In our dynamic and connected business ecosystem, data breaches are inevitable. But we know that companies can mitigate the damage through processes and protocols to protect their assets. This year, our 2018 Global State of Information Security® Survey shows that industrial product (IP) companies (including manufacturing, chemicals, and automotive) are continuing their efforts to defend against cyber threats. Still, the data point to some areas of weakness.
Over the next 12 months, the sector intends to invest in three major areas of security safeguards:
I see these priorities as a reflection of the sector’s drive to digitize the business ecosystem, while acknowledging the issue of security.
IP companies have already implemented a broad range of cybersecurity safeguards. But only 44% of survey respondents say their corporate boards actively participate in their companies’ overall security strategy. To my mind, that’s a major weakness. Boards can help ensure a company has effective oversight and proactive risk management processes in place and help drive those processes through the organization.
There is also a lot of room for security improvement in the field of cloud computing. IP companies currently have more key business functions in the cloud (especially information technology, marketing and sales, and information security/cybersecurity/privacy) than the overall survey population. Yet spending for cloud governance, risk, and compliance (GRC) remains low, despite the fact that 60% of IP companies have increased spending in the last 12 months. So, while the trend is going in the right direction, cloud computing is still a vulnerable area.
When asked about the number of security incidents in the last 12 months, almost three-quarters of IP companies said they had between 0-50 incidents. Less than one percent said they had more than 100,000 incidents in that time frame. These numbers strike me as low and lead me to believe that cyberattacks are going undetected, leaving companies exposed to further security breaches.
In answer to a question about how the incidents occurred, respondents cited three primary avenues: mobile devices (e.g., smartphone, tablet computer); employees; and phishing. About 80% said they were very or somewhat confident that their organization could correctly identify the source of an attack. The largest impacts of the attacks were the compromise of customer records and loss or damage of internal records.
Overall, in looking at survey results for the sector since 2003, I would say IP companies have become more aware of cyber threats and how to contain them. However, in the last three years, spending has remained mostly constant (with a few exceptions), despite the changes in the business ecosystem that increase the risk of cyber incidents, such as cloud and mobile computing and the Internet of things. Coupled with the fact that companies are reporting relatively few incidents, and the fact that it takes an average of 6-18 months to detect an intrusion, my assumption is that many companies are failing to catch security breaches. Unfortunately, the longer it takes to recognize a breach, the more likely it is to cause damage.
There are no shortcuts to combating cybercrime. If spending levels for cybersecurity programs don’t grow to meet advancing and shifting threats, IP companies may experience increasing disruptions and data and financial losses.