Mapping cyber risk across different sectors

Cybersecurity is a concern for organizations of all types, but each vertical sector has its unique security challenges. The Orange Cyberdefense Security Navigator 2021 report highlights some of these by identifying differences in security incidents across various industry sectors.

Threat watchers often see specific campaigns targeting key verticals. Sometimes these elevated threats stem from changing business conditions. For example, in May 2020, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), along with the UK's National Cyber Security Centre, warned of targeted attacks against healthcare and essential services that were already under pressure as they struggled to cope with the immediate effects of the COVID-19 pandemic.

While many sectors covered in our report experienced a relatively even distribution of security incident types, confirmed security incidents in healthcare were heavily biased towards network and application incidents. These are suspicious incidents stemming from events such as unexpected tunneling sessions or alerts from intrusion detection and prevention systems.

Healthcare providers also suffered a high proportion of incidents relating to unauthorized information disclosure, especially worrying given the highly sensitive nature of this data and the heavy regulations that apply to this sector.

A financial phishing spree

Finance and manufacturing were also areas of particular interest in our report. Finance experienced a higher rate of social engineering than most other verticals at 11% of all incidents for this sector. This high figure is due in part to a special effort among financial services companies to detect this type of incident. They use advanced, sensitive mechanisms to spot social engineering attacks, giving us high visibility into those incidents.

According to Orange Cyberdefense data, the finance sector seemed especially appealing to phishing attackers, and we saw this reflected in industry events and advisories. For example, in May 2020, broker-dealer regulator FINRA warned members of a widespread phishing campaign using a domain that contains the FINRA name but which was unrelated to the organization. It distributed malicious PDF files and used bogus websites that collected victims' passwords.

Finance also suffered the most denial of service (DoS) attacks, although overall rates of these incidents across all sectors were relatively low.

Manufacturing grapples with technological changes

Malware represented 20% of security incidents in finance, but the manufacturing sector beat it with 27%, making it the third-heaviest sufferer of malware attacks. Ransomware has hit the manufacturing sector hard, most notably affecting Norsk Hydro in December 2019. Garmin, Jack Daniel's manufacturer Brown-Forman, and notebook vendor Compal all suffered highly public attacks this year.

Manufacturing also detected the third-highest rate of system anomalies, at 11%. These are suspicious events relating directly to the operating system and other components it depends on, like hardware drivers. At 10%, manufacturing also represented the third-highest number of policy-related incidents, which include violations like installing unsupported software or connecting an unauthorized device to the network.

This relative prominence of device and operating system-related events reflects some of the challenges facing the manufacturing sector. With the rise of internet-connected automation in manufacturing, manufacturers must deal with profound technology changes. They must connect more legacy systems like industrial process controllers and manufacturing equipment systems, known as operational technology (OT), to administrative IT networks.

The cadence of firmware patches in the OT world has been far slower historically than the rate of patches in IT networks, and manufacturers must resolve the difference in approaches between these two technology realms. This challenge leaves 87% of manufacturers concerned about unauthorized access, warned the Manufacturers Alliance for Productivity and Innovation (MAPI).

Education, real estate, and retail suffer

Other sectors saw confirmed security incidents focusing on different areas. Education joined healthcare in recording a disproportionate amount of network and application incidents. This industry recorded a high proportion of suspicious outbound connections that could indicate infected machines. Other organizations have seen a marked rise in attacks against education providers. The UK's National Cyber Security Centre even issued an alert about a spate of ransomware attacks on UK academia during the summer.

Accommodation complemented its lead in the proportion of social engineering incidents with the highest relative level of malware, comprising 41% of all incidents. This may be because the two things are linked. Social engineering via phishing is a common way for attackers to get their malicious software onto victims' systems.

Real estate was proportionally the next hardest hit by malware attacks after accommodation, making up 28% of its security incidents. This sector bucked the trend, reporting far fewer application-related incidents than almost all other sectors, at just 11%, but also detecting far more system-related incidents than any other sector at 31%.

Malware also featured heavily in the retail and trade sector, comprising 23% of incidents. This incident category has historically been a problem both for bricks-and-mortar stores and for online operations. Physical outlets' point-of-sale terminals have been compromised in the past, and more recently, groups such as Magecart have been found compromising ecommerce websites to insert malicious code that steals customer credit card details.

Accommodation and food services led in terms of account-related incidents, which made up 26% of this sector's incidents. Real estate, along with professional, scientific, and technical services, ranked joint second among those suffering these kinds of incidents, which are typified by credential stuffing and brute-force attacks.

Professional services also came joint third in social engineering incidents, which are closely linked to account anomalies. This sector is particularly vulnerable to attack because some of its companies are rich feeding grounds for attackers. Legal companies, for example, deal with sensitive documents relating to multiple clients, making them attractive targets. The UK's National Cyber Security Centre has warned about the dangers facing this particular community.

Tackling sector-specific cybersecurity issues

Our report's figures identify occurrence rates across different incident types, but verticals with high incident rates are not necessarily more vulnerable to them. Instead, a high incident rate could mean that a sector is better equipped to detect these kinds of incidents and therefore to deal with them.

Conversely, just because we see lower rates of an incident in a sector, it doesn’t follow that those incidents aren’t happening. It can simply mean that the sector isn’t as adept at detecting them. In these cases, we can often infer one kind of incident from high rates of another. For example, in a sector that doesn’t exhibit lots of social engineering incidents, a high level of malware infections might point to undetected phishing attacks used to place the malware within the perimeter.

All business sectors face their own specific mix of threats and cyber risks, so each industry requires its own specific set of solutions. Being aware of the most frequently observed incidents is a good idea, but the highest volume does not automatically indicate the biggest threat to the business. To evaluate how a security budget is most wisely spent, one has to look deeper than industry averages. We recommend that you get professional advice specific to your individual business.

Copyright © 2021 IDG Communications, Inc.