An evolving cyber-threat landscape has led to sectors that were traditionally lesser targeted having to up their security game. Maxwell Cooter takes a look at the varying cybersecurity challenges that each sector is currently facing.
What companies and which sectors are most at risk when it comes to computer crime? In the days before the internet, the answer was obvious. When bank robber Willy Sutton was asked why he robbed banks, his reputed answer “because that’s where the money is” entered into folklore as the Sutton Effect.
Financial institutions held money and, as such, were a prominent target for cyber-criminals. We’re in a new world now, a world in which data is the new currency; or, in the words of mathematician Clive Humby, “the new oil.”
This realization that personal data is a valuable commodity in its own right has changed the landscape for organizations. It’s not just banks and other financial businesses that are at risk, but every type of institution. Indeed, according to research from the UK National Cyber Security Centre, charities are one of the vertical sectors most at risk from cyber-criminals. The research pointed out that last year an unnamed UK charity lost £13,000 after a CEO’s email was hacked and funds were released after a fraudulent message was sent.
This is a vertical sector that would not have been a cyber-criminal’s highest priority 15 or 20 years ago, but the dizzying growth in online transactions has meant that every organization – large or small, public or private – is now fair game. In fact, charities by their very nature won’t have invested heavily in security measures and are probably more at risk than many other sectors.
"It’s not just banks and other financial businesses that are at risk, but every type of institution."
Money Doesn’t Go Out of Fashion
That’s not to say, however, that financial organizations are not the main target for cybercrime. Security consultant, Kevin Borley, says that 95% of company attacks will be on financial institutions.
“Although, that’s nothing compared to the attacks on defense and military, that really is warfare...literally,” he says.
The figures back up Borley’s surmise. According to the IBM X-Force security index, 27% of the security incidents in 2017 were in the finance sector: 17% of all attacks also targeted this particular vertical sector.
While there are plenty of attempts to penetrate the core of financial companies, there’s less success in getting through. Financial organizations, while prepared for almost constant attack, are often better equipped to ride out cyber-attacks. The finance sector has a long history of security measures; the ones with the vast sums spent on security systems and the ones who have appointed top-notch security experts.
However, there’s a caveat when dealing with cybersecurity: how can we be sure that everything is being reported? The answer to this is: we can’t, and we have to admit that the figures we’re working with are an approximation based on guesswork put together after the event.
As an example of how hard it is to establish just how many attacks there are out there, look at what has been reported. The number of cyber-attacks against financial services companies reported to the Financial Conduct Authority (FCA) rose by more than 80% in 2017. The numbers are small, however; despite the stiff increase, just 69 cyber-incidents were reported. Whilst that’s 31 more than in 2016 and 45 more than the previous year, it’s probably a massive under-reporting of attacks – there are certain to be many more such incidents.
When you look at the effect of such attacks, however, it’s easy to understand why companies are loath to report them. While they’re obviously keen to protect their assets, the effects go a lot further than financial loss – there’s the reputational damage too.
Last year, the Oxford Economics research group looked at the effect of cyber-attacks on various industries and, in particular, on share prices, for that’s one way that effective attacks can really hit businesses. The group found that the average share price loss was just 1.8% but that figure masked a wide discrepancy across sectors: in the financial sector, the average fall in share price was 2.7% while the average fall in retail was just 0.4%. Individual companies could take an even bigger hit: the Oxford Economics group found one media company had seen its share price fall 15% after a successful attack.
Research in the US found that three vertical sectors were particularly at risk: financial organizations (where 24% of cyber-attacks took place), healthcare (hit by 15% of attacks) and the public sector (12% of all breaches).
Public Sector
The public sector looks high given that it’s not an area that is generally awash with money, but, as Gartner research director Ruggero Contu points out, there are a variety of different sectors all falling under the banner of public sector.
“There are many different elements here: it’s not true to say that there are no financial elements – there are tax offices, for example, but there are also things like passport offices where there may be no direct financial gain but forged passports could be used for this purpose,” says Contu.
One of the key aspects of attacks on the public sector is one of the same reasons why charities are vulnerable – they’re not generally heavy spenders when it comes to implementing security measures – tax offices will be, but public sector expenditure is tightly controlled. Notably of course, secrecy is important in many public sector areas.
That’s going to change in Europe when the GDPR comes into play. With such heavy penalties in place, organizations are going to have to be more careful about how they handle security breaches. However, Gartner’s Contu says that GDPR shouldn’t be seen as some sort of universal elixir. “It’s difficult to say what the effects will be until member states implement legislation. The protection will be stronger, but we’ll have to see how strong.”
He says that Europe has been lagging behind the US when it comes to protection. "Traditionally, the US has had high levels of security and has been ahead of Europe.”
Borley has witnessed this too. He has been working in aviation security for the past couple of years and he says that Europe is catching up with the work that the US has been doing in this sector.
Areas where we can expect to see large increases in attacks in coming years are industries like energy, manufacturing and utilities. According to research from Skybox Security Research Lab, there has been a 120% increase in attacks in these vertical sectors in the last year.
Marina Kidron, research director for Skybox, says that this reflects the growing importance of connected technologies. “This shows the significant increase in risk for cyber-attack: expanding the attack surface means expanding the opportunities for the attackers. The number of successful cyber-attacks that are publicly known is very small, but the potential damage of one successful attack is huge. Therefore it is not about the numbers in terms of previously discovered attacks, it is about the potential risk and threat level. Operational technology security is moving slower than IT – it has some unique challenges and therefore a gap to overcome.”
Borley agrees and sees some significant problems ahead for all industries making use of such devices. “There are two worlds here: the IP network world and the programmable device one. IT security efforts have been concentrated more on IT networks and less on industrial systems.”
"It is not about the numbers in terms of previously discovered attacks, it is about the potential risk and threat level."
Airplanes, Nuclear and Healthcare
“I’ve been working in the aviation sector for the past couple of years,” Borley says, and can see areas where attacks could be made. “For example, you can compromise the baggage system by directing luggage to somewhere where it shouldn’t be.”
He adds that there’s an exception to this, however. “In the nuclear world, the connection between IP and industrial systems is wired in – they actually design for it as the stakes are so high.”
Clearly, the advent of such devices is going to change the landscape for several industries. Skybox’s Kidron points out that healthcare is an area that is extremely vulnerable: “the healthcare sector is more vulnerable, in potential and in practice. There is a low security awareness of frontline staff in general, and the presence of IoT devices also puts the sector at risk as IoT devices are considered to be less secure than non-IoT devices in general.”
There’s a particular reason why healthcare is a fruitful area for cyber-attackers. “Healthcare information is very valuable to attackers, as it cannot be changed (as opposed to a credit card number or even a social security number).”
Kidron says that the healthcare industry is aware of the problem and is trying to deal with it. “Last year, ransomware attacks made headlines when WannaCry hit the NHS, but there were additional cases. Today, we see a shift from ransomware to cryptocurrency minders, and the healthcare sector is still very vulnerable and relevant.”
Healthcare CIOs are certainly feeling the pressure. According to research from Gartner, 74% of decision makers in this sector believe that the new digital environment is increasing the risks for the industry. That’s higher than any other sector – 69% of financial respondents believed that and 71% of manufacturing CIOs held that view.
It’s clear that the IT landscape for the coming years offers a variety of threats to industries. The financial sector is under the biggest threat but has had decades coping with this. It is the sectors like healthcare and manufacturing, where there’s a new generation of threats and not the corresponding infrastructure to fight them, which are going to be in most trouble.