Industrial products companies counter escalating security risks with solid investments in security

February 17, 2015

By Quentin Orr, PwC Principal, Information Security and Privacy

You’d have to be living on Pluto to be unaware of the unprecedented surge in targeted cyber threats. The most recent attack demonstrates that adversaries are becoming increasingly skilled—and punishingly malevolent. Risks are rising across sectors, and industrial products companies are by no means exempt. The Global State of Information Security® Survey 2015 found that incidents among industrial products respondents climbed 17% over 2013—and that the financial costs of these compromises compounded at double that rate.

It comes as no surprise that employees are the most-cited culprits of security incidents; they have always been among the top sources. We were a bit startled, however, to see that compromises attributed to competitors more than doubled this year. Increasingly, industrial products executives report that sophisticated international competitors and foreign nation-states are infiltrating their networks to pilfer trade secrets and manufacturing processes. Attacks by these adversaries remain among the least frequent, but they are also among the fastest growing.

This year, for instance, compromises by foreign nation-states and foreign organizations increased 65% over 2013. That worries many executives because nation-states are keenly interested in manufacturing processes and they often attempt to steal trade secrets to advance their own political and economic agendas. The financial losses for industrial products companies can be staggering.

Now for some good news

Not all survey results are unfavorable, however. The best news is that industrial products companies are countering escalating security risks with solid investments in security. In fact, information security budgets have soared more than 150% in the past two years, and security investments grew in 2014 even as overall IT budgets declined. This year, information security outlays represent 6.9% of respondents’ total IT budgets, the highest of any sector in our survey. The fiscal commitment to security suggests that companies are more willing to spend as the economic recovery gains momentum.

We believe that some forward-thinking companies are applying new funding to reshape their cybersecurity programs around a strategic model based on business risk and the value of information assets. A basic tenet of modern information security strategy is that efforts should focus on data that is most important to the business. Survey results show that more industrial products respondents are improving their abilities to identify sensitive assets, classify the business value of that data, and allocate security spending to the most valuable assets.

And in some ways, it’s clear that executive teams are starting to take ownership of cyber risks. Almost three-quarters of respondents task a senior executive with communicating the importance of information security across the entire enterprise, a healthy improvement over last year.

Areas for improvement

In other areas, however, there is room for improvement. Boards need to be more involved. Consider, for instance, that 53% of respondents say their Board of Directors participates in the overall security strategy, yet only 33% are involved in reviews of security and privacy risks. Employee awareness is another area of importance. Because the weakest link in security is often human, an ongoing employee training program is essential to cybersecurity—but only 40% of organizations have employee security-awareness training programs.

The discussion should also extend to external partners, law enforcement, and government agencies. Over the past two years, many organizations have discovered that sharing cyber-threat intelligence and response techniques is advantageous to cybersecurity. Yet our survey showed that industrial products companies lag other sectors in embracing external collaboration.

Business partners under scrutiny

The increasing risks of compromise by third-party vectors warrant a commitment to due diligence of partners and supply chains. As organizations share more data with more interconnected business partners, they should carefully assess the security capabilities of these third parties. We’re seeing some progress. In the past year, respondents have stepped up due diligence of third-party partners by implementing formal security standards and performing risk assessments. Nonetheless, approximately one-third of companies have not addressed these issues.

Comprehensive due diligence is particularly critical for organizations that plan to grow their businesses through mergers and acquisitions. Today, cyber adversaries often infiltrate smaller, less-mature companies and lie in wait for them to be acquired by larger firms. After the two companies’ information systems are integrated, threat actors attempt to gain a foothold on the networks of the acquiring firms to exfiltrate trade secrets and other valuable information.

When embarking on a deal, businesses should understand exactly what they will inherit when they connect their networks with the company they acquire. Today, organizations need to have a mature capability for this type of comprehensive due diligence. It is becoming a requirement for the deals—and cybersecurity—of tomorrow.

Originally published on PwC’s Cybersecurity blog on Jan 29, 2015.
