Keeping sensitive content locked within

As cyber threat actors increasingly target utilities, the question abounds of what can be done to protect critical infrastructure against destructive cyber-attacks. Tim Freestone of Kiteworks shares his ideas.

The growing reliance on digital technology and the related interconnectedness of the systems used within has unfortunately made the energy and utilities sector an increasingly attractive target for cybercriminals.

These rising cyber threats are putting energy and utilities companies at risk, not just in terms of financial and reputational damage but also in terms of the security and safety of critical infrastructure and services. At the same time, confidential information exchanged via file sharing and transfer and email is posing a significant target for cyberattacks.

It is such an issue that just last month, the US government's Cybersecurity and Infrastructure Security Agency (CISA), the NSA, the FBI, and eight other US and international partners issued a warning urging critical infrastructure owners and operators to protect their facilities against destructive cyber-attacks that may be brewing from the Far East. So, what can be done?

Too many disaggregated tools are being used for sensitive content communications

Our 2023 Sensitive Content Communications Privacy and Compliance report last year found that energy and utilities companies are struggling to manage file and email data communication risks – both inside their organisations and with third parties.

Like other industry sectors, the majority of energy and utilities companies today rely on a disparate silo of different communication tools for sending, sharing, and transferring sensitive content.

Have you read?
Future priorities for AI in an evolving digital energy cyber security regulatory framework
Energy cybersecurity in 2024: Building accountability and responsibility

In fact, the vast majority (96%) use five or more sensitive content communication systems. It is something that has grown over time and not only increases the attack surface but increases CapEx and OpEx for energy and utilities companies, with 72% saying they spend more than $250,000 on them annually.

How energy and utilities companies rank for third-party content communications risk

Two in five (40%) energy and utilities companies say they send and share sensitive content to 2,500-plus third parties on a regular basis. Over nine in ten (92%) do so with 1,000-plus third parties. This is a huge amount and creates significant privacy and compliance risks for them. The disaggregation of file and email communication tools that we explored earlier makes it really difficult to create governance tracking and controls that will minimise the risk too.

The communication channel that has the highest risk is file sharing. One in three energy and utilities companies rank file sharing as the riskiest channel for third-party content communications. Twice as many (68%) rank it either number one, two or three. This was followed by email, which was ranked one, two or three by over half (56%) of respondents.

Alarmingly, the energy industry ranked among the lowest of all in terms of having a comprehensive system in place to track and control access to sensitive content folders for all content types and departments.

Only 20% of energy and utility companies said that they have such a system currently in place. It is perhaps not surprising that almost seven in ten (68%) industry professionals believe they need to improve their approach to mitigating these risks. Their assessment is illustrative of the fact that four out of five energy and utilities companies experienced four or more instances of sensitive content communication exploits in the past year.

This has to stop.

The need to improve digital risk management

There is cause for serious concern when it comes to protecting sensitive content communications in the energy and utility industry from privacy and compliance exposure.

Only a quarter (24%) of companies admit that they track and record third-party access to sensitive files and folders across all departments. Another 12% track only for certain departments, while 44% track only for certain content types. Lack of robust digital rights management poses a problem. More respondents in energy and utilities say their risk management of third-party content communications needs a completely new approach – the highest of any industry sector – and another 24% say that significant improvement is needed. There is certainly room for improvement.

How a private content network would help

A Private Content Network could be the answer.

A Private Content Network would provide energy and utilities companies a secure environment for exchanging sensitive content between users, organisations, and systems.

This would enable them to demonstrate compliance with increasingly stringent data privacy regulations and cybersecurity standards. Zero-trust policy management provides risk and compliance professionals with unified visibility and the ability to set policies that adhere with regulations such as GDPR, HIPAA, Cyber Essentials and many others.

Advanced security capabilities seamlessly integrate third-party security investments in ATP, CDR, and DLP. These capabilities protect sensitive data, such as employee and customer PII, financial documents, merger and acquisition information, and legal documents, that energy and utilities companies send and share internally and with third parties.

Just make sure that whatever you choose supports certifications such as SOC 2, ISO 27001, 27017, 27018, and FedRAMP Authorised for optimum peace of mind.

About the author:

Tim Freestone is the chief strategy and marketing officer of software company Kiteworks, with over 15 years of experience in marketing.

Freestone joined the company in 2021 after working as vice president of marketing at Contrast Security, a scale-up application security company. Prior to Contrast, he was vice president of Corporate Marketing at Fortinet, a multi-billion-dollar firewall and cloud security company.