The German Federal Office for Information Security (BSI) has found that an average of more than 2 000 new vulnerabilities are discovered in software every month, of which around 15% are classified as “critical”.

“In view of this constant threat situation, German industry should further strengthen its cyber resilience in 2025,” advises Jan Wendenburg, CEO of OneKey.

OneKey’s “OT+IoT Cybersecurity Report 2024” finds that the industry neglected software security in networked devices, machines and systems last year.

“The industry has a lot of catching up to do in this area in 2025 compared to last year,” says Wendenburg.

According to the study, around two-thirds of the companies surveyed believe that their cyber security should be improved. A third of them describe the budget allocated to defending against hackers as “limited”, which suggests that more emphasis should be placed on this area.

According to the report, 27% of companies are unsure about the budget situation for cyber security measures. Only 34% of companies surveyed have what they consider to be an “adequate” or even “significant” budget for cyber resilience initiatives.

“The other two thirds should clarify their IT security budget in the new year and increase it quickly,” Wendenburg advises.

As part of the survey, OneKey also wanted to know what measures companies are using to test their cyber resilience. According to the survey, 36% conduct threat assessments; 23% initiate penetration tests; 22% rely on intrusion detection, such as active monitoring of networks; and 15% prefer vulnerability assessments (multiple answers were allowed). Nineteen percent strengthen security through network segmentation, so that a successful intrusion into one segment does not compromise the entire corporate network.

However, the most commonly used measure against cybercriminals in the survey was not technical protection, but legal protection: 38% of companies require their IT service providers and suppliers to contractually guarantee security. Whether this is an effective measure remains questionable, however, as suppliers with “contractually assured security” have also been involved in almost all major security incidents in recent years, such as Cloudflare, CrowdStrike, Cisco and others.

Just under a third (32%) of the companies surveyed have processes in place to learn from security incidents and implement necessary improvements.

“Pre-defined business processes that define how to deal with hacking attacks, both during and after an attack, should be part of every company’s security repertoire,” says Wendenburg. “In view of the ongoing threat situation, every company management should be adequately prepared for the worst-case scenario.”

Just over a third (34%) of organisations make at least some effort to improve security following a hacking incident.

According to the survey, these companies make an effort to thoroughly analyse and evaluate the security incident they have survived and derive improvements in terms of measures to ward off cyber criminals.

However, the report finds that about the same number of companies are more or less helpless in the face of cyber attacks. They are largely unaware of how to deal with attacks on connected devices, machines and systems. 16% have not developed operational procedures to learn from cyber attacks and implement necessary improvements.

“Business leaders should put cyber resilience at the top of their agenda for 2025,” Wendenburg concludes.