Half of Russian Enterprises Show Alarmingly Low Cybersecurity Management Maturity, According to Jet Infosystems

«Jet Infosystems» has published the findings of a study regarding the state of cybersecurity in Russia’s industrial sector. Experts found that 50% of companies exhibit a low level of maturity in information security process management across the organization, while 32% do not implement essential information security processes in automated control systems.

The research revealed that 45% of Russian industrial firms have an average cybersecurity process maturity level that is extremely low (on the CMMI scale: either ‘initial’ or ‘nonexistent’). Basic protective measures for automated control systems, as stipulated by regulatory documents, are often implemented only on paper. The experience of «Jet Infosystems» in information security audits confirms that such measures are frequently inadequate to defend against APT attacks. This superficial compliance leads to wasted resources and a lack of real security.

Furthermore, 31% of industrial sector companies reported an overall increase in cybersecurity incidents over 2024. Meanwhile, 39% do not track statistics due to the absence of incident management processes, complicating threat analysis and the development of effective protective measures. Serious vulnerabilities are created by low employee awareness and insufficient access control, especially regarding contractors, with over 36% of firms not imposing access requirements for contractor personnel in their IT infrastructure.

A critical aspect of the study is the assessment of cyber resilience. Despite significant concern over ransomware (expressed by 69% of companies), businesses often fail to properly plan for incident recovery, test their plans, and ensure the safety of backup systems. This neglect significantly reduces their ability to recover quickly from attacks and minimize operational downtime. A lack of proactive measures, evident in the absence of initiatives to improve security settings for automated control system components (44% of companies), further exacerbates the situation.

*“Merely adhering to regulatory requirements is insufficient to guard against modern cyber threats, and if an attack is successful, businesses may face prolonged downtimes and substantial financial losses. Effective protection necessitates not only the implementation of basic measures but also their adaptation to the specific needs of the enterprise, threat modeling, the evolution of information security processes, and enhancing employee awareness,”* states **Ilya Volozhanin, an information security expert at «Jet Infosystems»**.