by Michael Richmond 

SHARE THIS

The news is filled with reports about hospitals, insurance companies and financial institutions that have recently experienced a data breach or suffered outages due to ransomware rendering computer systems inaccessible. Recently Wannacry, and now NotPetya, are attacking both private and governmental networks around the world, with the latest NotPetya variant rendering data lost forever once a computer is infected.  Aside from the public relations nightmare of a data breach, a breach can cause tangible, immediate financial damage to an organization. 

So you may wonder if your own computer system is really safe? While no network or computer is completely secure from a technical standpoint, most major issues can be reasonably solved by having a well-defined, well-executed information security program. 

According to the Verizon Data Breach Investigations Report (VDBIR) for 2017, 43% of all breaches involve social engineering attacks and 93% of those attacks incorporated phishing. Phishing is an attempt to obtain sensitive information such as usernames, passwords and credit card information by sending fraudulent emails that are formatted to appear legitimate. This means that nearly half of all reported data breaches started with attacks focusing on what is arguably the least technical point of entry: employees and customers. Multiple IT security reports and our own social engineering testing consistently show that the “human element” is the weakest link in any network. Our own phishing campaigns have shown failure rates that range from 10% to 40%, depending on the complexity and IT maturity of the organization tested.

43% of all breaches involve social engineering attacks and 93% of those attacks incorporated phishing.

Let’s look specifically at financial institutions and healthcare organizations.

Financial Industry Data Breaches

Within the financial industry, the VDBIR shows that data breaches occurred in 47% of all reported incidents. Most of those breaches used Trojans to steal information. So how does an attacker steal data utilizing a Trojan? A typical exploit scenario might be:

• An attacker sends a malicious attachment through email, typically disguised as a standard document or PDF.
• Once the attachment is opened, malware installs on the device, logs all info and reports it back to the attacker.
• The malware key-logs user credentials or the customer is redirected to a fake website to capture credentials.
• The attacker uses the customer’s actual credentials for malicious purposes.

Healthcare Industry Data Breaches

For the healthcare industry, the data breaches are often unlike traditional breaches. For starters, it is the only industry where the largest threat comes from the inside — the attacker is most commonly an employee of the organization. Securing the huge database of personal medical information proves to be an enormous task because employees need access to that dataset. The inherent problem is that many of the employees are accessing patient data that they may or may not need. In this industry, about 81% of the motive is evenly split between financial gain and curiosity/fun (financial gain is only marginally higher). These statistics are just for breaches; for incidents with no confirmed compromise of data, ransomware accounts for 72% of malware in this industry. Here again, the “human element” is the weakness.

Overcoming the Human Element

All of these statistics and news reports can make securing systems seem like a daunting task. How do we account for the “human element?” We can overcome our employees varied technical abilities (or lack thereof) through security awareness training and periodically testing our end-users. We should always work to mitigate threats with technical controls where applicable but, ultimately, the best technical security solutions are rendered useless if our employees and clients are not informed of the risks and act without an appropriate level of education and healthy skepticism. Conversely, our IT security measures are strengthened when we properly educate our workforce. Training employees to keep security top-of-mind and notify the organization when they see or discover something unusual will help act as another layer of defense against cyber attacks.

Need Help? 

If you have been affected by ransomware or have questions about your cyber-risks, please contact our Technology Services Group and they can help mitigate your risk.  Fill out our contact form or call 800-259-2922.