Symantec’s 2011 Critical Infrastructure Protection (CIP) Survey found a drop in awareness and engagement as measured by the CIP Participation Index. Companies show a CIP Participation Index of 82 percent in 2011, down 18 points from 2010. Critical infrastructure providers come from industries that are of such importance that if their cyber networks were successfully attacked and disabled, it would result in an actual threat to national security.
2. Methodology
• Survey performed by Applied Research
• Surveyed CIP-specific industries
– All industries from last year
– Added 8 new industries this year (all on CIP list)
• 3,475 respondents
– 1,900 SMBs (5 – 499 employees)
– 1,575 enterprises (>1,000 US, >500 ROW)
• Spoke to person in charge of computers
3. Key Findings
• Lower awareness & engagement in government CIP programs
• Slightly more ambivalence about government CIP programs
• Organizations feel less prepared
4. Lower Awareness & Engagement in Government CIP Programs
• Lower awareness of government CIP programs in their country (36% vs. 55%)
• Less engaged in government CIP programs (37% vs. 56%)
5. Slightly More Ambivalence About Government CIP Programs
• More are ‘neutral’ or have ‘no opinion’ about government CIP programs (42% vs. 26%)
• Slightly less willing to cooperate (57% vs. 66%)
6. Organizations Feel Less Prepared
• Slight decrease in their self-assessment of readiness (-8%)
• Self-assessment of safeguards shows decline in readiness (-5 to -10%)
7. Recommendations: Protecting Critical Infrastructure
• Develop and enforce IT policies, automate all compliance processes
• Adopt a proactive, information-centric approach to protecting information and interactions
• Manage systems by implementing secure operating environments
• Protect the infrastructure by securing endpoints, messaging and Web environments
• Ensure 24x7 availability
• Develop an information management strategy that includes an information retention plan and policies
8. Recommendations for Government
• Continue to put forth the resources to establish government critical infrastructure programs
• Partner with industry associations and private enterprise groups to disseminate information to raise awareness of CIP organizations and plans
• Emphasize that security is not enough to stay resilient in the face of today’s cyberattacks