Skip to main content
General

Which Industries Are the Biggest Security Targets?

By August 16, 2020No Comments

How is your industry faring in the cyberwar we all seem to find ourselves in? Are you wondering, which industries are the biggest security targets? Well, if you are in the healthcare, manufacturing, education, financial services industry, or a government agency, it’s not so good, we’re sad to report. For example, this comes from statista.com and is seconded by infosecinstitute.com who say: ‘security awareness is an on-going program for all organizations who wish to maintain a high level of security in their processes.’

Industries such as the ones listed above provide target-rich environments with potentially devastating ripple effects if adversaries win. In view of this, how do we combat cyber threats and keep ourselves, our industries, and our companies safe? The answer is more of a re-juggle of current priorities than a newly conceived cure-all.

Which Industries Are the Biggest Security Targets?
The Problems We Face

Business and security leaders the world over face the same dilemma: as they increase investment in sophisticated security, cybercrime continues to rise.

In fact, 95% of attacks on business networks are the result of successful spear phishing, according to SANS, as reported by Security Intelligence. This upward trend continues. In addition, according to Avanan’s phishing statistics, 1 in every 99 emails is a phishing attack. So, this means that 4.8 emails received, per employee, in a five-day work week is a phish. Our collective minds just exploded.

Working against phishing then, it would seem, should be a top priority for most–if not all–industries and their comprising businesses. But alas, we live in a world whereby complexity is seen as clarity and doubles up as a selling-point. Companies the globe over are implementing feature-rich, utility-poor defenses that miss the mark on a basic level, therefore failing by virtue. Avoiding solutions that cause more disruption than the problem, should always be a basic principle to adhere to.

The Common Denominator

So, what is the basic concept that we shall henceforth tout as the ‘cyber savior’? Man-alive and by jove, what do you know, this blogpost may just have the answer…

*Drum roll*
*Continuing drumroll*
*Drumroll nears end…*

People. The training of people and the implementation of agile process. In other words: institutionalize security awareness. Make it part of your culture.

This often-overlooked base layer of security, when implemented well, can greatly reduce the probability of a successful attack in many of the cases history provides us. It will likely help deter the types of attacks we’ll continue to see. Security awareness training and frequent simulated social engineering testing is a base layer defense. It is simple and it is effective. ‘Cause and effect’ become ‘test and defend’. I know what you’re all thinking: “Here comes the sell!” But, no. It’s but a statement that all of us at SECOM hopes does not fall on deaf… eyes(?). The greatest security weakness, which is unarguably people, can transform to become security’s biggest proponent and defender. That being said, we do offer training on this. Its results driven and time effective.

A Formula

A solution for the problem, holistically, does exist though: People can only be the defense if they are privy to the landscape and armed with the right defensive strategies. The landscape must not outgrow the strategies and the strategies must not needlessly outperform the landscape. In other words, it’s a balance. Over-performing for the sake of performance can easily turn into security by theatrics. And you’ve just given your adversaries indication and insight into your organization’s war plan.

Defense from Formula: Create a Threat-aware Workforce

All of this provides a nice segue into what we can actually do to defend our companies and ourselves in the age of cyber warfare: while it’s true that cybercrime continues to rise as investment in cyber security defenses increases, the advantage under the approach outlined here, shifts toward defense. It’s no secret that defending is more expensive than attacking, but the best approach isn’t the counterpunch; it’s the building of resilience. We believe that resilience is people-centric:

  • Test;
  • Determine points of weakness;
  • Train and build processes;
  • Rinse and repeat.

Doing so won’t prevent attacks, however it can minimize their damage resulting in lesser injury and it results in a good foundation from which to grow. It is also true that defenders are being challenged to a far greater degree than ever before which is in part due to these sparse by volume, but material factors:

  • ever-increasing numbers of internet-connected devices used
  • singularly high levels of information-sharing online
  • the advancement of cyber-criminals

Investing in People

While a defender has to find and plug all security holes, an attacker need only find one. Low cost tools that can be used for good, but are transformed into the instrument of the enemy ensure success comes often to an attacker. Staying secure is, therefore, not easy. But, again, the light can meet the dark and slowly outshine it with one fundamental step: investing in people.

