2018 Cybersecurity Trends to Watch
We’ve often discussed how internal threats in the healthcare industry outweigh outside attackers in causing data breaches. This remains true, according to Verizon’s latest Data Breach Investigation Report (DBIR). What’s interesting, however, is that this pattern is exclusive to this vertical and reversed in others. In education, finance, etc., external actors pose the greater risk.
The methods remain similar, although in different proportions. Ransomware has leapt from 4th place to 1st in the last year to become the leading malware strain, appearing in 39% of the DBIR’s cases. DDoS, phishing and other types of social engineering, especially those targeting human resources departments and business-critical systems, are also on the rise.
The full report and data set are over at Verizon. It’s all quite interesting, and reinforces the same prescriptions usually given: employee training, segmented networks, restricted access, and of course encryption. These steps are particularly crucial now, with nation-state actors and organized crime stepping up their game. And stepping it up they are. After all, both Microsoft and Facebook made the news in December for helping divert North Korean cyberattack efforts. This is to say nothing of election controversies in the US, which only look to intensify as the 2018 midterms draw near.
Checking on the status of the Internet of Things reveals further concerns. We’ve long heard the predictions of between 20 and 50 billion connected devices by 2020. And yet, security spending in this area is often insufficient or misdirected. Data protection remains a lower priority on too many devices, with less than half of IoT budgets used for the purpose. As a result, according to Cisco CTO Kevin Bloch, around three-fourths of IoT devices qualify as “failing.”
Remedies for this situation start at the top. C-suite executives need to give far more consideration to cybersecurity, allocate appropriate budget, and treat it as the crucial, profit-relevant area it is. With GDPR just around the corner, and all the regulations and potential fines it brings, compliance with best security practices has never been more important.