Manufacturers “rely on yesterday’s security practices to combat today’s threats.” That was the finding from a new survey from PricewaterhouseCoopers (PwC).
While manufacturers think they’re doing a better job safeguarding data, breaches are increasing, the survey said. That means that although companies have made security improvements, they have not kept pace with today’s sophisticated attackers.
“Executives in the global industrial products industry are heeding the need to fund enhanced security activities and have substantially improved technology safeguards, processes, and strategies,” the study said.
While companies have hiked their security, “their adversaries have done better,” the survey said. Security incidents are up, and are becoming more costly. “Hot-button technologies like cloud computing, mobility, and BYOD are implemented before they are secured,” the study said, noting “many executives are hesitant to share security intelligence with others, forgoing a powerful offensive tool against targeted, dynamic attacks.”
The survey, conducted online in early 2013, compiled responses from more than 9,600 executives and directors of IT and security in 115 countries.
Among the 671 industrial products respondents who participated, the study found 46 percent believe they have “an effective strategy in place” and are “proactive in executing the plan,” an increase of 14 percent from last year.
However, only 15 percent of those respondents said they were knowledgeable about their security strategy, employed a CISO or equivalent who reports to the C level or legal counsel, had “measured and reviewed the effectiveness of security within the past year,” and understood the security events that occurred to them in the past year.
Money doesn’t seem to be a problem. Budgets for industrial products security among manufacturers averaged $4 million this year, a significant improvement over $2 million last year, and the highest increase in several years, the study found.
Survey responses found the use of basic security programs is at “an all-time high,” with application firewalls, malware or virus-protection software, encryption of desktop PCs and Web content filters the most widely used tactics. But given the jump in security incidents, these tactics may very well be outdated.
Simply spending more on security apparently isn’t the answer. “Average financial losses reported by industrial products companies are up 64 percent over last year,” and “losses of $10 million or more doubled over 2012,” as did the loss or damage of internal records, the study found.
The most likely sources of security incidents are current employees (estimated to be responsible for 33 percent of all security incidents) and past employees (24 percent). It can be argued that there isn’t much a company can do to ensure protection against inside threats from determined, knowledgeable employees — which makes it all the more important to guard against attacks from such outsiders as hackers, competitors, and organized crime.
The study recommended:
• Implement security safeguards that monitor data and assets. They’re not widely used among industrial manufacturers, but can “provide ongoing intelligence into ecosystem vulnerabilities and dynamic threats.”
• Know what needs protection. Identify and carefully protect your most important assets. Strangely, using basic policies to safeguard intellectual property was found to be actually declining.
• Upgrade mobile security. This includes smart phones, tablets, and employees’ personal devices used for work: “Industrial products respondents’ efforts to implement mobile security do not show significant gains over last year and continue to trail the growing use of mobile devices.”
• Rethink cloud security. The study found that while 61 percent of all companies report that technology has improved security, only 19 percent include provisions for cloud in their security policy.
• Set security standards for external partners. While only 58 percent of industrial products manufacturers currently do this, the study found 68 percent of leaders in the sectors demand security standards for partners.