More than two-thirds (67 percent) of industrial organizations do not report cybersecurity incidents to regulators, a new report found.
While remaining compliant in modern industrial business is a necessity and a driver for business investments, there are several factors that influence how a company will follow and report compliance rules, according to Kaspersky’s State of Industrial Cybersecurity 2019 survey.
Due to the growing sophistication of attacks aimed at breaching industrial companies, it is necessary to have robust cybersecurity policies in place and maintain compliance with the proper ICS regulations. From the General Data Protection Regulation (GDPR) to standards set by the International Electrotechnical Commission (IEC), industrial companies have instituted several requirements for organizations to adhere to.
However, the report found companies are not actively following reporting guidelines. In fact, 52 percent of survey respondents said incidents lead to a violation of regulatory requirements, while 63 percent consider loss of customer confidence due to a breach as a major business concern. Despite their lack of reporting, organizations understand regulatory demands must be met, as compliance is the top driver in cybersecurity budget investment strategies for 55 percent of respondents.
Separate from incident reporting, the survey highlights that companies are taking compliance seriously, with 21 percent of industrial companies admitting they do not currently comply with mandatory industry regulations. The focus on procedures may be leading companies to become complacent about the quality of the cybersecurity solutions and to fail to take into account the actual threats: only 28 percent of respondents identified the threat landscape as a key budget driver.
“Industrial compliance and regulations should not be taken lightly. But it is also very important to keep in mind the real threat landscape that is changing dynamically,” said Georgy Shebuldaev, head of industrial cybersecurity business development at Kaspersky. “An efficient cybersecurity solution in combination with clear policy should help companies achieve the necessary level of protection in accordance with regulatory requirements. Such solutions should contain technology-oriented measures, vulnerability assessment and incident response measures, as well as security awareness initiatives for all employees who work with industrial automation systems.”
This year will be the year of digitalization in OT automation, the report said. Companies will use digital methods to further improve their competitiveness, but this will also bring risks for the business. Although the consequences for OT/ICS cybersecurity are difficult to predict, the report found likely outcomes:
1. OT automation brings increased connections to the Internet
2. OT networks are becoming more sophisticated
3. There are still not enough OT/ICS cybersecurity experts available on the market
4. The number of attacks on OT automation will likely continue to increase
5. Compliance with best practices and cybersecurity standards, such as IEC 62443, will become more important