The German Federal Office for Information Security (BSI) has found that an average of more than 2,000 new vulnerabilities are discovered in software every month, of which around 15 percent are classified as “critical.”
“In view of this constant threat situation, German industry should further strengthen its cyber resilience in 202,” said Jan Wendenburg, CEO of the Duesseldorf-based cybersecurity company Onekey.
Onekey recently released the findings of its “OT+IoT Cybersecurity Report 2024.” According to the report, the industry neglected software security in networked devices, machines and systems last year. The report on security in operational technology (OT) and Internet of Things (IoT) devices is based on a survey of 300 industry executives. https://www.onekey.com/resource/ot-iot-cybersecurity-report-2024
According to the study, around two-thirds of companies surveyed believe that cybersecurity should be improved. A third of them consider the budget allocated to defending against hackers to be “limited,” meaning that more emphasis should be placed on this area.
According to the report, 27% of companies are unsure about the budget situation for cybersecurity measures. Only 34% of companies surveyed have what they consider to be an “adequate” or even “significant” budget for cyber resilience initiatives.
As part of the survey, Onekey also wanted to know what measures companies are using to test their cyber resilience. According to the survey, 36 percent conduct threat assessments, 23 percent initiate penetration tests, 22 percent rely on intrusion detection, i.e. active monitoring of networks, and 15 percent prefer vulnerability assessments (multiple answers were allowed). About 19% strengthen security through network segmentation, so that a successful intrusion into one segment does not compromise the entire corporate network.
However, the most commonly used measure against cybercriminals in the survey was not technical protection, but legal protection—38 percent of companies require their IT service providers and suppliers to contractually guarantee security. Whether this is an effective measure remains questionable, however, as suppliers with “contractually assured security” have also been involved in almost all major security incidents in recent years, such as Cloudflare, Crowdstrike, Cisco and others.
Just under a third (32 percent) of the companies surveyed have processes in place to learn from security incidents and implement necessary improvements.
“Business leaders should put cyber resilience at the top of their agenda for 2025,” added Wendenburg.
Just over a third (34 percent) of organizations make at least some effort to improve security following a hacking incident. According to the survey, these companies make an effort to thoroughly analyze and evaluate the security incident they have survived and derive improvements in terms of measures to ward off cyber criminals. However, the finds that about the same number of companies are more or less helpless in the face of cyber attacks. They are largely unaware of how to deal with attacks on connected devices, machines and systems. Finally, 16 percent have not developed operational procedures to learn from cyber attacks and implement necessary improvements.