Digitization of production and products lays firms even more open to cyber-attacks


  1. Companies have to rise to the challenge of rapidly improving their security level
  2. The production process and products in ever-growing numbers join traditional IT systems at the heart of threat scenarios
  3. Companies need to increase security by identifying risks and assigning ownership of cyber-issues in development and production
  4. Roland Berger experts recommend five specific steps to take to improve corporate protection against cyber-crime
  5. Management must be clear on its responsibility to assure the cyber-security of its products

Munich, March 4, 2015

The digitization of processes and products continues unabated as part of the fourth industrial revolution. Players from sectors as diverse as the automotive, consumer goods, chemicals and aerospace industries are increasingly reliant on digital processes to store and share important data internally and with external suppliers. While this makes for faster and more efficient production processes, it also increases the risk of companies falling prey to online attacks. Data protection is therefore becoming an ever more complex, time-consuming and costly business for companies. These are some of the aspects examined in the latest study by Roland Berger Strategy Consultants: "Cyber-security. Managing the threat scenarios in manufacturing companies".

"Dealing with hacking attacks is a huge problem, with different parts of the value chain often coming under attack simultaneously," explains Roland Berger Partner Manfred Hader. "The trouble is, traditional IT security departments mostly have their eyes fixed on business IT – the communication systems or business applications. What companies should be doing instead is addressing the issue of cyber-security from an integrated perspective."

The new Cyber-Security Approach from Roland Berger

Experts from Roland Berger have devised a new security approach to help companies mitigate the risks posed by hacking and prevent extensive financial damage. Called the Roland Berger Cyber-Security Approach, it points out that the first key to successfully tackling cyber-crime is for companies to be clear on which of their assets are critical and what scenarios could pose a threat. The danger of online attacks is not confined to traditional business IT. Software built into products is also at risk, as are the architectures in production IT and the means by which these products are linked into operations and maintenance in whatever sphere, be it mechanical, aircraft or automotive engineering, or even in critical infrastructure. "An integrated evaluation of the situation lays the basis for a good protection strategy," advises Carsten Rossbach, Partner at Roland Berger Strategy Consultants. "In our increasingly interconnected world, cyber-security cannot be left to dwell in corporate silos any longer."

Moreover, to protect themselves against online crime, companies need to continually refine and develop their existing structures, processes and systems: security systems should be adapted to potential threats – without losing sight of the business model. Elements of traditional information security management systems (ISMS) can be transferred to other stages in the value chain. And last but not least, the subject of security should become a part of the corporate culture. "With Internet crime capable of affecting all areas of a company, every member of staff needs to be sensitized to the risks," recommends Manfred Hader. "Targeted training can help company employees spot vulnerabilities themselves before it's too late."

Five steps to beat cyber-crime

In the interests of preventing external attacks, the Roland Berger experts advise companies to focus on five key factors.

  1. Establish the scope and define the priorities: Given the multitude of sensitive points in a company, the management should first identify critical assets and determine which processes and business areas should be given priority status with regard to protection. These include, above all, sensitive data, systems, products, processes, expertise, and also intellectual property such as process knowledge and patents.
  2. Understand your potential threat exposure: The second step involves companies determining the potential threat scenarios for the critical areas that need protection and finding out what protection is already in place.
  3. Quantify the potential impact: Companies should examine various scenarios to identify both the objectively quantifiable impacts and the potential consequences – such as damage to their reputation – that may be felt. Courses of action should then be determined on this basis.
  4. Evaluate your options: There is no such thing as 100% protection against cyber-attacks. So what management needs to do is define acceptable risk gaps and select applicable security concepts on the basis of a cost/benefit analysis.
  5. Embed cyber-security throughout the entire value chain: Cyber-security affects the whole company. The only way to permanently protect a company against online crime is to plan and devise protective measures that take all processes and procedures into account and span all corporate divisions. Employees also need to be brought into the planning at an early stage and kept continuously and candidly informed about potential attacks. Companies will not otherwise be able to react fast and successfully to new threats. "Only companies that treat cyber-security as an integral part of their management system will be able to protect themselves properly against digital threats," explains Manfred Hader.

Online attacks affect stakeholders, too

Protecting against threats from cyberspace is not just important to the companies affected. It's also a concern for their stakeholders, in that they, too, demand more security for their data. Data protection is now a significant factor in consumers' buying decisions, companies are increasingly auditing their suppliers' cyber-security systems, and insurance companies are also becoming more involved, both with specific cyber-security products and in their general view of industry risks.

System outages or data losses can impact a company's credit rating and make it more difficult to obtain finance, which could even go so far as to put the company's future at risk. Furthermore, some governments have plans to make it obligatory for companies to report any cyber-attacks they experience. "Companies therefore need to take action now to shield their data and products from cyber-attacks – in the interests of maintaining their competitive position but also with a view to protecting their customers, employees and owners, and indeed society as a whole," says Carsten Rossbach in summary.

Think:Act

Cyber-Security


Managing threat scenarios in manufacturing companies

Published March 2015.