Spurred in part by geopolitical, regulatory and hacktivist concerns, companies are spending more on cybersecurity this year than in the past, according to a new DNV report.

Cybersecurity has moved from being largely a technology risk to a business risk, particularly in the energy sector, prompting companies to increase investments. Even so, perceptions of the investment level, and of whether money is being spent on the right things, differ depending on the role of the respondent surveyed for DNV’s “Energy Cyber Priority 2023: Closing the Gap between Awareness and Action.”

Jalal Bouhdada, DNV’s global segment director for cyber security, told Hart Energy prior to the report’s release that the level of innovation in the energy sector has brought many opportunities, but also created cyber risk.

“The industry can definitely battle those bad guys and ensure that our infrastructure and critical infrastructure will remain safe and reliable for the future,” he said.

Respondents were asked, “To what extent do you agree or disagree with the following?” Percentages reflect net agreement (i.e., moderately or strongly agree). (Source: DNV)

The recipe for cyber-resilience calls for understanding risk, communications and collaboration, he said.

Withstanding an attack starts with getting the basics right, he said.

“You cannot protect what you don’t know. That’s the first thing. Understand your risk profile. Understand your weaknesses, and prioritize what matters most,” he said.

With clear visibility about assets and their associated risks, he said, companies can set up cybersecurity programs that mitigate those risks. And training for breaches can help companies respond quickly should an attack be successful, he added.

“It's really about how you respond to this type of incident. You have the capacity, you have the support, you have also the speed and the training and the readiness to be able to restore your operation and keep your business up and running,” Bouhdada said.

Companies have shifted their view of cyber threats, he added. Cyberattacks can harm people, assets and the environment, causing financial repercussions.

“There is a sense of urgency from companies as this topic becomes a business risk and not necessarily just a technology risk,” he said. “The boards and senior management are becoming more nervous about this, and they are seeing that, ‘Hey if we don't do anything, then we can be the next victim.’”

Survey says

In the report, 77% of respondents agreed that their organization treated cybersecurity as a business risk.

For DNV’s second annual Energy Cyber Priority report, respondents reported higher geopolitical and hacktivist concerns this year than they had before Russia invaded Ukraine in February 2022. Before the invasion, 65% of those surveyed were concerned about attacks from hacktivists and 57% were wary of malicious foreign powers and state-sponsored actors.

Percentage of agreement or disagreement with the statements varied by whether the respondent was in the C-suite or in operations. (Source: DNV)

Following the invasion, hacktivism concerns rose to 71% and state-sponsored fears were up to 63%. Those concerns subsided slightly in 2023, with 69% reporting being concerned about hacktivists and 62% about foreign attacks.

But C-suite and operations-level respondents had a slight disconnect in how they viewed their organizations’ cybersecurity response: 74% of C-suite and 67% of operations employees reported that their company’s focus on cybersecurity had increased due to growing geopolitical tensions in the past year. In the C-suite, 87% thought geopolitical uncertainty had made their organizations more aware of potential cybersecurity vulnerabilities in their OT systems, compared to 71% at the operations level.

DNV said that 59% of energy professionals surveyed said their organization is investing more in cybersecurity in 2023 compared with last year. 

“We are seeing really that there is a transition from knowledge, or being aware of the issue, to moving into action,” Bouhdada said.

At the same time, there is concern that the money is not being spent efficiently, he said.

He said some respondents did not believe the investment was enough, while a portion did not think resources were being wisely allocated. This indicates there may be “a lack of efficiency in how those budgets and resources are used,” he said.

According to the report, 49% of respondents thought their companies would devote more funding to cybersecurity to meet changing regulatory requirements. Another 38% thought an incident or near-miss within the organization would prompt funding, while 34% thought an incident or near-miss that affected another organization in the sector would fuel further funding.

Respondents were nearly even on whether leadership or customer pressure would lead to greater funding, with 29% seeing internal impetus leading to more spending and roughly a quarter saying customer interests would.

Less than a quarter — 24% — told the survey that a clearer assessment of weaknesses and vulnerabilities would lead to additional funding. Such assessments are commonly considered one of the most important steps in cyber defense.

Respondents selected the top three factors that were most likely to lead to greater cyber funding in their organizations. (Source: DNV)

The where matters

The report also indicated that the location of an organization influenced the approach toward cybersecurity. At 64%, Asia-Pacific companies were more likely to respond that cybersecurity was considered at every stage of the lifecycle of the organization's assets and infrastructure. That compares with 52% of European companies, 48% of those in the Americas and 45% of those in the Middle East and Africa.

“The risk profile and appreciation for, and also the culture for cybersecurity is not the same in different regions,” Bouhdada said, noting some regions are compliance and regulations driven while others are based more on risk.

No matter what drives an organization’s approach to cybersecurity, Bouhdada said security should be addressed holistically and for the long term.

“Cybersecurity is really a continuous effort,” he said. “There is always the need for more investments and funding, because this ecosystem is becoming more complex and the sophistication of attack is increasing.”