Cyberattacks are often motivated by the desire to steal and sell sensitive data, such as credit card and financial records, personally identifiable information (PII) including social security numbers, or protected health information (PHI). Once obtained, this data can be readily sold on the dark web to be used in fraudulent transactions, or for illegal activities such as credential stuffing attacks.
In addition to financially motivated attacks, we’re also seeing the rise of disruptive attacks. In many cases, the goal of these attacks was nothing more than the disruption of normal operations along with resulting brand equity damage and loss of public trust. Most alarming is the potential loss of life and public safety if critical services are disrupted. Healthcare, financial services, and retail are often the targets of disruptive attacks due to the high-value data they store and their critical economic and public safety roles.
Growing Threats to Healthcare, Financial Services, and Retail
The massive growth in interconnected devices, systems and networks driven by digital transformation and the resulting expansion of the attack surface is making it even more difficult to detect and mitigate disruptive attacks against critical national infrastructure organizations. The risk is that traditional, bolt-on security implementations and the resulting accidental architecture is simply incapable of detecting and mitigating campaigns of targeted attacks.
Higher levels of complexity and the lack of integrated, built-to-purpose security is compounded by the ease of access to a wide range of cyber weapons and threat services. Indeed, the rise of efficient, highly sophisticated dark web markets has significantly reduced barriers-of-entry for cybercrime. Threat actors are leveraging the same data analytics, artificial intelligence, and machine learning used by legitimate organizations to develop and launch ever more effective attacks and campaigns. In our recent Threat Landscape Report for Q2 of 2018, exploit detections per firm nearly tripled, unique exploit detections grew another 9 percent, and an alarming 96 percent of companies saw a severe exploit. This research also shows that rwhile ansomware and IoT vulnerabilities remain major threats, cryptojacking is emerging a serious threat vector.
Minimizing Risk Through Regulations
As a response to the growth of sophisticated threats, regulatory bodies have issued guidelines and standards to ensure necessary cybersecurity processes and controls are in place across the healthcare, financial services, and retail industries to minimize the impact of an attack. To ensure compliance with these various regulations, organizations must build out the technical infrastructure required to secure data, as well as the processes to report on compliance status.
- NIST Cybersecurity Framework
The recently updated NIST Cybersecurity Framework is a collaborative effort between the US government and private sector organizations to provide cybersecurity best practices along with a framework for managing risk. It’s predicted that 50 percent of U.S. organizations will use this framework by 2020, including those in healthcare, retail, financial services, and all sectors of critical national infrastructure.
Organizations are able to tailor this framework to meet their specific business and security needs. It is made up of five core functions that help organizations establish a cybersecurity strategy. Next, the framework establishes the processes and controls necessary to manage and mitigate cyber risks. Finally, based on this information, the framework profile assists organizations with identifying where cybersecurity must be improved upon, as well as how to prioritize those initiatives. The most recent version of the framework also includes updated recommendations surrounding authentication, cyber risk assessments, and vulnerability disclosures.
While the NIST Cybersecurity Framework is applicable in a broad range of public and private organizations, there are also regulations for specific industries.
Healthcare providers are bound by the Healthcare Information Portability and Accountability Act (HIPAA) to take measures that protect the PHI of patients. Specific to protection against cyberattacks, the Security Rule outlines standards to protect electronic PHI through operational and technical controls that enforce patient confidentiality. Healthcare organizations must be able to demonstrate HIPAA compliance to avoid fines as well as potential legal action in the event of a breach.
While HIPAA is considered the primary regulation in the space, several new healthcare guidelines and regulations have also been recently introduced by Congress and the FDA, including the Internet of Medical Things Resilience Partnership Act and the Medical Device Cybersecurity Act of 2017.
- Financial Services
The financial services sector is subject to several regulations and guidelines from the Financial Industry Regulatory Authority (FINRA) that require written policies and procedures be submitted regarding the protection of consumer information from cyberattacks. These regulations also outline rules for the detection and mitigation of threats that can compromise consumer identities.
More recently, financial services firms are being regulated at the state level. For example, firms in New York must now comply with the 23 NYCRR 500 cybersecurity regulation issued by the Department of Financial Services. This requires banks to have a thorough cybersecurity plan and enforces the disclosure of cyber incidents within 72 hours.
Since the financial industry is recognized as a critical infrastructure around the world, there have also been multiple developments in the global regulation of financial cybersecurity.
The retail industry is largely targeted for the consumer credit card data it stores. As a result, retailers must adhere to PCI DSS – The Payment Card Industry Data Security Standard. These standards provide guidance on how to store and transmit payment information to minimize the risk of data breach and fraud.
To keep data secure and maintain compliance, organizations in these industries must deploy security controls that meet regulatory requirements, as well as generate compliance reports that prove adherence.
Cybercrime, like all crime, happens because it pays, and those rewards, whether monetary, political, or social media notoriety are growing. With the risk of ever greater financial losses and public safety damage, organizations should undertake the holistic security approaches outlined in a variety of industry standards and regulations. Irrespective of which risk management strategy or security control is implemented, the key is to use an integrated and automated security architecture with deep visibility and control that can also operate at speed and scale. Current network ecosystems stretching from the IoT edge, across enterprise networks, and out to multiple cloud service providers are far too distributed for traditional manual prevention, detection, and response solutions.
In addition, the explosion in the number of connected devices, platforms, and systems means that manual asset and vulnerability managemet are no longer adequate. It’s increasingly clear that the velocity, variety, and complexity of cyber attacks requires organizations to implement integrated and interactive security fabrics that can adapt to rapid network change, keep pace with today’s threat actors, and also demonstrate compliance with industry and legal requirements. It should also be noted that compliance alone is no longer an effective security approach. Indeed, the new series of standards and regulations require organizations to demonstrate a reasonable level of due care in implementing solutions and controls to detect and mitigate threats. Security fabrics designed around integrated devices that collect and share data in conjuction with best-in-class intelligence to enable automated detection and response is a practical approach for today’s most challenging cyber threats.