Energy companies are increasingly seeking multi-million pound insurance policies to help them recover in the event of a cyber-attack, but the majority of applicants are being turned away because of their weak cyber-defences.
According to the BBC, surveyor assessments of cyber-defences in place within the energy industry were deemed in adequate.
While previously attacking national energy or resource infrastructure would have involved compromising dedicated communication networks, the modernisation of these networks has made them part of the internet and so more vulnerable than ever.
"Insurance is only a plaster over these underlying weaknesses," said Chris McIntosh, CEO of security and communications company ViaSat UK.
He said that encryption of data in transit and rigorous authentication protocols need to become standard practice.
"Unless energy companies demonstrate they are taking the necessary precautions, insurers will keep them at arm’s length; public trust will fall; and the resilience of the country’s critical national infrastructure will inevitably suffer as a result," said McIntosh.
According to a recent Zpryme Research study, half of infrastructure providers in the US believed electrical networks were insecure.
Additional research by security company Websense revealed that over 70% of security professionals don’t trust their current security program.
"So many companies are still using security technology that is not fit for purpose in today’s threat landscape," Andy Philpott, SVP Sales, Websense.
"This is a wake-up call for utility firms seeking out insurance against cyber attacks and increasingly being refused. There needs to be a mental shift refocusing from insuring against the aftermath of an attack to preventing it entering the network in the first place."
This message was echoed by Einar Lindquist, CEO of Cryptzone, who said that these risks are universal in all organisations, not just for energy giants.
"Businesses may increasingly discover themselves to be uninsurable in the coming months unless they can prove robust IT security measures are in place," he said.
"It is impossible for IT to be aware of all the confidential and sensitive information stored in the corporate IT environment. It is of course sensible to document and communicate a framework of what constitutes sensitive information, but it may not always be as obvious as listing particular applications or document authors."
