Reports about large-scale cyber attacks have been peppering our nightly news shows and social media newsfeeds for years now—we’ve heard about retail chain after retail chain falling victim to hacking, coveted hospital information being held for ransom, entertainment industry data breaches leaking spoilers of today’s top shows and even alleged election-related hacks. As a result, information security analyst jobs have seen rapid growth, with the Bureau of Labor Statistics projecting an 18 percent hike in employment by 2024.
In our digitally advanced age, it almost seems that it should be commonplace for organizations to implement the most reliable security measures when it comes to coveted web-based data. But that’s not always the case. “Anyone accepting information online is at a huge risk,” reveals Matt Ferderer, consultant and freelance web developer. “It’s rare for even the top websites to properly set up HTTPS, which is the bare minimum in having a secure website.”
Ferderer goes on to explain that this risk alone can mean that anyone using the same network as you—such as in a café, or at a school, hotel or airport—can intercept and modify any data you transmit or receive from a website. “We’re still in the Wild West of the internet,” he says.
Whether you’re worried about the safety of information sharing within your specific industry, interested in learning which fields may become hotspots for cyber security jobs or you’re simply curious about the general state of things, it’s helpful to know which industries currently face the highest risk of falling victim to cyber attacks. We canvassed a panel of IT experts to get their take on this. Take a look at what they had to say.
4 Industries that are most vulnerable to cyber attacks
“The multi-million dollar ransomware industry has grown and will continue to grow with amazing speed in the years to come,” explains Adnan Raja, vice president of marketing for the web hosting service Atlantic.net. “This is, in part, thanks to the spread of untraceable cryptocurrency, such as Bitcoin, and the proliferation of ransomware kits on the dark web.” The latter, he adds, allows just about anyone with little-to-no programming skills to orchestrate and reap the financial rewards of ransomware attacks.
The truth is most hackers focus less on targeting specific industries and more on locating vulnerabilities that will allow them to easily receive their sought-after data. “Threat actors use tools they are comfortable with to go after data they know how to monetize. They do this in order to minimize the risk of being discovered while maximizing the likelihood of a return on their activities,” says Chadd Carr, chief technology officer and global lead for innovation and strategy at 6massive Holdings, LLP.
As the founding director of PricewaterhouseCoopers’ National Cyber Threat Research Center, and former special agent and computer crime investigator with the Air Force Office of Special Investigations, Carr has ample experience in cyber security, computer forensics and just about every aspect of information security and intelligence. This has brought him to various conclusions about the nature of cyber attackers, including the following: “They tend to be industry agnostic, gravitating instead toward areas vulnerable to their desired tool set (malware of preference) and abundant with data they seek.”
That being said, there are some industries that will find themselves more at risk than others. The following are some of the top targets:
“Ransomware is increasingly targeting organizations within the healthcare industry,” Raja asserts. “These organizations often have thousands or even tens of thousands of gigabytes of patient data they cannot afford to lose. This makes them all the more willing to pay handsomely to get their data back at any cost.”
The sheer volume of healthcare data breaches from 2016 supports this claim, with at least one breach having occurred every single day. This resulted in more than 27 million patient records being affected. In fact, the dark web became so saturated with patient records during this time that the price per record actually dropped significantly.
In addition to harboring coveted patient data, it’s also true that healthcare facilities aren’t always equipped to ward off such attacks, increasing their vulnerability even further.
“Cost-cutting measures have left many healthcare institutions relying on legacy hardware, software or operating systems with unpatched vulnerabilities ripe for exploitation,” explains Brad Shaw, president and CEO of Dallas Website Design.
The healthcare industry is also a likely candidate for another very prominent reason. “It is still transitioning from paper to digital records,” offers Alayna Pehrson, digital marketing strategist at BestCompany.com. “Cyber security is lacking in this field due to healthcare’s short-term digital presence.”
2. Higher education
The higher education industry is another mecca of personal data hackers are eager to get their hands on. From Social Security numbers, addresses and potential password information to loan and bank credentials, attacks on colleges and universities are becoming more and more common.
In 2015, for example, 1.35 million identities were exposed to higher education cyber attacks. A glance at the decade prior reveals that higher education was actually the industry sector with the highest number of breaches, with a total of 539 breaches involving nearly 13 million records.
