Cybercriminals are adapting techniques they’ve used successfully against financial service companies to breach other data-rich industries. Here’s a list of who’s on their hit list.
It was barely more than a decade ago that data breaches didn’t register as a major concern for companies. But cybercrime is exploding – costing the world an estimated $600 billion in 2017 – and the potential reputational damage and major financial losses that follow a successful attack rank high on every company’s agenda.
Cybercrime has become a permanent and alarming risk for organizations of all sizes and industry backgrounds. The average cost for every lost or stolen record containing confidential information is $148, according to a 2018 data breach study by the Ponemon Institute and IBM. Businesses storing sensitive and personal information are the most coveted targets of cybercrime. But data breaches aren’t the only risk. Crippling attacks like ransomware are emerging as key cybersecurity threats.
Ransomware demands that businesses pay a ransom in order to recover data held hostage by the attack. The FBI reports that an average of 4,000 ransomware attacks have occurred every day since the beginning of 2016.
Cybercriminals, who have long preyed on the financial industry for obvious reasons, have moved on to target other industries. Read on to discover if yours is one of them and if you are taking enough precautions to safeguard your organization.
The 2015 attack against Anthem ranks as one of the worst data breaches of all time, pillaging Social Security numbers, names, and other sensitive information from up to 80 million of the health insurance giant’s customers.
In 2016, at least one healthcare company breach occurred every day. In the first five months of 2018, the situation only intensified as the number of people impacted by healthcare data breaches surged more than 1,000 percent. Healthcare data breaches cost a staggering $408 per record, Ponemon reports – nearly three times the cross-industry average.
So, why healthcare? This industry often lags when it comes to information security. Cost-cutting measures have left many healthcare organizations reliant on unpatched legacy systems. Electronic healthcare records also are chock full of personal information that fetches a handsome price on the dark web.
While other industries have started to feel the heat, financial services remain a prime target. The financial sector is attacked 65 percent more often than other industries – and it’s easy to understand why. Credit card details, password information, bank account details, investment records – that’s just the beginning of the valuable data that’s stored and regularly accessed by financial services companies online. More than 200 million financial records were breached in 2016 alone, a staggering 937 percent increase over the previous year. Cybercriminals continue to strike at the heart of U.S. finance, with significant breaches impacting major institutions like JPMorgan Chase, Equifax, and even the Securities and Exchange Commission.
Financial companies also suffer the highest direct costs from cyber-attacks of any industry, averaging annualized costs in the United States of $18.28 million per company in 2017 – a 40 percent increase in three years. And in an industry where reputation is everything, indirect costs can climb even higher. Some 60 percent of consumers said they would stop using a bank after a data breach.
Educational institutions have become major targets for cybercrime – and because children are involved, the implications are especially serious. In 2016, education surpassed health care and the government as the biggest target of ransomware attacks. More than 1.35 million identities were exposed in attacks against higher educational institutions in 2015.
Educational institutions are a near-perfect target for hackers. Besides the sheer volume of personal, healthcare, and financial information they store on students, parents, and staff, their security measures tend to be light. That’s partly because they were largely unscathed by cybercrime in the past, and partly because their computer systems were designed for easy access by students and parents.
Further complicating matters is that schools have less control over devices that connect to their networks. Many allow students to bring personal devices to class, and a malware-infected laptop can quickly compromise other systems.
While not previously considered very “attackable,” manufacturing has become one of the most regularly targeted industries in recent years. Nearly 40 percent of cyber-attacks in 2016 targeted this sector, according to a ComputerWeekly.com report. In fact, during the second quarter of 2017, manufacturing surpassed finance and healthcare as the biggest target of cybercrime, according to the report.
The increased interest from hackers is largely attributed to three factors: the value of manufacturers’ intellectual property, industrial control systems that are often left unguarded, and a focus on enhancing productivity and efficiency at manufacturing facilities instead of cybersecurity. Improvements made to increase automation and cut costs further increase the sector’s vulnerability, widening the attack surface with Internet of Things (IoT) devices, robotics, and human-machine interfaces.
Manufacturers in the pharmaceutical, defense, and chemical sectors hold critical data that hackers can sell or use for political gain, from business secrets to breakthroughs in research and development. More than 20 percent of manufacturers have lost proprietary intellectual property in cyber-attacks, ComputerWeekly.com reports.
The information government agencies hold on their citizens makes them the nation’s biggest source of personal data, from tax records to license registrations to healthcare data. Unfortunately, they also typically have the smallest cybersecurity budgets, making them a good target for cybercrime.
The Government Accountability Office found that the number of cyber-attacks against U.S. government agencies soared by 1,300 percent between 2006 and 2015, reaching 77,000. That same year, hackers hired by the government found 138 security flaws on five Pentagon websites.
Most alarming is the motivation for cyber-attacks against government agencies, which often come from political groups, terrorist organizations, or malicious nation-states. In 2015, Chinese hackers stole the fingerprints of more than 5.6 million Americans from the State Department in one of the most severe attacks ever launched against a U.S. government agency.
Hackers are taking advantage of two important truths about the legal sector: First, law firms store sensitive information about their clients, financial data, and documents about patents, litigation, and pending mergers and acquisitions. Second, many law firms have inadequate cybersecurity practices.
Corporations are urging the legal sector to step up its cybersecurity game as hackers realize that even if they are thwarted by robust security at a company, they can get the data they desire by turning their attention to its law firm.
About 80 percent of the largest law firms in the U.S. have experienced a malicious breach. IT consultancy Logicforce reported more than 10,000 network intrusion attempts every day in 2016 across just 200 law firms. Forty percent of those law firms did not know they had been breached.
Energy and utility companies are alarming targets, as they are vulnerable to hackers interested in harming a particular city, state, or country. In March, the U.S. accused Russia of a wide-ranging cyber-assault on its energy grid and other key parts of its infrastructure that began in 2016. Officials claimed Russia placed malware in the operating systems of several organizations in the country’s energy, nuclear, water, and “critical manufacturing” sectors.
Utilities and energy companies suffered the second-largest impact from cyber-attacks in 2017, with annualized costs of $17.2 million in the United States. But a Deloitte report asserts that many energy companies shrug off cybersecurity concerns, with only a handful citing cyber-breaches as a major risk in their annual filings. Despite the growing number of attacks and the national security implications they can cause, many of the industry’s decision makers remain complacent about cybersecurity.
Many don’t understand that the remote operations that make them feel safe also make them a target, giving hackers a chance to tap into energy networks by locating near them. Researchers from the University of Tulsa recently proved how easy it is to seize control of an entire farm of wind turbines. After picking a lock on an unsupervised turbine’s door and accessing the unsecured server closet within, the researchers were able to drive miles into the surrounding rural fields and use their laptops to control the farm.
Cybercrime is on the rise and a growing number of industries are being targeted.
Fortunately, the Online Trust Alliance asserts that more than 90 percent of data breaches could have been prevented by implementing cybersecurity best practices. That includes having a solid cybersecurity plan in place, following basic compliance processes, implementing proactive detection and response, and training employees to spot suspicious behavior.
An experienced cybersecurity provider can help you assess your risk and shore up the security holes in your organization before a clever hacker walks through them.
Absolute Logic’s clients across four states and 40 industries are guided safely through the threat landscape. Our Absolute Security powered by CyberGuard360 includes a wide array of services such as system security suites, risk assessment, education, and training and disaster recovery, and we specialize in helping New York companies comply with 23 NYCRR 500. If you’d like us to put our expertise to work for you, we’d be happy to help. Call us at 844-315-9882 or use our contact form for a free consultation.