20 Percent of Companies Fail to Conduct Cybersecurity Audits

Building Cybersecurity Awareness: Empowering Workforces to Tackle Cyberattacks and Threats
Duesseldorf, December 11, 2024 - 40 percent of industrial companies in Germany provide regular cybersecurity education and training for their employees, while 27 percent include cybersecurity rules and procedures in their employee handbooks and company policies. "That may sound substantial, but it ultimately shows that a large part of the industry is still not doing enough to protect itself from hackers," says Jan Wendenburg, CEO of the Duesseldorf-based cybersecurity specialist ONEKEY. This insight comes from the 'OT+IoT Cybersecurity Report 2024' by ONEKEY, which concludes that the German economy continues to underestimate the risk of hacker attacks targeting machines, industrial control systems (Operational Technology, OT), and the Internet of Things (IoT).
According to the report, only 11 percent of the industry systematically trains employees to recognize threats from cybercriminals. "For instance, if a production line or packaging robot isn't functioning properly, the machine operator should also consider the possibility of a hacker attack," explains Jan Wendenburg. "Without proper training, this critical thinking won't happen, and the presence of hackers is often only discovered after significant damage has already occurred."
More Than a Third of Companies Uncertain About Cyber Resilience Checks
62 percent of the industrial companies surveyed conduct regular cybersecurity audits. Among these, 24 percent rely on external assessments, 18 percent conduct internal assessments, and 20 percent use a hybrid approach that combines internal and external audits.
"For more than a third of the industry, it seems unclear whether or to what extent a regular or even occasional audit of resilience to hacker attacks is carried out," says Jan Wendenburg, surprised at the current approach to one of the greatest threats of our time. Almost a fifth (19 percent) of respondents admit that they do not conduct any cybersecurity audits, either internally or externally.
The statistics of the Federal Criminal Police Office (BKA) list almost 135,000 officially reported cases of cybercrime last year and assume that 90 percent of cases go unreported. "That would correspond to more than 4,000 attacks a day," warns the ONEKEY CEO. The German Federal Office for Information Security (BSI) wrote in its status report last year: "The threat from cybercrime is higher than ever before."
Despite the threat situation, fewer than half of companies (46 percent) are satisfied with the measures they have taken to protect themselves against cybercriminals, according to the survey. "It's high time to act," warns Jan Wendenburg. He explains: "A first step is to subject the software in all connected devices to a thorough check and uncover any vulnerabilities."
Leveraging a Product Cybersecurity & Compliance Platform for Effective Audits
To address this, ONEKEY operates a Product Cybersecurity & Compliance Platform (PCCP) that thoroughly analyzes the software in industrial control systems and networked devices to identify security vulnerabilities. "Such an audit not only documents the current status but also provides specific recommendations for necessary improvements," explains Jan Wendenburg. He adds, "From 2027, anyone launching a networked electronic product with known exploitable vulnerabilities on the EU market could face fines of up to EUR 15 million. Therefore, documenting security is crucial not only from a technical standpoint but also from a legal and financial perspective."
In the first half of 2024 alone, the US National Institute of Standards and Technology (NIST) published around 15,000 "Common Vulnerabilities and Exposures" (CVEs for short), i.e. security gaps and vulnerabilities in software. "The challenge is huge," says Jan Wendenburg, and explains: "This makes it all the more urgent to swiftly implement the measures necessary to improve cybersecurity in line with legal requirements. Audits and employee training play a key role in this. We recommend including this in the list of good intentions for 2025 – and then implementing them."
About ONEKEY
ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of the automated ONEKEY Product Cybersecurity & Compliance Platform (OCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life.

CONTACT:
Sara Fortmann
Senior Marketing Manager
sara.fortmann@onekey.com
euromarcom public relations GmbH
team@euromarcom.de