Higher education institutions are a near-ideal target for attackers, Pehrson explains, due to the sheer amount of information they store on each student and parent associated with the school.
Consider some of the most recent high-profile cyber attacks within this industry:
- In July 2015, Harvard University revealed information regarding a data breach that impacted at least eight of its colleges and administrative offices.
- In May 2015, Penn State informed the public of two distinct breaches of its computer system, which compromised the information of at least 18,000 people.
- In March 2014, the personal information of nearly 300,000 past and present students of the North Dakota University System was hacked, resulting in compromised names and Social Security numbers.
- In February 2014, the University of Maryland experienced a massive data breach that impacted a database containing the personal information of every student to attend the school since 1998.
- Also in February 2014, the Social Security numbers and addresses of 146,000 current and former students of the University of Indiana were compromised in an attack.
While improvements are actively being made to better equip the higher education industry to ward off such breaches of data, the computer systems operated by colleges and universities are designed to embrace access with minimum security interference for ease of use for students and parents. It’s also true that top-of-the-line cyber protection can be extremely expensive—something not all institutions have the budget for.
“The energy industry is one of the largest industries at risk of cyber attacks,” Ferderer offers, explaining that they usually have equipment that is separated by miles of empty space. “Hackers can try to tap into energy networks by driving near them, or even from far away.”
Take, for example, the recent instance in which researchers from the University of Tulsa discovered just how easy it is to hack an entire farm of wind turbines. All it took was less than a minute of lock-picking on one unsupervised turbine’s door to gain access to the unsecured server closet within.
From there, the researchers could drive away into the miles of uninhabited, rural fields and use their laptops—which they’d connected to via the server of that singular turbine—to instantly access a list of IP addresses representing every single networked turbine in the field. A simple pick of a lock and some inexpensive equipment was all it took to gain access to networks that would allow them to send commands to entire wind turbine networks, an increasingly popular form of American energy production.
In other instances, hackers can cause widespread power outages to undermine critical defense infrastructure, risking the health and safety of millions of citizens at a time. Some reported breaches have even targeted natural gas pipeline companies in both the U.S. and Canada that manage more than half of all pipelines available in the Western hemisphere.
“The electric power grid and power generation facilities—[including] nuclear power plants—are controlled by technology and communication systems that could be disrupted, hacked or controlled in a cyber attack,” explains Maria Santagati, founder and CEO of Stratball.
The energy sector plays a crucial role in the functioning of a modern economy. When compromised, citizens’ personal data may not be at risk, but the state of our economy is put in grave danger.
4. Small businesses
Many small business owners do not take cyber security nearly as seriously as they should.
“Most large corporations have the infrastructure in place to thwart cyber attacks,” explains Gene Caballero, co-founder of GreenPal. “Small-scale companies either don’t have the proper resources or simply don’t believe they are at risk when it comes to cyber attacks.”
In his time selling security software at a Fortune 50 tech company, Caballero saw far more small businesses get attacked from smaller amounts of ransomware than large corporations.
The statistics support Caballero’s experience. In early 2017, it was reported that approximately 14 million small businesses had been hacked over the preceding 12 months. About half of today’s cyber attacks actually target small businesses—these attacks may not make national headlines, but hackers know a few things to be true: Small businesses are ripe with valuable data, they are less likely to have strict security measures in place and their owners are more likely to pay ransoms to restore their critical data.
It’s also true that it is much more difficult for small businesses to recover from cyber attacks than it is for larger corporations. About 60 percent of small businesses that fall victim to attacks go out of business within six months.
With that in mind, the best thing to do is protect your business before an attack occurs. Cyber security pros suggest performing regular software updates as a general first step. If possible, it’s also smart to enable two-factor authentication, perform regular backups of company data, create strong passwords that you change every couple of months and maintain quality antivirus software on all company computers.
What can you do to improve cyber security across industries?
As has been made clear by the testimony of our web experts, virtually every industry faces some level of risk when it comes to cyber attacks. This live attack tracker from FireEye does an excellent job of showing the very real and consistent number of attacks being launched every day.
If your interest has been piqued by learning more about the size of this worldwide cyber security problem, you may be curious to learn more about how you can put that interest into action. Learn more about the exciting career opportunities to help combat cyber attacks in our article, “Information Security Careers: Become the Next Cyber Superhero."