


Industrial companies are increasingly being targeted by cyberattacks. Smaller businesses in particular often neglect to ensure they are protected - with incalculable consequences. A VDMA study shows how negligent many companies still are when it comes to security standards.

By Holger Paul

The world is becoming ever more connected - and is thus attracting ever more attackers. Cyberattacks have become one of the biggest dangers facing companies of all kinds, with perpetrators' motives ranging from espionage to blackmail to causing deliberate damage to competitors, perhaps going as far as ruining them. The enormous scale of these attacks all over the world can be seen in numerous reports - or by looking at the website of the American IT infrastructure corporation SonicWall, for example. The summary of global cyberattacks published there makes frightening reading: In the first six months of 2019 alone, the security specialists from SonicWall Capture Labs registered 4.8 billion malware attacks, 8.3 billion phishing attacks and a total of almost 75,000 types of attack that have never been seen before. And that is not all that industry should be concerned about: The figures show the number of attacks specifically on industrial systems and connected IoT devices growing particularly quickly - by 217 percent in 2018 compared to the previous year.

Given these figures, it is even more surprising that so many companies are still failing to take their cyber security seriously enough. This is even the case in mechanical engineering - an industry that is particularly attractive to hackers as a technological advantage translates directly into a customer benefit and thus to new orders. Steffen Zimmermann, Head of the VDMA Competence Center Industrial Security, comes to a sobering conclusion: "80 percent of mechanical engineering companies in Germany do not have sufficient protection." Businesses are aware of the risks, with six out of ten companies expecting attacks to increase over the next few years. "But knowledge of the risks alone is not enough to take decisive action to prevent them," warns Zimmermann. Experts from other sectors agree. "When it comes to cybersecurity, many companies have buried their heads in the sand," says Gilbert Wondracek, Senior Manager Risk Advisory at Deloitte, in his comments on the Cyber Security Report 2019, in which the consulting firm analyzed the situation in Austria. "That is a big mistake. Those who fail to take action in the face of mounting threats will sooner or later become a target. Small companies should be aware of that, too," he warns.

VDMA has also intensively examined these failures and the resulting dangers for the industry in its new study "Industrial Security in Mechanical and Plant Engineering." The discrepancy between theory and practice is enormous: Although more than 80 percent of companies in the German mechanical engineering industry are aware of one of the common security standards, only just over half of them apply it. This is further evidence that smaller companies in particular are hesitant when it comes to seriously enhancing their protection against cyberattacks. It all starts with allocating responsibility. "Almost 60 percent of mechanical and plant engineering companies still do not have an IT security officer in production," complains Zimmermann.

But the damage caused by a successful attack can be enormous. A recent study conducted among IT managers from all over the world by IT security company Radware showed that each successful cyberattack on a company causes estimated damage of 1 million euros on average. Such damage is likely to be significantly underreported, with only a few cases as public as that of the Munich-based mechanical engineering corporation KraussMaffei, which was the victim of a ransomware attack that forced it to slow production for several weeks. As well as the direct damage to the attacked computers and servers, companies also have to cope with the subsequent costs: Customers may threaten contractual penalties if deliveries are not made, software at the company may have to be completely replaced, and the company may suffer a loss of reputation that is ultimately difficult to put into figures.

Many companies are at least aware that anonymous hackers from faraway countries are not the only threat. According to the VDMA study, "human error and sabotage" are seen as the greatest threat - including the threat from a company’s own staff, customers and other contacts on site. "That makes it all the more important to define instructions clearly and provide training at the company," explains VDMA expert Zimmermann. But even many companies that do take their cybersecurity seriously are guilty of one cardinal sin: failing to assess the danger correctly by not conducting a proper risk analysis. Other, tougher measures, such as compiling emergency plans, are not taken at all. "But security needs to be demonstrated in a company right from the very top," stresses Zimmermann. "And responsibility for IT security must be clearly assigned." Given the increasing level of threat, experts say there is no question that cybersecurity measures and the associated costs for staff and protective measures pay off. Deloitte expert Wondracek sums it up like this: "Companies that are in a good position on cybersecurity invest more and thus become even more secure."

Further information

VDMA Competence Center Industrial Security

Steffen Zimmermann, VDMA Competence Center Industrial Security.