Cyber-attacks and data breaches affecting automakers may be more common than anyone had believed, according to the findings of a newly released survey by the consulting firm KPMG.
Eighty-five percent of C-level automotive officers interviewed by the firm reported that their companies had been compromised by cyber-attacks in the past 24 months. Only executives from the retail industry were more likely to admit to cyber-attacks in the last two years, KPMG reported.
The firm surveyed 403 C-level executives (CEO, CIO, CISO, CTO) in the automotive, banking, technology and retail sectors. Overall, 81 percent of executives reported that their companies had been compromised in some manner in the preceding two years, with incidents ranging from malware infections to botnets and other scourges.
Retail executives reported the most breaches in the past 24 months, with 89% admitting that they had experienced a cyber incident. Automotive executives were next, followed by banking and technology executives, 76% of whom admitted to experiencing cyber incidents in the preceding two years.
The data is particularly concerning for companies in the automotive sector, where consumers appear to be linking cyber security to safety. A companion survey by KPMG of 750 consumers found that auto industry customers are particularly sensitive to (and worried about) cyber-attacks on vehicles.
"The statistics show that financial services customers are relatively forgiving in the event of a security breach: make amends and they will stay," wrote Gary Silberg, Americas Head of Automotive, KPMG LLP. "Automotive customers are, by comparison, far more likely to abandon a brand over cyber security issues."
Silberg theorizes that this has something to do with the public's familiarity with cyber security incidents in certain contexts. In other words, consumers have become accustomed to hearing about cyber-attacks on banking and financial services firms. Attacks on cars, however, are still a (very) new concept - as is the notion of a car being a target for hackers in the first place. That means the "risks and costs of a misstep may be greater in auto than for many more 'tech-mature' industries," KPMG reported.
That is all the more reason that automotive firms should be doubling down on their investments in information security.
"Cyber-attacks are affecting nearly every single company we encounter, but we're not seeing those attacks drive enough proactive business action as evidenced by the rate of investment made in information security," said Greg Bell, KPMG's Cyber US Leader in a statement. "We're still seeing companies taking a passive or reactive approach toward cyber security, when in fact, cyber security should be a top-line business issue thought about and practiced company-wide."
The automotive industry has made strides towards improving cyber security in recent years, with efforts accelerating after a high profile, wireless hack of a 2014 Jeep Cherokee prompted a recall of 1.4 million vehicles by Fiat Chrysler in 2015. In recent weeks, for example, the automotive industry's Information Sharing and Analysis Center released a best practices document for sharing information about cyber-attacks and threats between industry players.
But the KPMG survey suggests that the industry still lags in important areas, such as information security leadership. Across all industries, 69% of companies reported having a leader in place to oversee cyber security issues. However, just 45% of automotive companies reported having such a position versus 85% of both banks and technology companies.
"There is a cyber-awareness maturity curve for industries that have been providing Internet-enabled products and services for longer periods of time, versus relatively new products like personalized shopping and connected cars," said Bell. "Hackers go after the weakest systems, not often the most traditionally lucrative like banks. However, as products evolve to use more connectivity and data, companies can't afford to get this wrong and let the maturity model hold them back.