German logistics and trading firms ill-prepared for cyber risk
Medium-sized trading and logistics companies are often targeted by cybercriminals but are inadequately prepared for these attacks, according to a new analysis of IT security commissioned by the German Insurance Association (GDV).
The GDV said that many German medium-sized retail and logistics companies neglect their IT security and become easy targets for hackers. Almost one in four such companies (22%) has already been a victim of cyberattacks, said the insurer body.
Every second company attacked was brought to a standstill and had to restore its IT systems at great expense, the research shows.
The survey was carried out for the GDV by the Forsa Society for Social Research and Statistical Analysis. It involved 300 companies in wholesale and retail trade, as well as those in the transport sector.
“The successful attacks show that IT security in retail and logistics is still very patchy. Those responsible must take more and better protective measures, sensitise employees and forge emergency plans,” said deputy GDV general manager Anja Käfer-Rohrbach.
A security check initiated by the GDV for the research, which involved 19 medium-sized companies, shows that the level of protection is low. IT security consultant Michael Wiesner came across outdated operating systems in two-thirds of the firms. In almost all (95%) of the businesses, he found vulnerabilities that hackers could use to manipulate data or take over IT systems.
In addition, Wiesner was able to access data from employees at every fourth company via phishing mails and fake websites. “Once you have successfully penetrated the IT systems, you can usually take them over completely and manipulate them as you wish,” he warned.
Despite this clear vulnerability, nearly two-thirds (63%) of those surveyed by Forsa believe their business is at low risk. They believe their companies are too small and the data is not interesting for criminals.
Overall, three-quarters (73%) of the companies surveyed believe they are doing enough to protect against cybercrime.
But according to Käfer-Rohrbach, self-assessment does not stand up to reality. “The security problem is often downplayed or deliberately ignored,” she said.
Darknet research also shows how easy it is for hackers. To this end, the GDV commissioned PPI AG to use its cyber risk assessment tool Cysmo to check 1,500 medium-sized companies in retail and logistics. The firm found data from 470 companies (31%) on the dark web. These were often work email addresses and associated passwords that employees had used for private purposes.
“Because many people always use the same or very similar passwords, email/password combinations can easily be exploited by cybercriminals,” warned Käfer-Rohrbach. Companies should therefore set up clear rules for the use of professional email addresses and train their employees accordingly, she said.
Although secure passwords are enforced in most companies and security updates are automatically installed, more than half (52%) of companies surveyed allow employees to use their private devices within their IT ecosystem.
The research also finds that every fourth company (25%) keeps data backed up insecurely. And only 24% meet the ten most important basic IT security requirements. At the same time, many companies are not sufficiently prepared for a successful attack. Some 47% of the companies surveyed had neither an emergency plan nor an agreement with their IT service provider in case of an emergency.