显示，相比于2010年，2011年全球公司对当地政府的CIP计划较为模棱两可。举例说，当被询及它们对政府CIP计划的看法时，42%并没有任何看法或保持中立。大马的调查结果是比全球的稍低，36%表示没有看法或保持中立。同时，全球公司在于与当地政府CIP计划配合的意愿也较低（今年为57%，去年则是66%）。大马的调查结果比2011年的全球结果更低，为54%。

• 全球团体组织感觉没有做好准备。很显然的，威胁程度降低的时候，公司团体对于保安准备也会因此而下降。全球的整体准备度平均下降了8个基点（2011年的60至63%，和2010年的68至70%）。大马公司于2011年的准备度则比全球结果较低，为52至61%。

确保牢固的防护、防范针对关键设施网络攻击的建议:
• 发展资讯科技政策并加强执法，及自动化符合规范程序。优先处理风险及辨识涵盖所有地点的政策，透过内置的自动化工作流程，公司组织才能加强执行政策，不但可辨识威胁，更可补救形成的破坏或能在未造成破坏前预测攻击。

• 积极地保护资讯档案，以资讯为主的方式防护资讯和互动。采用内容为主的防护措施是关键性的，这将让公司知道谁拥有资讯、敏感资讯居留何处、谁可进入索取资讯、资讯如何流入或离开您的公司。

• 有效地管理系统。在这方面可透过执行安全的操作环境、分发及加强数据包、自动化程序使之更有效率、以及监测和举报系统状态。

• 保护设施。透过加强端点、简讯和网上环境的保安。此外，应该优先防护关键内部伺服器及执行备份及复建档案的能力。公司也必须能够视察并获得保安情报，以迅速应对威胁。

• 确保全天候的可用度。公司应执行非干扰性的测试程序，并透过自动化减少复杂程度。虚拟环境应与实体环境一视同仁，公司需采纳更多的跨平台及跨环境工具，或标准化数个平台。

• 发展资讯管理策略，包括让资讯留步的计划及政策。公司必需停止使用备份为法律文件存档、到处对开放式资源进行反复制、使用完整功能的存档系统并放置防档案流失的科技。
对政府推广关键设施保安的建议:

• 政府应继续投入资源，建立政府关键设施保安计划。

o 大部分的关键设施供应商确认它们知晓政府的关键设施计划。
o 此外，大部分的关键设施供应商支持政府发展该保安计划的努力。
• 政府应该联同业者公会及私人机构，发出有关政府CIP计划的资讯以提高认知度，特别强调该计划如何在国家网络被攻击时作出应对、政府的角色是什么、谁是各个行业在区域及国家层面上的联络人、以及政府和商家在紧急情况下如何分享资讯。
• 政府应强调，单靠保安措施是不足以应对现今的网络攻击。政府也应向关键设施供应商强调，它们应把资讯库存、整理、优先处理化、以及执行正当的辨识和权限监管程序。

Symantec 关键设施保安调查报告
Symantec 关键设施保安调查报告是由Applied Research于2011年8月及9月所进行的一项市场调查。这项调查访问了涉及关键设施的14种行业内、中小型企业的C等级资讯科技专员。这项调查旨在检讨对政府CIP计划的认知度、参与度和准备度。这项调查对北美、欧洲、中东、非洲、亚太及南美37个国家的3,475家公司进行调查。大马有150家公司参与了这项调查。