The Next Big Hack. Are You Next?

As we roll into 2018, there are conversations happening in every boardroom about cyber risk. (And if not, call us, there should be conversations happening in every boardroom about cyber risk.) While no industry or organization is safe from a hacker’s keystroke or an information leak, let’s look at the top three industries that appear to have the greatest risk. So, are you safe if you aren’t in these industries? Nope. But if you are, take a close read. You could be next.

Financial and Insurance Services

The financial industry continues to be a prime target for cyber criminals. It stands to reason that cyber criminals would focus on the financial sector, as the motive is clear: money. There are lots of different types of bad guys in this sector depending on your area of financial services. For one, investment banks generally have different worries than commercial banks; yet preparedness and an understanding of cyber risk apply to the whole sector.

One interesting mechanism for review, especially if you are in the financial sector, is DarkOwl’s Darknet Index, which reviews the Fortune 500’s footprint on the darknet or dark web. DarkOwl measures one element of cybersecurity risk by calculating its DARKINT™ scores (short for “Darknet Intelligence”). The takeaway? The higher the score, the greater the risk or, as DarkOwl puts it, “the attractiveness of a target” company to the cyber criminals.

In reviewing the December 2017 Darknet Index, financial firms occupy three of the top 10 and seven of the top 25. This doesn’t come as any real surprise, as personal data is readily accessible on the dark web and financial institutions hold treasure troves of personal data. And a U.S. financial sector breach is expensive, the second most expensive in fact, according to Ponemon Institute’s 2017 Cost of a Data Breach Study.

According to the 2017 Verizon Data Breach Incident Report, 71% of data compromised in the financial industry is user credential data. Yes, the bad guys still want access to your usernames, passwords, and verification PINs. Despite the many protection measures implemented across the sector, financially motivated hackers continue to find clever ways to fraudulently drain your accounts or use your personal data for identity theft. So what conversations should your boardroom be hosting if you’re in the financial sector? You should be having conversations about cyber risk and the specific, prioritized actions, policies, and controls in place to limit that risk.

 

Frequency: 998 incidents, 471 with confirmed data disclosure

Threat Actors: 94% External, 6% Internal, <1% Personal

Actor Motives: 96% Financial, 1% Espionage (all incidents)

Source: 2017 Verizon Data Breach Incident Report


Health Care

The December 2017 Darknet Index shows only one healthcare organization in the top 25. This might seem like good news if you’re a healthcare exec, but healthcare information security is complicated and challenging for many reasons. It’s also the most expensive U.S. industry when a breach occurs. According to Ponemon Institute’s 2017 Study, the healthcare industry has a staggering average cost of $12M per data breach.

[Figure] Source: Ponemon Institute’s 2017 Cost of a Data Breach Study

If you are an executive in the healthcare industry, then you will find yourself thinking about cyber risk impact and preparedness in many ways, from training your people to a policy around ransomware, which represented 72% of healthcare malware incidents according to the most recent Verizon report. And as the industry as a whole continues to transition from paper-based records to electronic ones, business leaders in this sector need to ensure the safekeeping of those digital records.

Frequency: 458 incidents, 296 with confirmed data disclosure

Threat Actors: 32% External, 68% Internal, 6% Partner (breaches)

Actor Motives: 64% Financial, 23% Fun, 7% Grudge (breaches)

Source: 2017 Verizon Data Breach Incident Report


Retail

Retail as a whole, and point-of-sale systems specifically, represent significant targets for cyber criminals seeking credit and debit card numbers. The retail segment encompasses both brick-and-mortar and online, though the attack surfaces in each are very different and require different cyber resilience planning.

[Figure] Source: Ponemon Institute’s 2017 Cost of a Data Breach Study

 

While there are just a couple of companies in the Darknet Index’s top 25, it is interesting that 80% of the incidents reported in the most recent Verizon Data Breach Incident Report resulted from hacking. And according to Ponemon Institute’s 2017 Study, the U.S. retail sector faces an average data breach cost of $5.8M despite its efforts to protect your payment card information from greedy hackers. If you’re on the board of a retail company, do you know whether you have mitigation plans? Have you done your due diligence on your third-party vendors and suppliers?

Frequency: 326 incidents, 93 with confirmed data disclosure

Threat Actors: 92% External, 7% Internal, <1% Partner (incidents)

Actor Motives: 96% Financial, 2% Espionage, 2% Curiosity (incidents)

Source: 2017 Verizon Data Breach Incident Report


Small Businesses

So your company isn’t among the top 25 of the Darknet Index or even in the Fortune 500 or 1000. Does that mean you shouldn’t worry about being the next company to get hacked? That’s a big no. You should be worried, but better yet, you should get prepared. If you’re the CEO and you get hit with a ransomware attack, are you going to pay to restore your data? Do you have a plan?

In early 2017, it was reported that roughly half of the previous 12 months’ cyber attacks targeted small businesses – approximately 14 million of them. Hacks in the small business sector are big business.

Are You Next?

What would you do if you knew you really were next in line to get hacked? As you think about your priorities for 2018, think about your organization’s cyber risk preparedness and your ability as an executive to understand cyber risk as an enterprise risk. We’re here to help. We offer a variety of custom programs that can be delivered privately to your organization or as part of an executive retreat.