Cybersecurity and cybercrime
  • “OT+IoT Cybersecurity Report”: Companies have too little budget for cybersecurity
  • Jan Wendenburg, CEO ONEKEY: “Companies should be prepared for cyber incidents.”
  • ONEKEY at Embedded World 2025: Hall 5, Booth 5-376

The German Federal Office for Information Security (BSI) has found that an average of more than 2,000 new vulnerabilities are discovered in software every month, of which around 15 percent are classified as “critical”.


“In view of this constant threat situation, German industry should further strengthen its cyber resilience in 2025,” advised Jan Wendenburg, CEO of the Duesseldorf-based cybersecurity company ONEKEY. He is referring to his company’s “OT+IoT Cybersecurity Report 2024”, according to which the industry neglected software security in networked devices, machines and systems last year. “The industry has a lot of catching up to do in this area in 2025 compared to last year,” said Jan Wendenburg. The report on security in operational technology (OT) and Internet of Things (IoT) devices is based on a survey of 300 industry executives: https://www.onekey.com/resource/ot-iot-cybersecurity-report-2024

According to the study, around two-thirds of companies surveyed believe that cyber security should be improved. A third of them consider the budget allocated to defending against hackers to be “limited”, meaning that more emphasis should be placed on this area. According to the report, 27% of companies are unsure about the budget situation for cyber security measures. Only 34% of companies surveyed have what they consider to be an “adequate” or even “significant” budget for cyber resilience initiatives. “The other two thirds should clarify their IT security budget in the new year and increase it quickly,” ONEKEY CEO Jan Wendenburg recommended for 2025.

Most Companies Rely on Contractual Security Measures

As part of the survey, ONEKEY also wanted to know what measures companies are using to test their cyber resilience. According to the survey, 36 percent conduct threat assessments, 23 percent initiate penetration tests, 22 percent rely on intrusion detection, i.e. active monitoring of networks, and 15 percent prefer vulnerability assessments (multiple answers were allowed). Nineteen percent strengthen security through network segmentation, so that a successful intrusion into one segment does not compromise the entire corporate network.

However, the most commonly used measure against cybercriminals in the survey was not technical protection, but legal protection: 38 percent of companies require their IT service providers and suppliers to contractually guarantee security. Whether this is an effective measure remains questionable, however, as suppliers with “contractually assured security”, such as Cloudflare, CrowdStrike, Cisco and others, have also been involved in almost all major security incidents in recent years.

Just under a third (32 percent) of the companies surveyed have processes in place to learn from security incidents and implement necessary improvements. “Pre-defined business processes that define how to deal with hacking attacks, both during and after an attack, should be part of every company’s security repertoire,” said Jan Wendenburg. He explained: “In view of the ongoing threat situation, every company management should be adequately prepared for the worst-case scenario.”

Jan Wendenburg: “Cyber Resilience Should Top the 2025 Agenda.”

Just over a third (34 percent) of organizations make at least some effort to improve security following a hacking incident. According to the survey, these companies make an effort to thoroughly analyse and evaluate the security incident they have survived and to derive improved measures for warding off cyber criminals. However, the “OT+IoT Cybersecurity Report” finds that about the same number of companies are more or less helpless in the face of cyber attacks. They are largely unaware of how to deal with attacks on connected devices, machines and systems. Sixteen percent have not developed operational procedures to learn from cyber attacks and implement necessary improvements.

“Business leaders should put cyber resilience at the top of their agenda for 2025,” recommended Jan Wendenburg.