Though manufacturers think they’re doing a better job safeguarding data, cybersecurity breaches are increasing. So says a PricewaterhouseCoopers (PwC) study, which finds that “while organizations have made significant security improvements, they have not kept pace with today’s determined adversaries.”
The report adds that many manufacturers “rely on yesterday’s security practices to combat today’s threats.”
The news isn’t all bad. “Executives in the global industrial products industry are heeding the need to fund enhanced security activities and have substantially improved technology safeguards, processes, and strategies,” the study finds, adding that “budgets are rising and confidence is high.”
But the bad news is that as much as companies have done to improve security, “their adversaries have done better.” Security incidents are up, and are becoming more costly. “Hot-button technologies like cloud computing, mobility, and BYOD are implemented before they are secured,” the study says, noting that “many executives are hesitant to share security intelligence with others, forgoing a powerful offensive tool against targeted, dynamic attacks.”
The survey, conducted online in early 2013, compiled responses from more than 9,600 executives and directors of IT and security in 115 countries.
Among the 671 industrial products respondents who participated, the study found that 46 percent believe they have “an effective strategy in place” and are “proactive in executing the plan,” an increase of 14 percent from last year. But only 15 percent of those respondents said they were knowledgeable about their security strategy, employed a CISO or equivalent who reports to the C level or legal counsel, had “measured and reviewed the effectiveness of security within the past year,” and understood the security events that occurred to them in the past year.
Money doesn’t seem to be a problem. Budgets for industrial products security among manufacturers averaged $4 million this year, a significant improvement over $2 million last year, and the highest increase in several years, the study found.
Survey responses indicated that the use of “block and tackle” security programs is at “an all-time high,” with application firewalls, malware or virus-protection software, encryption of desktop PCs, and Web content filters the most widely used tactics. But given the jump in security incidents, they may very well be outdated.
Simply spending more on security apparently isn’t the answer. “Average financial losses reported by industrial products companies are up 64 percent over last year,” and “losses of $10 million or more doubled over 2012,” as did the loss or damage of internal records, the study found.
The most likely sources of security incidents are current employees (estimated to be responsible for 33 percent of all security incidents) and past employees (24 percent). It can be argued that there isn’t much a company can do to ensure protection against inside threats from determined, knowledgeable employees — which makes it all the more important to guard against attacks from such outsiders as hackers, competitors, and organized crime.
So what does the study recommend as a course of action?
- Implement security safeguards that monitor data and assets. They’re not widely used among industrial manufacturers, but can “provide ongoing intelligence into ecosystem vulnerabilities and dynamic threats.”
- Prioritize your “crown jewels.” Identify and carefully protect your most important assets. Strangely, the use of basic policies to safeguard intellectual property was actually found to be declining.
- Upgrade mobile security. This includes smartphones, tablets, and employees’ personal devices used for work: “Industrial products respondents’ efforts to implement mobile security do not show significant gains over last year and continue to trail the growing use of mobile devices.”
- Rethink cloud security. The study found that while 61 percent of all companies report that technology has improved security, only 19 percent include provisions for cloud in their security policy.
- Set security standards for external partners. While only 58 percent of industrial products manufacturers currently do this, the study found that 68 percent of leaders in the sectors demand security standards for partners.
Other recommendations include: having a written security policy and back-up and recovery or business continuity plans; physical access restrictions to records containing personal data; an accurate inventory of where personal data of employees and customers is collected, transmitted, and stored (including third parties that handle that data); and, of course, obtaining buy-in for increased attention to security from the CEO.
In summary, the study notes that to improve, companies need to anticipate security threats and be aware of vulnerabilities — because today’s threats demand today’s security.