To maintain trust and benefit from the digital enterprise, small and medium-sized companies must become proactive and raise their game in cyber security.
“It is time to stop being naive when it comes
to cyber security.” These were the words spoken by Jim Hagemann Snabe, who was chairman
of A.P. Møller-Mærsk when the company suffered a debilitating cyberattack in
2017. Today, Mr. Snabe is also Chairman of the Supervisory Board of Siemens AG and
he warns that being ‘average’ with regard to cyber security is not good enough. Businesses that
fail to improve will get caught out, regardless of their size.
Cyberattacks on companies have been increasing
in number and sophistication, and this trend is expected to continue and even get
worse in the future. According to Germany’s Federal Ministry for Information
Security (BSI), some 70 percent of German companies experienced cyberattacks within
two years. The total costs amount to tens of billions of euros a year.
What’s more, around half of those cyberattacks
were successful. This means the attackers succeeded in gaining access to IT networks,
influencing the function of IT systems, for example, or manipulating company
websites. And one in two successful attacks led to costly shutdowns of
production or operations, in addition to the cost of investigating what happened,
repairing affected systems, and possible contractual penalties for delays.
A threat to all
The threat to cyber security affects all
companies, not just the big ones. In fact, small and medium-sized enterprises
(SMEs) are increasingly seen as ‘easy’ targets, lacking the resources and
expertise that large corporations can call on to defend themselves. And this
impression seems to be fully justified: A recent survey by Germany’s Mechanical
Engineering Industry Association (VDMA) found that 43 percent of responding
companies still lacked even the ability to detect if a cyberattack had taken
place.
In the rush to digitalize and reap the rewards of Industry 4.0, there is a danger that smaller companies in particular may overlook or underestimate the risks. Given the potentially immense cost of a security breach, SMEs cannot afford to be complacent. They must be proactive in preventing attacks in the first place, especially as increasing integration in production is likely to open up new vulnerabilities.
An important aspect of this is an open exchange of information, because as security threats evolve, measures must be kept up to date. Despite understandable embarrassment or concerns about a loss of prestige, security measures can be improved if companies are prepared to speak openly about problems they’ve encountered and how they dealt with them.
One careless click may be all it takes
The best defense companies have is perhaps
awareness of the dangers, because the greatest vulnerability most companies
have is people – their own employees.
The BSI estimates the main cyber threat to
businesses now comes from what’s collectively called ‘social engineering and
phishing’. This refers to a scenario in which employees are tricked into
revealing passwords and other sensitive information.
We’re not talking about primitive spam mails
anymore – but detailed, customized reproductions of real websites and emails
that look and sound authentic. Only a high level of vigilance will detect that
these are fakes. While many may be inclined to dismiss this possibility, consider
that hacking into a network these days is difficult and risky – it is much
easier to fool an unsuspecting human being. And even sophisticated IT defenses
may be powerless against a careless employee.
Clearly then, alongside the technical defense
measures companies require, awareness raising and training must be a top
priority so that employees get better at recognizing potential dangers.
Get a head start
No industrial company, big or small, can afford
to ignore the cyber threat. While the larger corporations, not surprisingly,
tend to be further along in this regard, higher security standards are sure to trickle
down and spread throughout industries.
Compliance pressure will come not just from
stricter legal requirements, but increasingly from customer expectations. Having
raised their own security standards, the big industry players are pushing their
suppliers and service providers in the same direction.
This development potentially makes cyber security
a factor in competitiveness. On the other hand, budgetary constraints mean IT
departments must invest carefully and find solutions customized to individual
needs.
In the digital future that everyone is striving to be a part of, the trend is going toward greater integration, with more and more autonomous processes. But this can only happen if SMEs – and their customers – have full confidence in their cyber security.
Source for statistics: https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2018.pdf?__blob=publicationFile&v=6
Source for Snabe quote:
https://www.heise.de/newsticker/meldung/Nach-NotPetya-Angriff-Weltkonzern-Maersk-arbeitete-zehn-Tage-lang-analog-3952112.html