Trellix Report Reveals Key U.S. Critical Infrastructure Providers Lack Advanced Cyber Defenses

Majority of U.S. Providers in Oil & Gas, Healthcare, and State & Local Emergency Services Have Not Implemented Full Cybersecurity Capabilities due to Lack of In-House Cyber Skills

News Highlights

  • 77% of respondents from U.S. state and local governments in charge of emergency services have not fully implemented endpoint detection and response (EDR) and extended detection and response (XDR) solutions
  • 75% of U.S. oil and gas sector survey respondents have not yet fully deployed multifactor authentication (MFA) making remote access to systems much easier for bad actors
  • 74% of U.S. healthcare respondents have not fully implemented software supply chain risk management policies and processes
  • Over half of U.S. critical infrastructure providers in state and local government (51%), oil and gas (55%) blame lack of in-house cyber skills for not fully implementing cybersecurity measures
  • 38% of healthcare respondents favor U.S. government funding to help them improve sector cybersecurity

SAN JOSE, Calif.--()--Trellix, the cybersecurity company delivering the future of extended detection and response (XDR), today released a global Cyber Readiness Report investigating how U.S. critical infrastructure providers are preparing to defend themselves against cyberattacks. The report, based on research conducted by Vanson Bourne, surveyed 900 cybersecurity professionals from organizations with 500 or more employees. Trellix designed its survey to gauge the maturity of advanced cybersecurity implementations among U.S. government agencies, state and local governments and private sector peers responsible for protecting the nation’s critical infrastructure.

Worryingly, the report found that despite high-profile breaches, many critical infrastructure providers, particularly those in U.S. oil and gas, healthcare and state and local governments in charge of emergency services, have not yet fully implemented cybersecurity best practices. For example, three-quarters (75%) of respondents from the oil and gas sector admitted they had not yet fully deployed multifactor authentication, and more than three-quarters (77%) of those non-federal governments in charge of emergency services had not fully rolled out EDR or XDR solutions.

In addition, many critical infrastructure providers reported that they had not fully implemented sufficient supply chain risk management policies and processes, which is a particular concern following the SolarWinds and Microsoft Hafnium breaches in 2020 and 2021. Nearly three-quarters (74%) of healthcare providers admitted this had not been fully implemented.

The study revealed the cybersecurity talent gap is slowing the implementation of defensive technologies despite the current threat landscape, availability of private sector innovations, and greater willingness to invest. The lack of in-house cyber skills were blamed by over half of U.S. non-federal agencies running systems supporting local infrastructure and emergency services (51%) and respondents from the oil and gas sector (55%) for why their cyber defenses were not fully deployed.

“The hostilities in Ukraine have sharpened focus on the cyber readiness of critical infrastructure,” said Bryan Palma, CEO of Trellix. “The risks are known and well-discussed, but often these organizations do not have the cybersecurity talent to implement the necessary defenses. We need to scale security skills to prevent understaffed critical infrastructure from falling victim to cyber-attacks.”

The healthcare sector particularly noted underinvestment as a contributing factor, and two-fifths (38%) favored federal funding to deliver cybersecurity improvements. Critical infrastructure providers also called for the U.S. government to share more threat intelligence, with nearly all (95%) of respondents in the oil and gas industry saying there was room for improvement in the cyber threat data shared by their federal partners.

That said, the report shows the recent U.S. Executive Order on Improving the Nation’s Cybersecurity (EO 14028) could play an important role in strengthening the nation’s cyber defenses. Three-quarters (75%) of respondents anticipate using the EO as justification to obtain funding to meet their objectives. Over three-quarters (79%) of respondents believe that by setting higher cybersecurity standards for federal agency implementations, the government could raise standards for the IT industry and, through it, non-federal government and private sector implementations.

“By raising security requirements in areas such as software development for government implementations, the federal government is in a unique position to influence and raise related standards for the entire software industry,” said Thomas Gann, Chief Public Policy Officer at Trellix. “The Biden Administration has demonstrated constructive, responsible cybersecurity leadership over the last year, and we foresee the existing public-private partnerships as a sound foundation for building policy initiatives in this and other areas.”

The study also gauged the state of technology adoption and public-private collaboration among government and critical infrastructure providers in Australia, France, Germany, India, Japan, and the United Kingdom.

Additional Resources

About Trellix
Trellix is a global company redefining the future of cybersecurity. The company’s open and native extended detection and response (XDR) platform helps organizations confronted by today’s most advanced threats gain confidence in the protection and resilience of their operations. Trellix’s security experts, along with an extensive partner ecosystem, accelerate technology innovation through machine learning and automation to empower over 40,000 business and government customers. More at


Media Contact
Christopher Palm


Media Contact
Christopher Palm