Kaspersky's State of Industrial Cybersecurity 2019 survey has found that
more than two thirds (67%) of industrial organizations do not report
cybersecurity incidents to regulators.
While remaining compliant in modern industrial business is a necessity and a
driver for business investments, there are several factors that influence how a
company will follow and report compliance rules.
Due to the growing sophistication of attacks aimed at breaching
industrial companies, it is necessary to have robust cybersecurity policies in
place and to comply with the proper ICS regulations. From the General Data Protection
Regulation (GDPR) to standards set by the International Electrotechnical
Commission (IEC), industrial companies have instituted several requirements for
organizations to adhere to.
Kaspersky's report shows that many companies are not
actively following reporting guidelines, perhaps to avoid regulatory
punishments and public disclosure that can harm their reputation. In fact, more
than half (52%) of survey respondents said that incidents lead to a violation
of regulatory requirements, while 63% consider loss of customer confidence due
to a breach as a major business concern. Despite their lack of reporting,
organizations understand that regulatory demands must be met, as compliance is
the top driver in cybersecurity budget investment strategies for 55% of
respondents.
Separate from incident reporting, the survey highlights that
companies are taking compliance seriously, with just over a fifth (21%) of
industrial companies admitting that they do not currently comply with mandatory
industry regulations. The focus on procedures may be leading companies to
become complacent about the quality of their cybersecurity solutions and to
not take into account the actual threats: only 28% of respondents identified the
threat landscape as a key budget driver.
"Industrial compliance and regulations should not be
taken lightly. But it is also very important to keep in mind the real threat
landscape that is changing dynamically," said Georgy Shebuldaev, head
of industrial cybersecurity business development at Kaspersky. "An
efficient cybersecurity solution in combination with clear policy should help
companies achieve the necessary level of protection in accordance with
regulatory requirements. Such solutions should contain technology-oriented
measures, vulnerability assessment and incident response measures,
as well as security awareness initiatives for all employees who work with
industrial automation systems."
To learn more about the Kaspersky Industrial
CyberSecurity portfolio, please visit the
website. The full Kaspersky State of Industrial
Cybersecurity 2019 report can be found
here.