Around 75 percent fear loss of reputation, but not even 10 percent protect their assets for this reason
Kaspersky study shows discrepancy: top 3 reasons for protection measures do not match top 3 feared impacts
The most feared damages are financial impact and loss of reputation and customer trust
However, main reasons for cybersecurity measures are protection of business continuity, data and customers
Ingolstadt, 18 November 2022 – The main reasons for implementing cyber protection measures in companies in Germany have little to do with what IT decision-makers actually fear in the event of an attack. This is the finding of a recent Kaspersky survey. While most decision-makers choose cybersecurity measures to protect their data and customers and to ensure business continuity, many neglect their gut feeling, which is mainly concerned with financial damage, loss of reputation and loss of customer trust as possible effects of a successful cyber attack.
Both small and large companies are increasingly affected by cyber attacks. A quarter (26.0 percent) of medium-sized and almost two-thirds (59.3 percent) of large companies in Germany have been confronted with more attacks in the past twelve months. Successful attacks can have many effects on the company, as well as on customers and partners.
Almost 75 percent of all decision-makers in companies in Germany (74.0 percent in SMEs and 75.9 percent in large companies) assume that customer confidence is lost in the event of successful attacks. Furthermore, 64.0 percent of SMEs and 80.7 percent of large companies are certain that their reputation would be affected. In addition, the majority (66.0 percent of small and 72.4 percent of large companies) are concerned about legal consequences, resulting from the GDPR for example, as well as interruptions in production (52.0 percent of SMEs and 71.0 percent of large companies). This sometimes affects the delivery of defective products; 44.0 percent of small companies and 62.8 percent of large companies fear exactly this.
Finally, all this could also affect the relationship with partners and doing business with them. 60.0 percent of small companies fear losing business partners if their own network is successfully attacked, as do 73.8 percent of large companies. Three quarters of all large (75.9 percent) and small companies (72.0 percent) assume that this will have a financial impact.
Heart versus mind: Discrepancy between feared impacts and reasons for protective measures
While decision-makers are aware of the consequences of a successful supply chain attack, they have other motivations for protecting themselves and their partner companies. The top reasons why companies have taken cybersecurity measures include:
- Protecting their own business: 26.0 percent of SMEs and 25.5 percent of large companies
- Protecting customers: 20.0 percent of SMEs and 15.9 percent of large companies
- Protection of data: 36.0 percent of SMEs and 27.6 percent of large companies

Only a small proportion see the protection of supply chains and partners (2.0 percent and 11.7 percent respectively) and reputation (6.0 percent and 9.7 percent) as valid reasons for security measures.
“Loss of reputation, delivery of defective products or even an interruption in production – all of these are ultimately also financial consequences that can damage the company,” explains Waldemar Bergstreiser, Head of B2B Germany at Kaspersky. “In the worst case scenario, companies have to reckon with a drop in sales and a loss of trust on the part of current partners and customers. However, there is a discrepancy between the feared impact and the main reasons why decision-makers ultimately take cybersecurity measures. Based on the figures from our survey, decision-makers should rather rely on their gut feeling and also protect what worries them most. The best approach is to take a multi-layered approach to cybersecurity, including both technical solutions and expert services – not forgetting, for example, employee training, as cybersecurity awareness.”
Kaspersky recommendations for protecting against cyber attacks on the supply chain
- A detailed list of all suppliers and partners will give companies insight into who has access to internal company data and IT infrastructure and help mitigate potential risks.
- Companies should regularly back up their data to have access to it in case of an attack.
- All servers, workstations, smartphones, tablets and other devices used in different parts of the supply chain should be protected with a robust security solution such as Kaspersky Endpoint Detection and Response.
- Introducing an assessment of partners’ security measures, in terms of a comprehensive audit, can provide guidance on which areas and interfaces need further protection.
- If security vulnerabilities are identified in the supply chain, appropriate measures should be taken and implemented to protect those areas. Services such as Kaspersky Managed Detection and Response can help in this regard.
- In the event of a successful supply chain attack, the damage caused should be determined. Services such as Kaspersky Incident Response help prevent the attack from spreading and eliminate it.
- Provide SOC teams with access to the latest threat intelligence through Threat Intelligence to keep them up to date on threat actors’ tools, techniques and tactics.
- When working with partners, ensure that they have implemented certified security measures. Among the most important of these are compliance with ISO 27001, or a passing SOC 2 audit, which confirms that a company’s security controls comply with the American Institute of Certified Public Accountants’ (AICPA) Trust Services Criteria (TSC). For example, in early 2022, Kaspersky renewed its certification to ISO 27001:2013 – the internationally recognised security standard issued by the independent certification body TÜV AUSTRIA. Furthermore, the cybersecurity provider successfully recertified SOC 2 for the second time in May 2022.
The complete survey “Cybersecurity in Germany’s Supply Chain” is available at https://kas.pr/ce37.
The survey was conducted by Arlington Research on behalf of Kaspersky in September 2022. It surveyed 195 IT decision-makers in Germany, 41 in Austria and 49 in Switzerland on the topic of supply chain and security. Companies with an annual turnover of less than 100 million euros are defined as medium-sized companies, with a higher turnover as large companies (https://kas.pr/ce37).
Kaspersky study “Cybersecurity in Germany’s Supply Chain”: https://kas.pr/ce37
Kaspersky Endpoint Detection and Response: https://www.kaspersky.de/enterprise-security/endpoint-detection-response-edr
Kaspersky Professional Services: https://support.kaspersky.com/de/corporate/professional_services
Kaspersky Incident Response: https://www.kaspersky.de/enterprise-security/incident-response