- “OT+IoT Cybersecurity Report”: Companies have too little budget for cybersecurity
- Jan Wendenburg, CEO ONEKEY: “Companies should be prepared for cyber incidents.”
- ONEKEY at Embedded World 2025: Hall 5, Booth 5-376
DUESSELDORF– The German Federal Office for Information Security (BSI) has found that an average of more than 2,000 new vulnerabilities are discovered in software every month, of which around 15 percent are classified as “critical”. “In view of this constant threat situation, German industry should further strengthen its cyber resilience in 2025,” advised Jan Wendenburg, CEO of the Duesseldorf-based cybersecurity company ONEKEY. He is referring to his company’s “OT+IoT Cybersecurity Report 2024”, according to which the industry neglected software security in networked devices, machines and systems last year. “The industry has a lot of catching up to do in this area in 2025 compared to last year,” said Jan Wendenburg. The report on security in operational technology (OT) and Internet of Things (IoT) devices is based on a survey of 300 industry executives: https://www.onekey.com/resource/ot-iot-cybersecurity-report-2024
According to the study, around two-thirds of companies surveyed believe that cyber security should be improved. A third of them consider the budget allocated to defending against hackers to be “limited”, meaning that more emphasis should be placed on this area. According to the report, 27% of companies are unsure about the budget situation for cyber security measures. Only 34% of companies surveyed have what they consider to be an “adequate” or even “significant” budget for cyber resilience initiatives. “The other two thirds should clarify their IT security budget in the new year and increase it quickly,” ONEKEY CEO Jan Wendenburg recommended for 2025.
Most Companies Rely on Contractual Security Measures
As part of the survey, ONEKEY also wanted to know what measures companies are using to test their cyber resilience. According to the survey, 36 percent conduct threat assessments, 23 percent initiate penetration tests, 22 percent rely on intrusion detection, i.e. active monitoring of networks, and 15 percent prefer vulnerability assessments (multiple answers were allowed). 19% strengthen security through network segmentation, so that a successful intrusion into one segment does not compromise the entire corporate network.
However, the most commonly used measure against cybercriminals in the survey was not technical protection, but legal protection: 38 percent of companies require their IT service providers and suppliers to contractually guarantee security. Whether this is an effective measure remains questionable, however, as suppliers with “contractually assured security” have also been involved in almost all major security incidents in recent years, such as Cloudflare, Crowdstrike, Cisco and others.
Just under a third (32 percent) of the companies surveyed have processes in place to learn from security incidents and implement necessary improvements. “Pre-defined business processes that define how to deal with hacking attacks, both during and after an attack, should be part of every company’s security repertoire,” said Jan Wendenburg. He explained: “In view of the ongoing threat situation, every company management should be adequately prepared for the worst-case scenario.”
Jan Wendenburg: “Cyber Resilience Should Top the 2025 Agenda.”
Just over a third (34 percent) of organizations make at least some effort to improve security following a hacking incident. According to the survey, these companies make an effort to thoroughly analyse and evaluate the security incident they have survived and derive improvements in terms of measures to ward off cyber criminals. However, the “OT+IoT Cybersecurity Report” finds that about the same number of companies are more or less helpless in the face of cyber attacks. They are largely unaware of how to deal with attacks on connected devices, machines and systems. 16 percent have not developed operational procedures to learn from cyber attacks and implement necessary improvements.
“Business leaders should put cyber resilience at the top of their agenda for 2025,” recommended Jan Wendenburg.
Visit ONEKEY at the Embedded World 2025
Learn more about ONEKEY’s OT and IoT security solutions at Embedded World 2025. ONEKEY will be present with a booth: Hall 5, booth 5-376. For more information please visit our event page: https://www.onekey.com/resource/embeddedworld2025
ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of The automated ONEKEY Product Cybersecurity & Compliance Platform (OCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life.
Critical vulnerabilities and compliance violations in device firmware are automatically identified in binary code by AI-based technology in minutes – without source code, device, or network access. Proactively audit software supply chains with integrated software bill of materials (SBOM) generation. “Digital Cyber Twins” enable automated 24/7 post-release cybersecurity monitoring throughout the product lifecycle.
The patent-pending, integrated Compliance Wizard™ already covers the EU Cyber Resilience Act (CRA) and requirements according to IEC 62443-4-2, ETSI EN 303 645, UNECE R 155 and many others.
The Product Security Incident Response Team (PSIRT) is effectively supported by the integrated automatic prioritisation of vulnerabilities, significantly reducing the time to remediation.
Leading international companies in Asia, Europe and the Americas already benefit from the ONEKEY Product Cybersecurity & Compliance Platform (OCP) and ONEKEY Cybersecurity Experts.
Contact us: ONEKEY GmbH,
Kaiserswerther Str. 45, 40477 Duesseldorf, Germany,
Sara Fortmann, e-mail: sara.fortmann@onekey.com,
website: https://onekey.com
