[BreachExchange] Which Industries Are The Biggest Security Targets?

Audrey McNeil audrey at riskbasedsecurity.com
Wed Jul 12 19:09:17 EDT 2017


http://resources.infosecinstitute.com/category/enterprise/securityawareness/security-awareness-dangers-by-industry/


Security is a business issue and should be top priority for ALL
organizations, especially given the developments in technology and the
fast-paced information dissemination. In fact, regardless of your
organization’s size and industry, the threat of a security breach is just
not a risk to be ignored. This is because security risks, when poorly
managed, can result in consequences that range from slight, as in small
penalties levied against the organization, to grave, as in loss of personal
information, ruin of jobs and danger to the community for government
agencies. It must be noted that various systems that offer security are
available for the use of organizations, as well as seminars for employees
and broad-spectrum staff that teach them about the importance of protecting
organizational information, the risks of information maladministration, and
the know-how on what to do to handle said information securely.

That being said, not all organizations take it upon themselves to
institutionalize risk management and security awareness in their respective
workplaces. In addition, some business organizations may have enterprise
risk management on their books, but its implementation and their
security mechanisms are outdated and negligent. It can even be argued that
the talks of security in the workplace, especially government agencies, are
off-limits or at least awkward, and thus, people do not really get an
opportunity to know more about it.

Additionally, risk management and security awareness are both yet to be
learned in the sense that the security industry itself is very vulnerable
to capitalism and for-profit leanings. Yet vital to the organization’s
progress and success is establishing and maintaining information security
awareness. An institutionalized security awareness program can ensure the
protection of important private information, as well as avoid huge risks in
the long run. This involves daily training for relevant employees in the
workplace, as security awareness is an ongoing program for all
organizations that wish to maintain a high level of security in their
processes.

What industries are the most targeted?

As mentioned, considering that no government or corporation is safe
from security breaches, and the likes of cybercrime are on the rise, more
and more organizations are becoming aware of the risks and the steps they
can take to avoid said risks. Listed below are just some of the industries
that are considered big targets of security breaches and cybercrime:

Healthcare

It was reported in Healthcare IT News that the healthcare industry had
experienced the highest level of breaches in 2015. From not even placing in
the top five the previous year, the industry has fallen prey to new forms
of cyberhacking due to the nature of customer information they handle, and
the relative lack of knowledge on the industry’s end in terms of security
awareness. IBM reported that cybercriminals are more likely to steal data
from hospitals’ databases because their security systems are usually
outdated, despite the fact that the data they handle are vulnerable (e.g.,
email addresses, social security system numbers, address and contact
details). Even their employees’ private information is usually left
unencrypted.

What could be a strong motivation for institutions in the healthcare
industry to scale up their systems is the fact that, according to the PwC
Health Research Institute, the consequences of healthcare security breaches
may cost up to $200 per patient record, including post-breach losses like
organizational reputational damage and consequent lost business. This is
shocking considering the average $8 per patient record fee to prevent said
breaches. That being said, anticipate an incredible increase in the
healthcare industry’s spending on preventing data system intrusion, as some
healthcare organizations are now learning to take preventive cyber medicine
to soften the blows of the hacks they receive.

Manufacturing

The manufacturing sector, which includes automotive, electronics, and
pharmaceutical companies, has always been a vulnerable industry when it
comes to cybercrime and security breaches. This is because many cyber
attackers are financially motivated and therefore are more likely to hack
corporations where they can demand a higher amount of money, as well as
sell information to competitors. Intellectual property is also incredibly
valuable and so attackers may also be after that.

Shockingly enough, the manufacturing sector has not been held to a high
standard when it comes to security compliance and risk management as
compared to financial services, which renders it more vulnerable to cyber
hacking and malware.

Financial Services

Consider financial services, such as banks, a hacker favorite, given the
nature of the private information these organizations handle on a daily
basis. The most cyber-attacked industry of 2014, financial services have
learned their lesson and have decided to invest heavily in cybercrime
security awareness, especially big international banks like J.P. Morgan,
Citibank, and Wells Fargo in the United States.

What is interesting about the attractiveness of financial services in terms
of cybercrime is how cybercriminals go about the act of
hacking the systems. It has been learned that lost portable devices (e.g.,
cellular devices) and insider threats are the main reasons for security
compromise in banks and other finance institutions. Of course, hacking and
malware are considerable reasons for security breaches as well, especially
given the changing times and shifting realities with regard to
technological advancements. Lastly, it must also be noted that banks handle
a ton of money – if that is not obvious already – so there is already the
added temptation to steal data from them.

