
Is Your Cyber Security Up to the Task?
To keep yourself and your business safe – at least as safe as is possible – you need to understand the risks, understand your cyber security’s vulnerabilities, and remain vigilant. No matter who you are, you are at risk.
Understanding the threat means you take it seriously. Taking the threat seriously is the first step in setting up the best cyber security protection for your customers, your employees, and your business in general.
Know the Risks
There’s No One-Size-Fits-All Approach to Cyber Security
Different Industries: Different Threats
Although nearly all businesses have information that hackers may find valuable, the type and profitability of that information vary across the economy. Certain types of attacks are more effective when targeting specific industries. Where are you vulnerable?

The hospitality industry, which includes hotels, restaurants, and other food service businesses, is a popular target for “opportunistic and financially motivated” hackers. The majority of the victims of cyber attacks in this industry are restaurants, often small businesses that have no significant IT resources but routinely accept credit card payments for their services. As one would expect, Point-of-Sale attacks are overwhelmingly the most popular choice for attacks in this industry.

Universities and other educational institutions are a popular target for hackers, most likely due to their large repository of Personally Identifiable Information and research-driven intellectual property. Interestingly, while not among the top three cyber attack tactics used against educational institutions in 2016, Cyber Espionage was in the top three methods of attack for successful breaches, suggesting that skilled state actors are increasingly focusing their attention on America’s educational infrastructure.

This industry is a broad category of businesses that includes everything from financial analysts to insurance underwriting, but its members have one main element in common: control over money. As a result, it’s not too much of a stretch to figure out why these businesses would be a target for hackers. Unsurprisingly, nearly all cyber attacks against financial and insurance institutions are motivated by direct financial gain.

The healthcare industry is a veritable treasure trove of information valuable to hackers. Medical records, usually organized in centralized databases or kept on laptops and tablets, have all the information needed to steal an identity. Focusing only on external actors, however, misses a significant threat – 24% of breaches in 2016 were motivated by personal curiosity.

With businesses ranging from software companies to telecommunications companies, cloud-based providers to online gambling, it’s not too much of a surprise to see that the most common attacks consist of attempts to disrupt service. As for actual data breaches, attackers targeting the Information sector rely on a wide variety of methods, making those breaches even harder to prevent.

Manufacturers are the companies that, per the Verizon 2017 Data Breach Report, “make stuff.” When you “make stuff, there is always someone else who wants to make it better, or at least cheaper.” As you can probably imagine, it’s the information these companies have that hackers want. In fact, although only making up 18% of hacking attempts, cyber espionage accounted for 86% of all breaches – of which 91% of the data compromised consisted of industrial/trade secrets.

The Professional group comprises a large number of business types that provide business-to-business and/or business-to-consumer services, from law firms and accounting firms to landscape architecture companies and high-tech R&D. Unsurprisingly, spear phishing attacks with financial motivation as well as attacks using stolen credentials were among the most common attacks. Lack of information on the effect of a significant number of incidents – preventing identification of breaches, possibly – suggests the failure to report breaches remains a problem.

The public sector is difficult to fully analyze, because it is a treasure trove of information. Unlike other sectors, most government agencies are required to report violations, which can create a lot of noise – the fact that a clerk had an unauthorized program isn’t likely to be something that would be reported in other sectors. However, like the Manufacturing sector, the data is interesting for what was tried (see chart), and what succeeded – cyber espionage was the most successful method of actually breaching a public network. Another scary statistic – 60% of the breaches took at least one year to be discovered.

Comprising both brick-and-mortar and online retailers, the Retail industry as a whole is a popular target for hackers interested in making quick cash. As far as the methods of attack, the prevalence of Denial of Service and Web App Attacks reveals that online retailers are likely to be much more aggressively targeted by hackers, and the most common way online applications are hacked is using customer credentials stolen as part of phishing attacks.
Different Industries, Different Obligations
The threats to respective industries are different, so it only makes sense that different sets of rules should apply. Knowing those rules – as well as who writes and enforces them – is essential for proper cyber security.
Healthcare
Most healthcare providers fall under HIPAA’s rules for securing personal information, but other federal and state regulations may apply in certain circumstances, including payment information.
Financial
The Gramm-Leach-Bliley Act, and subsequent regulations from the FTC, govern the data security requirements for all “financial institutions” – a term that applies to more than just banks!
Legal
While industry-specific laws and regulations will apply to certain law firms, the most pertinent rules will be those promulgated by your applicable state bar ethics committee.
Contractual
Do you have additional obligations imposed by contract? It’s quite possible – especially if you handle data for a client or have a cyber liability insurance policy.
