ONEKEY's 'OT+IoT Cybersecurity Report 2024' notes limited focus on software security in devices.
The German Federal Office for Information Security (BSI) has found that over 2,000 new vulnerabilities are discovered in software each month on average, with around 15% classified as ‘critical’. “In view of this constant threat situation, German industry should further strengthen its cyber resilience in 2025,” advised Jan Wendenburg, CEO of the Duesseldorf-based cybersecurity company ONEKEY. Referring to the company’s “OT+IoT Cybersecurity Report 2024,” he noted that the industry did not prioritize software security in networked devices, machines and systems last year. “The industry has a lot of catching up to do in this area in 2025 compared to last year,” said Jan Wendenburg. The report on security in operational technology (OT) and Internet of Things (IoT) devices is based on a survey of 300 industry executives.

The study reveals that about two-thirds of companies surveyed recognize a need to enhance cybersecurity measures. One-third of respondents view the budget for defending against hackers as insufficient, highlighting a need for increased focus in this area. Additionally, 27% of companies are unsure about the budget allocation for cybersecurity measures. Only 34% report having what they consider to be a sufficient or substantial budget for cybersecurity initiatives. “The other two-thirds should clarify their IT security budget in the new year and increase it quickly,” ONEKEY CEO Jan Wendenburg recommended for 2025.
Common Measures Companies Use to Test Cyber Resilience
As part of the survey, ONEKEY sought to understand the measures companies use to test their cyber resilience. According to the survey, 36% conduct threat assessments, 23% initiate penetration tests, 22% use intrusion detection systems for active network monitoring, and 15% carry out vulnerability assessments (multiple answers were allowed). Additionally, 19% enhance security through network segmentation, ensuring that an intrusion in one segment does not affect the entire corporate network.
According to the survey, the most commonly used measure against cybercriminals was not technical protection, but legal protection: 38% of companies require their IT service providers and suppliers to contractually guarantee security. The effectiveness of this approach is uncertain, as suppliers with ‘contractually assured security’ have been linked to several security incidents in recent years, including those involving companies like Cloudflare, CrowdStrike, and Cisco.
Additionally, about 32% of companies surveyed have established processes to analyze security incidents and implement improvements. “Pre-defined business processes that define how to deal with hacking attacks, both during and after an attack, should be part of every company’s security repertoire,” said Jan Wendenburg. He explained: “In view of the ongoing threat situation, every company management should be adequately prepared for the worst-case scenario.”
Jan Wendenburg: “Cyber Resilience Should Top the 2025 Agenda.”
Just over a third (34%) of organizations take steps to improve security after a hacking incident. According to the survey, these companies analyze and evaluate the security incidents they experience and implement improvements to strengthen their cybersecurity measures. However, the “OT+IoT Cybersecurity Report” reveals that a similar number of organizations struggle to respond effectively to cyberattacks. Many lack adequate strategies for addressing attacks on connected devices, machines, and systems. 16% have not developed operational procedures to learn from cyberattacks and implement necessary improvements.
“Business leaders should put cyber resilience at the top of their agenda for 2025,” recommended Jan Wendenburg.
Edited by Puja Mitra, WTWH Media, for Control Engineering, from an ONEKEY news release.