Government Agencies

High-profile security breaches are probably the most covered media-wise,
and it does not lessen the number of crimes committed against the
government in terms of security breaches in any way. In fact, 2015 saw an
incredible rise in cyberattacks against government, notably in the United
States and Turkey. An attack in the former saw millions of employee records
exposed, including digitized prints. As for the latter, half a hundred
million Turkish citizens were put at risk as communal records were put on
blast for everyone’s consumption.

It must be said that many people and organizations can benefit from a
government’s information system being compromised, including other states,
militant and crime groups, etc. It is in this regard that governments must
take extra steps to ensure their security, including involving employees in
security awareness training.

Education

Similar to the healthcare industry, the education industry is a chest full
of gold, if you consider private contact information, credit card details,
and government IDs as such. Additionally, educational records are sought
after given their value to people looking to change identities and trick
their way into employment opportunities. Of course, some people hack their
schools to change grades, delete records, and take other measures to alter
student information in the systems.

Hacking and malware are considered the most common cyber threats to
education, which makes sense if one considers the sheer amount of computer
activity in schools on a daily basis. Students, educators, and other
employees access an array of websites and software, some more personal than
others. If users are unable to terminate their sessions, their private
identifiable data is public to anyone who can perform simple hacking
techniques. As a result, unintended exposure is an actual threat to anyone
who decides to access their accounts through school computers.

Despite the fact that cybercrime has been declining in the education
industry, it nonetheless has continued to happen and must be prevented. As
the main research hub, universities and other institutions for higher
education have been singled out for sophisticated knowledge and other
relevant information in terms of advancements in technology, medicine and
manufacturing – all of which are high-gain and very profitable sectors.

What industries are adopting security awareness the fastest?

Security awareness is the knowledge and attitudes of employees, and the
institutionalized organizational process regarding the protection of the
assets – usually informational – of the organization. Most organizations
that undergo the implementation of an effective security awareness program
are able to at least control risks when they are experienced and, at best,
even prevent such losses from occurring. Risk awareness and knowledge
of available safeguards are at the forefront of breach defense, especially
with regard to information systems and other processes of this kind.

Security awareness training and implementation cover a variety of topics,
including the nature of information and assets that employees get in
contact with and have to proactively work toward protecting. Additionally,
security awareness runs through the discussion of nondisclosure agreements,
and the responsibility of administrative staff and contractors in terms of
handling this sensitive information.

Specific to physical assets of an organization, employees have to learn the
basic requirements of proper management of data, which means marking,
storage, and destruction. On the other hand, with regard to computer data
systems, members of the organization have to know password policies,
methods of two-factor authentication and malware.

Lastly, security awareness in the workplace involves general workplace
security (e.g., wearing IDs), and the grave consequences of compromising
the organization’s security. Security awareness is all these things and
more, as understood by those who have adopted the programs.

In other words, being security aware means that one understands the grave
potential of losing data as some individuals or groups may deliberately
attempt to steal, misuse and/or damage said organizational information in
the databases and systems of the victim organization. In turn, one performs
processes that involve the protection of database systems, as well as
general support of the institutional assets (physical, informational and
even personal) aimed at the prevention of security breaches. Security
awareness is a shift not only in institutions but also in behavior; in
fact, it can be said that security awareness programs target not only
breach prevention, but also challenge the view that security measures are
restrictive when they are in fact enablers of further success.

In terms of industries that are greatly affected by cybercrime yet follow
through by adopting an efficient cybersecurity program, one can note that
the large corporate industries are taking the lead in terms of taking high
level measures to protect classified information and maintain a good level
of security awareness in the workplace. More specifically, it has been
known that retail corporations, financial services and the healthcare
industry are spending hundreds of millions of dollars to ensure that their
information is safe and intact, as well as immensely protected with various
software and physical containments. Retail corporations have time and again
fallen prey to hackers, and have since learned their lesson. Based on the
infamous Target security breach, for-profit companies have since spent more
from the get-go to make sure they spend less in the long run.

Banks, on the other hand, handle sensitive information on a daily basis,
including mergers and acquisitions, and other intellectual property. They
then have to invest in security awareness programs that will ensure their
customers’ privacy, as well as their own. It has been learned that the big
banks have started to beef up their cyber security on all fronts, and this
is evident in the further decline of cybercrime in finance-related cases.

The healthcare industry, as mentioned, is 2015’s biggest cybercrime
target. That being said, many corporations in this industry have since
upgraded their systems to accommodate the rising threats. Given the sudden
increase of theft in the data front of hospitals and other care facilities,
industry leaders have started to pay for employees’ training in data
encryption and protection. Furthermore, risks are also known to the
customer base, which allows every stakeholder to engage in more secure
manners of sharing personal information.