Companies operating in the digital landscape have suffered major attacks since the internet’s inception. In 2018 alone, malicious hackers stole billions of records belonging to social media and government organizations, and millions more across retail, technology, and other sectors.
So if your business has any digital footprint, are hackers targeting your customers’ sensitive information? The short answer is yes. Certain industries are bigger targets than others, but in today’s cyberspace, no company is beyond the interest or reach of cyber criminals.
That’s why it is vitally important for every company to understand why cyber criminals target different victims, how they carry out attacks, and ultimately, how to defend against potential cyber threats.
Cyber Attacks and Their Targets
No business is immune to cyberattacks, regardless of size, location, or industry.
Banks and Financial Institutions
Financial institutions like banks are among the businesses most frequently targeted by hackers. In 2018, 90% of financial institutions reported being targeted by malware. The reason is obvious: those businesses hold massive databases of customers’ sensitive information, including credit card details, Social Security numbers, and email lists. If you own a financial services business, you should assume you are a prime target for these hostile actors.
Healthcare Institutions
Healthcare institutions have also been increasingly targeted in recent years, most notably by ransomware. A hostile actor encrypts or locks a medical office out of its systems and withholds access until a ransom is paid. Healthcare businesses are especially susceptible to ransomware because the time-sensitive nature of treating patients puts pressure on them to get operations back up as soon as possible.
Another reason they are targeted is that healthcare businesses have historically put little emphasis on cybersecurity: only 16% of healthcare providers report having “fully functional” security programs.
Other Susceptible Companies
Small businesses may seem an unlikely target because they have fewer resources worth stealing, but they are attacked regularly precisely because SMBs generally lack basic cybersecurity controls.
Government agencies, sports teams, celebrities, high-frequency trading institutions, and companies running outmoded legacy IT tools are just a few of the many other entities vulnerable to cyber attacks.
In short, if your company stores, processes, or transmits sensitive information on behalf of your customers, it can and likely will be attacked by hackers looking for this information.
One more sobering fact to consider is that even if you don’t interact with your customers’ sensitive information, you could still be targeted for your employees’ Social Security numbers and other information.
How Do Hackers Carry Out Their Attacks?
The means hackers use to steal information include breaking into networks, guessing or cracking passwords, phishing, and more. They may also install malicious software that silently harvests information from the systems it infects.
If an employee falls for a phishing scam, if your network protection isn’t strong enough to stop malware from infecting your systems, or even if an employee uses an easily guessed password, your data and your customers’ information could be at risk.
With someone’s personal and financial information, a hacker may be able to make purchases, open credit card accounts, commit tax fraud, and worse!
The Impact of a Breach
Globally, business organizations lose roughly 5 million records to bad actors every day as a result of system vulnerabilities or human error. Only a meager 4% of the compromised information is strongly encrypted and therefore useless to the thieves. The rest is stored unencrypted or only weakly protected, so it can be read, sold, or otherwise exploited.
Cyber attacks that result in data breaches often lead organizations and businesses to suffer significant financial and reputational damages. Businesses may lose essential data that takes time and money to be replaced, face legal penalties, and lose customers.
In fact, statistics suggest that a business will lose around 22% of its customers after they are informed of a data breach.
Protecting Against Attacks
There are many opportunities for bolstering your organization’s administrative, procedural, and technical capabilities to ward off these cyber-attacks.
One mistake that some organizations make is taking a narrow, product-centric view of cybersecurity. Without some big-picture guidance, it’s difficult to make sure you’re covering all the bases. With that in mind, it’s helpful to use one of the established cybersecurity frameworks—the NIST Cybersecurity Framework, for example—as a guide for crafting your organization’s information security program. This will help to ensure that you’re considering the big picture and not inadvertently overlooking critical pieces that need to be addressed.
In addition, certain frameworks and standards have been developed for organizations that engage in specific activities. The Payment Card Industry Data Security Standard (PCI DSS), for example, was written for organizations that store, process, or transmit payment card (e.g., credit card) information on behalf of their customers. If you are a merchant of any size accepting payment cards, you must comply with the PCI Security Standards Council’s standards, whose requirements fall into the following areas:
- Building and maintaining a secure network by installing and maintaining firewalls and never relying on vendor-supplied default passwords or settings
- Protecting cardholder data by protecting stored data and encrypting all transmissions of cardholder data across open, public networks
- Maintaining a vulnerability management program by using and regularly updating anti-malware software and developing and maintaining secure systems and applications
- Implementing strong access controls by restricting access to cardholder data to those with a business need to know, assigning a unique ID to each person with access, and restricting physical access to cardholder data
- Regularly monitoring and testing networks, systems, and processes, including tracking all access to network resources and cardholder data
- Maintaining an information security policy that addresses all employees and contractors
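The second bullet (protecting stored cardholder data) and the earlier point that only a small fraction of breached data is strongly protected come down to one design goal: a stolen copy of your database should be worthless. The following is an added illustration written for this article, not Corsica Technologies’ or the PCI SSC’s code. It stores only the last four digits of a card number plus a keyed HMAC token, so a breached table reveals no usable PAN, while the application (which holds the key elsewhere, e.g. in an HSM or key management service) can still look a card up. The helper names and the sample records are constructed for the example; the card numbers are standard test PANs, not real accounts.

```python
"""Render stored card numbers useless to a thief: truncation + keyed hash.

Added example, not the original article's code. An unkeyed hash would NOT be
enough: given a known issuer prefix and the Luhn check digit, the space of
possible PANs is small enough to brute-force, so a plain SHA-256 of the PAN
can be reversed by table lookup. A keyed HMAC removes that attack as long as
the key is stored separately from the database.
"""
import hashlib
import hmac
import json
import secrets


def normalize_pan(raw_pan: str) -> str:
    """Strip common separators and reject anything that is not 13-19 digits."""
    cleaned = raw_pan.replace(" ", "").replace("-", "")
    if not cleaned.isdigit():
        raise ValueError("PAN contains non-digit characters")
    if not 13 <= len(cleaned) <= 19:
        raise ValueError("PAN length out of range")
    return cleaned


def luhn_valid(pan: str) -> bool:
    """Luhn check digit validation over a digit-only PAN."""
    total = 0
    parity = len(pan) % 2
    for i, ch in enumerate(pan):
        d = int(ch)
        if i % 2 == parity:      # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def pan_token(pan: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of the PAN; without `key` the token cannot be rebuilt."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def store_card(customer_id: str, raw_pan: str, key: bytes) -> dict:
    """Build the record that actually goes in the database: no full PAN."""
    pan = normalize_pan(raw_pan)
    if not luhn_valid(pan):
        raise ValueError("PAN fails Luhn check")
    return {
        "customer_id": customer_id,
        "pan_last4": pan[-4:],           # enough for receipts and support calls
        "pan_token": pan_token(pan, key),  # enough for duplicate/lookup checks
    }


def find_by_pan(records: list, raw_pan: str, key: bytes) -> list:
    """Look up stored records for a card without ever storing the card itself."""
    token = pan_token(normalize_pan(raw_pan), key)
    return [r for r in records if hmac.compare_digest(r["pan_token"], token)]


def breach_exposes_pan(records: list, raw_pans: list) -> bool:
    """Simulate a dumped table: does any full PAN appear in the serialized data?"""
    dump = json.dumps(records)
    return any(normalize_pan(p) in dump for p in raw_pans)


if __name__ == "__main__":
    # In production the key lives in a KMS/HSM, never next to the records.
    key = secrets.token_bytes(32)
    sample_pans = ["4111 1111 1111 1111", "4242-4242-4242-4242"]  # test PANs
    table = [store_card(f"cust-{i}", p, key) for i, p in enumerate(sample_pans)]
    print(json.dumps(table, indent=2))
    print("full PAN exposed in dump:", breach_exposes_pan(table, sample_pans))
    print("lookup hits:", len(find_by_pan(table, "4242424242424242", key)))
```

The Luhn check is there to reject typos before a token is minted, not as a security control; the security comes from never writing the PAN and from keeping the HMAC key out of the database tier, so that a stolen table plus a stolen key are two separate breaches.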
PCI DSS compliance is an ongoing process. As customers and technologies change, you need to constantly ensure that your systems are secure and that your customers can trust you.
Corsica Technologies can help with PCI DSS compliance assessments, as well as other compliance assessments, including CJIS audit preparation, HIPAA, SHIELD, CMMC, and DFARS. Contact us today to protect your customers’ sensitive information.
Ross is the CISO at Corsica Technologies. He holds CCIE Security and CISSP certifications and an MBA from the University of Notre Dame, and has 20 years of experience in computer and network security engineering and consulting. Ross provides virtual CISO services for clients and helps them identify information security risks and implement administrative, procedural, and technical controls to mitigate them. He works effectively with both technical and managerial personnel and is a trusted resource for our clients.