Every industry faces the threat of a data breach, but how those breaches are actually carried out can vary significantly from industry to industry. By understanding the motivations behind each cyber-attack, companies can better ensure that they focus their security efforts on the most vulnerable areas.
According to Verizon’s 2016 Data Breach Investigations Report, 95% of 2,260 security breaches analyzed fit into nine core incident patterns. Per industry, however, the majority of threats fall into just three threat patterns.
“What we’re trying to do here is to get people to think a little bit differently about vulnerabilities and not just play whack-a-mole,” says Mark Spitler, the report’s lead author. Companies want to be cognizant of which of these vulnerabilities are being exploited, he says. The nine threat patterns identified in the report are:
Miscellaneous errors: Any unintentional action or mistake that compromises security, excluding the loss of assets (17.7%)
Insider and privilege misuse: Incidents involving misuse by insiders (16.3%)
Physical theft and loss: Loss or theft of laptops, USB drives, papers and other information assets (15.1%)
Denial of service: The use of botnets—a “zombie” army of computers—to overwhelm a company with malicious traffic, bringing its operations to a halt (15%)
Crimeware: Any use of malware that doesn’t fit into a specific pattern (12.4%)
Web app attack: Where a web app—such as a content management system or e-commerce platform—was used as a means of entry (8.3%)
Point-of-sale intrusion: When attackers compromise the computers and servers that run PoS applications (0.8%)
Cyber-espionage: Attacks motivated by espionage carried out by state-affiliated actors (0.4%)
Payment card skimmers: Incidents involving physical installation of a device on an ATM, gas pump, or PoS terminal that intercepts card data (0.2%)
Across all industries, most cyber-attacks are motivated by greed. Because cyber attackers seek data that provides the most value, they are continuously seeking new information. As payment card information has declined in value, for example, attackers are now going after more lucrative targets, such as protected health information and intellectual property.
An assessment of the top three most commonly attacked industries, and the three most common threats in each industry based on data in the Verizon data breach report, is discussed below.
According to Verizon’s data breach report, 73% of incidents in the healthcare industry resulted from physical theft and loss; insider and privilege misuse; and miscellaneous errors. Physical theft and loss, in particular, “is a bigger problem for healthcare than for any other sector,” the report stated. Many security incidents, for example, often result from a lost laptop or mobile device, but the biggest threat of a data breach is from lost or stolen documents.
One preventative measure is to “keep a record of common errors that have occurred in the past,” the report stated. “You can use this to improve security awareness training and measure the effectiveness of your controls.”
According to a new healthcare breach report conducted by the Ponemon Institute, a research “think tank” dedicated to advancing privacy and data protection practices, 69 percent of healthcare organizations polled said that employee negligence continues to pose the greatest concern. Another 45 percent said cyber-attackers, and 30 percent cited the use of insecure mobile devices.
Contrary to these concerns, the Ponemon Institute report found that criminal attacks are the root cause of most data breaches. Fifty percent of healthcare organizations reported the breach as a criminal attack, while 41 percent of respondents said it was caused by a third-party snafu, and 39 percent of respondents said it was due to a stolen computing device. Only 36 percent said it was caused by an unintentional employee action.
Whether caused by an insider or external threat, data breaches plague the healthcare industry more than any other industry. This is because electronic health records—rich in credit card data, social security numbers, employment information and medical records—fetch a high price on the black market. Ransomware—when attackers encrypt the contents of a device and then demand a ransom to unlock the data—is one of the top cyber threats facing healthcare organizations. “Those kinds of attacks are starting to happen at a greater frequency,” says Larry Ponemon, founder of the Ponemon Institute. Malware and denial-of-service attacks are also common threats in the healthcare industry.
In the Verizon report, 55% of incidents in the manufacturing industry resulted from denial-of-service attacks; cyber espionage; and insider and privilege misuse. According to a separate data breach report conducted by IBM Security, manufacturing—including automotive, electronics, textile and pharmaceutical companies—experienced the second highest number of data breaches last year, after healthcare.
Because many attacks are financially motivated, cyber thieves often go after corporate networks, seeking intellectual property, trade secrets, or other sensitive information. “They’re not targeting servers all the time,” says John Kuhn, senior threat researcher at IBM Security. “They’re going after people, because people are easier to manipulate.”
Below is a list of key takeaways from the Verizon 2016 Data Breach Investigations Report.
Be vigilant: Systems can give you early warning of a breach.
Make people your first line of defense: Train staff to spot the warning signs.
Only keep data on a “need to know” basis: Only staff that need access to systems to do their jobs should have it.
Patch promptly: This could guard against many attacks.
Encrypt sensitive data: Make your data next to useless if it is stolen.
Use two-factor authentication: This can limit the damage that can be done with lost or stolen credentials.
Don’t forget physical security: Not all data theft happens online.
Source: Verizon 2016 Breach Investigations Report.
Malware gets onto a company’s system, for example, when someone clicks on a malicious e-mail or visits an infected website. “At that point, the outsider becomes an insider,” Kuhn says. “The person who works for the company becomes an inadvertent actor.”
To prevent cyber-espionage, the Verizon report recommends such proactive measures as patching known vulnerabilities promptly and segregating systems. To prevent a denial-of-service attack, the report recommends not only segregating servers, but also having a solid understanding of your service level agreements for denial-of-service mitigation. “Make sure your cloud service providers have solutions in place to protect the availability of their services and infrastructure,” the report states.
In the financial services industry, 88% of incidents resulted from web app attacks; denial-of-service attacks; and cyber espionage, according to the Verizon report. “Many web app attacks are indiscriminate—the attackers found a weak target with a vulnerability they could compromise; or got a foothold through a phishing campaign,” the report stated. Phishing is a term used to describe when employees are tricked into opening an infected e-mail attachment or browsing to a malicious website disguised as a trusted destination. According to the Verizon report, employees opened almost a third (30%) of phishing messages, and 12% of targets went on to open the malicious attachment or click the link.
Thus, it’s important to do security awareness training by helping employees look for red flags that may indicate that the e-mail is malicious. Then have an efficient avenue for them to report it.
To prevent phishing, training is critical. This can include sending employees mock spear phishing e-mails, “but you have to make sure that your message changes over time and matures over time,” says Steve Conrad, managing director at MediaPro, an e-learning software firm.
Rather than investing in firewalls or other types of technical solutions to protect against an intrusion, “assuming you may have a breach at this point is important,” says Rick Kam, president of ID Experts, a data breach software and services provider.
In all industries, the human element continues to be one of the most prevalent causes of a data breach. “Treat it like you would any other threat vector,” says Conrad. “Don’t treat it as an afterthought.”
Companies continually refresh their antivirus, firewall, and malware software; people need to be continually refreshed the same way, Conrad adds. Training needs to be communicated and reinforced on a quarterly or monthly basis and improved over time, depending on what tactics are working and what is not working. “If you’re doing all of that,” he says, “you have a well-established training program.”