To invest in people, you first must know their weaknesses as a whole. Physical testing in conjunction with social engineering is not superfluous; it’s basic. Testing people to ascertain the likelihood of them inadvertently aid phishing attempts (see this post on how good phishing programs should be executed) is not surplus to security; it’s where security starts. There’s no use having an ultra, all-the-trimmings, all-the-tech, all-the-features security perimeter if one person can reduce it to ashes with one, single click.

The Takeaway!

In summary, feature-rich utility-poor = bad; additive simplicity through training and process = good.

Fight the good fight. Keep your defenses tight. If people really are the weakest link and can undo the most expensive and expansive security measures in just a click, it stands to reason they require the most focus to facilitate progress.

Sources:
https://www.sans.org/reading-room/whitepapers/threats/paper/37910
https://www.avanan.com/global-phish-report
https://www.statista.com/statistics/273572/number-of-data-breaches-in-the-united-states-by-business/

Image:
https://unsplash.com/@jcgellidon

Tags:

Security Assessment Case Study
Learn more about the importance of a Social Engineering Risk Assessment.
Download Now
Security Assessment Case Study
Learn more about the importance of a Social Engineering Risk Assessment.
Download Now
What Makes Us Different
At Social-Engineer, we pride ourselves on what we do and how we do it. We are a security services provider, focusing on four primary attack vectors. This case study will go through how we can protect your company and what makes us different.
Download Now
What Makes Us Different
At Social-Engineer, we pride ourselves on what we do and how we do it. We are a security services provider, focusing on four primary attack vectors. This case study will go through how we can protect your company and what makes us different.
Download Now
Woman vs Machine
Technology is providing new, more innovative ways to enhance our world. Scientists are constantly developing smarter, faster and more intelligent machines, systems and robots. There is no doubt that each of these has evolved beyond their clockwork origins.
Download Now
Woman vs Machine
Technology is providing new, more innovative ways to enhance our world. Scientists are constantly developing smarter, faster and more intelligent machines, systems and robots. There is no doubt that each of these has evolved beyond their clockwork origins.
Download Now
Vishing and Phishing Must Be Ongoing to Be Effective
Most companies have a security awareness program in one form or another. If they don’t, it should be on the short list of programs to start as soon as possible. In our experience, many of these programs take the form of computer-based training.
Download Now
Vishing and Phishing Must Be Ongoing to Be Effective
Most companies have a security awareness program in one form or another. If they don’t, it should be on the short list of programs to start as soon as possible. In our experience, many of these programs take the form of computer-based training.
Download Now
A Case Study in Vishing
Vishing (voice-based phishing) has been a problem for quite a long time. There are many vendors in the marketplace that offer vishing services. However they tend to use robo-callers or call centers for large volume engagements. If they are using trained humans to make calls, it is likely in very low numbers.
Download Now
A Case Study in Vishing
Vishing (voice-based phishing) has been a problem for quite a long time. There are many vendors in the marketplace that offer vishing services. However they tend to use robo-callers or call centers for large volume engagements. If they are using trained humans to make calls, it is likely in very low numbers.
Download Now
Benefits of a Social-Engineering Risk Assessment Engagement
Your company is important. Indeed, the data you hold for your clients or employees is very valuable and attackers seek to capitalize on that data any way they can. This is where a Social Engineering Risk Assessment (SERA) engagement can help uncover possible vulnerability to attackers.
Download Now
Benefits of a Social-Engineering Risk Assessment Engagement
Your company is important. Indeed, the data you hold for your clients or employees is very valuable and attackers seek to capitalize on that data any way they can. This is where a Social Engineering Risk Assessment (SERA) engagement can help uncover possible vulnerability to attackers.
Download Now
The Business Value of the Social-Engineer Phishing Service
Cybercriminals are targeting the human element of organizations. Additionally, they are developing techniques to use an organization’s employees as the first point of entry. According to the 2021 Verizon DBIR report, of the 3,841 security breaches reported using social engineering, phishing was the key vector for over 80% of them.
Download Now
The Business Value of the Social-Engineer Phishing Service
Cybercriminals are targeting the human element of organizations. Additionally, they are developing techniques to use an organization’s employees as the first point of entry. According to the 2021 Verizon DBIR report, of the 3,841 security breaches reported using social engineering, phishing was the key vector for over 80% of them.
Download Now