Cyber-security is a win-win

Energy companies are failing to leverage cyber-security for competitive gain, according to a new EY survey.

Our recent EY report Cybersecurity for Competitive Advantages surveyed nearly 200 companies. It shows that energy companies still have work to do to establish stronger links between security and greater competitiveness. Failure to do so could see them be eclipsed by more cyber-aware and tech-savvy new market entrants.

Forty per cent of energy sector respondents currently invest 6-10 per cent of their overall IT budgets in cyber-security. This is in line with global baselines, with arguably 10 per cent being much higher than most. Given that these budgets may not include spend on transformation projects such as smart metering, Internet of Things (IoT) and operational technologies, this is considered a strong spend for UK companies.

Meanwhile, 44 per cent of those surveyed still plan to increase budgets by between 15 per cent and 25 per cent during 2019. This trend may well be driven by the rise of cyber-security threats and attacks.

Most energy companies are concerned about the new risks that technologies can bring. Currently, 56 per cent fear they are behind industry peers on the adoption of new technology and 80 per cent say cyber-security concerns are slowing their growth plans. By focusing on the opportunities these offer, this can help towards a significant step-change. For example, technology, media and telecoms companies across our survey have focused investments on the adoption of automation, cloud and IoT to help tackle attacks and accelerate threat detection.

Some 76 per cent of energy companies cite human factors as their biggest cyber-security risk and 52 per cent fear their employees do not understand their role in keeping the business secure. Greater focus on training and policies will help towards building a culture of cyber-security awareness and responsibility.

Sector lacks board confidence

Part of the problem is that many energy companies do not have board buy-in. Over half (54 per cent) state lack of business sponsorship as a major barrier. This could be attributed to security teams reporting on cyber risks in technical terms, instead of business terms that the board can understand. Currently, 60 per cent of energy companies fear their board would not be able to quantify their company’s cyber-security risk exposure. This is in contrast to technology, media and telecoms companies, where 96 per cent feel confident their boards can quantify cyber risks. The board should be guided by security teams, having tactical messages translated into how this impacts the broader company strategy and growth. With more tangible and holistic reporting, this will enable the board to be engaged to make informed decisions.

Overall, 72 per cent of energy companies believe having a strong cyber-security brand can help secure competitive advantage, although only 48 per cent have sought to measure the potential value of improving their cyber-security.

Today’s innovations in energy storage, smart metering and digitalisation have enabled more and more players to enter the energy market and provide new business models.

Increasingly, tech giants such as Amazon and Google have also set their sights on the retail power market. As a result, those that are not able to seize the opportunities of operational efficiencies, cost reduction and stakeholder trust that cyber-security can bring, risk being left behind.