The results show that 79 percent of companies rate the current threat situation as growing to strongly growing. Against this background, the German government launched the IT Security Act 2.0 in 2021 to protect the public from cyberattacks and their consequences. As of May 1, 2023, affected companies must demonstrate the use of attack detection systems in their IT infrastructure, which is essential to maintain critical utility services. Although such a system is not mandatory for other areas, 71 percent of the CRITIS companies surveyed plan to establish corresponding attack detection systems in office IT. Twenty-one percent have already introduced such a system in full, both in the mandatory areas and beyond. Forty-five percent of respondents plan to introduce it this year and around a third (33 percent) in the next one to three years.
Prevention against cyber risks often fails due to lack of competence
59 percent of the companies surveyed rate themselves as competent to very competent in the mandatory reporting of security incidents to the Federal Office for Information Security (BSI), 56 percent in the prevention of cyber risks. For over 40 percent of the companies in each case, there is thus still room for improvement with regard to the implementation of the legal obligation to report security incidents to the BSI. Every second company surveyed (50 percent) estimates that IT security incidents would lead to sensitive and critical data being compromised. Forty-five percent fear the loss of assets relevant to the community in the event of an incident, and 46 percent fear lost revenue.
Lack of IT specialists remains biggest challenge
More than one in two CRITIS organizations (59 percent) see a shortage of skilled IT staff as one of their biggest challenges over the next two years. These skilled personnel are lacking to cope with the adjustments and implementation of regulations and requirements. Another pain point for 44 percent of respondents is network vulnerability assessment, which is, however, essential for further measures to increase defense against cyberattacks. Other challenges, at 30 percent, include securing critical components in the Internet of Things (IoT) or Industry Control Systems (ICS), commissioning necessary security solutions (28 percent) and providing evidence of information security (23 percent).
About the study:
The study "attack detection in critical infrastructure companies – How German CRITIS companies are dealing with increasing IT and OT risks" was conducted by techconsult in January 2023. Using a structured questionnaire, 121 CRITIS companies in Germany were surveyed across all industries.
All results of the study can be found under the following link: https://www.secunet.com/studie-2023-angriffserkennung-in-unternehmen-kritischer-infrastrukturen
