Corporate cybersecurity does not suffer from a lack of general awareness, a PricewaterhouseCoopers LLP (PwC) survey of CEOs confirmed. It’s how that awareness has veered into overconfidence that concerns the Big Four auditor and professional services giant.

“It’s broader than just information technology,” said Jim Guinn, PwC’s senior managing director of IT security, privacy & risk, who led the firm’s webinar last week on cybersecurity’s threat to the energy industry. “It isn’t really about email being down. It’s really about the enterprise.”

PwC’s survey of 9,600 executives in 115 countries across industries showed that:

  • 81% of CEOs believe that technological advances will transform their business;
  • 70% are concerned that their organizations may be unable to protect their intellectual property or confidential customer data;
  • 49% are somewhat or extremely concerned about cyber attacks; and
  • 40% have invested in cybersecurity, increased that budget investment in fiscal year (FY) 2013 and expected to increase their spending again in FY 2014.

The energy industry, provider of a resource of enormous economic and national security importance, could better defend itself, PwC believes.

“What do we need to do in support of the energy sector or the midstream sector in particular?” asked Matthew Linde, Houston-based director of the firm’s energy advisory practice.

Puncturing the veil of invincibility might be a good start. PwC’s September 2013 report, “Defending yesterday,” evaluated the preparedness of international oil and gas companies to protect assets against cyber attack. The report revealed a global glut of overconfidence: 79% of respondents had confidence in their companies’ security activities; 68% had confidence in their partners’/suppliers’ security activities; and 47% considered themselves to be front-runners in the industry, agreeing with the statement that “We have an effective strategy in place and are proactive in executing the plan.”

Perhaps more realistically, 10% considered themselves to be “tacticians” in a reactive mode and 17% placed themselves in the category of cybersecurity “firefighters.”

PwC detailed its own criteria in the report for leadership in the area:

  • Have an overall information security strategy;
  • Employ a chief information security officer who reports to the CEO, CFO, COO, chief revenue officer or legal counsel;
  • Have measured and reviewed the effectiveness of security within the past year; and
  • Understand exactly what type of security events have occurred in the past year.

Against those standards, PwC politely opined that “our analysis shows there are significantly fewer real leaders than self-identified front-runners.”

A false sense of cybersecurity is cause for concern. While oil and gas corporate information security budgets grew an average of 32% in 2013 from 2012, to $5 million, that’s still below 2009’s $5.2 million and well off the peak of $5.9 million in 2011, according to PwC’s survey.

But hackers targeting oil and gas corporate systems are relentless. PwC reported that respondents experienced 179% more security incidents over a 12-month period from February 2012 to February 2013 than the previous 12 months (in hard numbers, 6,511 incidents) and a staggering 470% increase in financial losses, in part because of the time and complexity of responding to incidents. Broken down, 37% reported that employee records were compromised, 36% suffered loss of or damage to internal records, 24% saw their customer records compromised or unavailable and identity theft afflicted 21% of companies responding.