Study on Industrial Security: Cyber Resilience of Companies is Increasing—No Reason for All-Clear

Source: Press release | Translated by AI

A new VDMA study shows: For the first time, social engineering and phishing represent the biggest cyber threats to companies, followed by human error and sabotage.

Although the number of cyberattacks has increased compared to the study from 2019, the surveyed companies have now established significantly more effective protective measures. (Image: freely licensed / Pixabay)

Companies in the machinery and plant engineering sector have significantly improved their cyber resilience. Nevertheless, cyberattacks cause damage in the hundreds of millions every year. Against this background, the VDMA's Software and Digitalization Association, in collaboration with Fraunhofer AISEC, has conducted the "Industrial Security" study again. The results show that companies' cyber resilience is growing—but there is still a need for action, especially for smaller businesses.

"Of course, the result is progress, but no reason to give the all-clear yet. Especially small and medium-sized enterprises must be specifically supported," says Maximilian Moser, security expert in VDMA Software and Digitalization.

More Attacks—Less Impact

Although the number of cyberattacks has increased compared to the 2019 study, the surveyed companies have since established significantly more effective protective measures. Only 55 percent of companies now report negative impacts from security incidents—a decrease of nearly 70 percent compared to 2019. Production outages (29 percent) and capital damages (32 percent) are particularly common consequences. A positive development: In the past two years, there have been no safety-critical incidents that endangered people or the environment.

For the first time, social engineering and phishing represent the biggest threat to companies, followed by human error and sabotage. This shows that while companies are increasingly confident in their technical security measures, they must continue to invest in awareness and training of their employees.

Increasing Demands due to Regulation

Regulatory requirements such as the Cyber Resilience Act (CRA) and the NIS2 directive, which aim to increase cybersecurity in the European Union, now directly affect two-thirds of companies. Nevertheless, the study shows that especially small and medium-sized enterprises (SMEs) are not yet sufficiently prepared for these requirements. 30 percent of SMEs do not know whether they are affected. There is an urgent need for information and support here.

The study also shows that more and more companies are embedding responsibility for industrial security internally. 88 percent of the surveyed companies rely on their own staff, with only 12 percent commissioning external service providers. There are particularly notable advancements in the production environment: 61 percent of companies have established risk management—a significant increase from 41 percent in 2019. However, there is still much to be done, especially for small businesses.

Support Sought

The results clearly show that companies primarily seek support from industry associations like the VDMA. 85 percent of respondents see this as the most important point of contact to learn about security strategies, best practices, and regulatory requirements. VDMA supports companies with practical guides, training, and networking opportunities to further strengthen security and resilience in the industry.
