2021

Energy, Resources & Industrials Cyber Survey

In Deloitte's Energy, Resources and Industrials Cyber Survey, we assess the cyber resiliency and maturity of Danish corporations within energy, resources and industrials (ER&I). Read the full report below.

Editorial

Businesses in the Danish ER&I sector are on a journey towards maturity in cyber security. Slowly but surely the matter is becoming an integral part of company mindsets. Although many security areas lack the necessary attention and shortcomings are easy to point out, Danish ER&I businesses have taken a giant leap towards cyber security within the past years.

In this survey, we investigate the Danish ER&I sectors’ ability to respond to threats from the current cyber security landscape. Besides unique insights into the cyber security practices in the sector, our survey reveals three major trends:

The cyber security threat has increased significantly. There is an overwhelming consensus that cyber criminals are targeting Danish ER&I businesses with increasingly sophisticated strategies and resources, and COVID-19 has added fuel to the fire. However, our survey reveals that Danish ER&I businesses lack critical defense mechanisms to mitigate the consequences of an attack. Thus, many Danish ER&I businesses display incongruities between the perceived threat level and the strength of cyber defenses, leaving the door open for criminal breaches of crucial systems.

Cyber is climbing the agenda of top management. The increased threat level and the devastating ramifications of a successful attack have forced cyber security onto the boardroom agenda – but not yet as a top priority. Going forward, it is critical that leadership takes the time to receive regular input from IT security professionals. If not, decisions on budget, risk and security level are at risk of being underprioritized.

Suppliers pose the greatest security risk. Danish ER&I businesses must actively monitor countless threats to their systems. But the survey’s data indicates that the biggest risk is presented by suppliers not closely connected to the organisation. Thus, outsourcing takes center stage as an area of concern, underscoring the need to apply security measures to the full value chain.

In summary, the cyber security efforts of Danish ER&I businesses leave ample room for improvement. But the progress shown by the sector lights way forward when upgrading the effort.

We hope you find this survey interesting. Please do not hesitate to contact us for further information.

Methodology

The Energy, Resources and Industrials Cyber Survey is based on 76 quantitative CATI interviews with Chief Information Security Officers (CISOs), Chief Information Officers (CIOs) and cyber security managers employed with Danish ER&I businesses. In this case, an ER&I business is defined as a company operating in either the power and utilities sector, the mining and metals sector, the oil, gas and chemicals sector, or the industrial products and construction sector. The quantitative interviews were conducted by Epinion in August 2020 on behalf of Deloitte. Deloitte has concurrently conducted qualitative interviews with CIOs, CISOs and the like from Danish ER&I businesses.

These interviews have since been anonymised and will appear as quotes throughout the report.

The survey questions were formulated by Deloitte Denmark’s Cyber Risk unit, which also conducted the qualitative interviews. The telephonic survey, as well as the qualitative interviews, were originally conducted in Danish and have since been translated into English. The overall purpose of the survey is to examine Danish Energy, Resources and Industrials businesses’ cyber resiliency, maturity and risk level in the current cyber landscape.

Contact us

Serdar Cabuk

Partner

Kim Schlyter

Partner