While the general confidence in cyber resilience is high, outside suppliers pose a threat to many Danish businesses in the ER&I sectors.
It is beneficial for all businesses to become interconnected, but there are also drawbacks. The survey reminds us that the security of supply chains is always decided by the weakest link. Thus, Danish ER&I businesses struggle to maintain cyber security due to lax approaches by outside suppliers.
What does the survey show?
Overall, when it comes to cyber attacks, the surveyed businesses consider themselves highly resilient. 83% believe they are resilient to a high degree when handling customer data. 68% indicate the same level of cyber security when using cloud services. 65% believe the level of security is high when cooperating with close partners and suppliers. However, it is clear that less integrated outside suppliers pose the greatest threat. In this domain, only 37% of respondents believe they are resilient to a high degree.
Q: To what degree do you feel that your company is resistant to cyber attacks in the following areas...
It is promising to see that the increased focus on the cyber threat has led to an unprecedented awareness of cyber resiliency. To some extent, it is positive that businesses rate their security with confidence in many areas. However, a high level of confidence can also be a double-edged sword.
A more alarming conclusion is that 63% of the respondents feel they are not highly secure in areas of the supply chain that involve business partners and suppliers that are not closely connected to the organisation. This is a trend also seen in the consumer sector.
This causes concern, particularly as many businesses are currently experiencing an increase in attacks that target the supply chain. By attacking the weakest links in the chain, attackers can use the suppliers as entry points to the organisation's main systems. These attacks can be detrimental to any organisation.
In conclusion, it is apparent that businesses in the Danish ER&I sectors are in a maturing phase of cyber security – one in which outsourcing becomes an area of concern. All ER&I businesses need to apply security to the full value chain in order to be secure. If not, engaging with outside suppliers can result in loss of control.
The bigger picture
In the quest to maximise cyber security throughout the entire organisation, a broad focus is important. Recently, however, we have seen examples of the opposite. While cyber security in admin IT has been of concern for years, many organisations lack focus on security in production. Industrial production is typically performed by old legacy systems, which are vulnerable to attacks. Structured and frequent cyber hygiene, including user control, updates of software and hardware, and a requirement to regularly change passwords, significantly increases the security of older systems, and it often costs nothing but time.
Anticipating a cyber attack
The NotPetya attack wiped out half of the affected companies' assets in less than two hours. It reminded us that investing in technology, processes and people able to detect cyber attacks is not enough. Today, threat intelligence, threat assessments and crown jewel identification are equally important in order to ensure that you are cyber resilient.