Healthcare was the most frequently targeted industry for cyber attacks in 2015, with the highest security incident rate, surpassing financial services and manufacturing, according to a new IBM Security Services report.
2015 was also a watershed year for healthcare information security due to another sobering fact—five of the eight largest healthcare security breaches since the beginning of 2010, those with more than one million records reportedly compromised, took place during the first six months of 2015, the report states. More than 100 million healthcare records were reportedly compromised last year.
“Packed with a wealth of exploitable information, electronic health records fetch a high price on the black market. They typically contain credit card data, email addresses, social security numbers, employment information and medical history records—much of which will remain valid for years, if not decades. Cyber thieves are using that data to launch spear phishing attacks, commit fraud and steal medical identities,” the report authors wrote.
IBM Security Services’ 2016 Cyber Security Intelligence Index report provides an overview of the threat landscape, including the type and volume of cyber attacks, which industries are most affected and factors enabling attackers.
Authored by members of the IBM X-Force research team, Nicholas Bradley, Michelle Alvarez, David McMillen and Scott Craig, the report is the result of IBM X-Force researchers analyzing cyber attack and incident data from IBM’s worldwide security services operations across more than 1,000 client organizations in 100 countries.
The same research team in last year’s report coined 2015 “the year of the healthcare breach,” and it proved to be accurate. The fact that healthcare shot straight up to the top spot in the security incident rankings in 2015 is noteworthy given that the industry wasn’t even in the top five in 2014.
In 2015, the average client organization monitored by IBM Security Services experienced approximately 53 million security events annually, 35 percent fewer events than clients experienced in 2014. And, the average client company experienced 1,157 attacks in 2015, down from 12,017 in 2014. However, according to report authors, that reflects “specific and continually optimized policy tuning on the part of security analysts” and the authors noted that the vast majority of security events can actually be designated as “noise” or extremely low priority traffic.
The average client company experienced 178 security incidents in 2015, up 64 percent from the 109 that were discovered in 2014.
Nearly half of security incidents in 2015 across all industries were the result of unauthorized access. Research data indicates that a vulnerability known as Shellshock was behind last year’s surge in unauthorized access attacks. In the report, unauthorized access attacks are defined as various types of attempts to break into a network, a server or a database, such as exploiting a vulnerability to inject command code into software, exploiting a backdoor or bombarding a system with random passwords in hopes that one will work.
According to the IBM X-Force research report, 60 percent of all attackers were carried out by “insiders,” or those with insider access to organizations’ systems, up from 55 percent in 2014. However, in this report, “insiders” included malicious insiders as well as inadvertent actors. An inadvertent actor might be someone who is duped in a phishing scam or lured into opening a malware-laden email attachment.
“Although the insider is often an employee of the company, he or she could also be a third party. That includes business partners, clients or maintenance contractors, for example. They’re individuals you trust enough to allow them access to your systems,” the authors wrote.
On a positive note, in 2015, the number of attacks carried out by inadvertent actors (one-third of the 60 percent of insiders) dropped from 2014 (one-half of insiders were inadvertent actors). The report authors note that a reduction in the number of attacks attributed to inadvertent actors could mean that “more organizations are implementing security policies and employee education—and that they’re doing a better job of communicating what’s expected and why it’s important.”
The report authors note that security leaders are realizing that neither “checking the box” to address compliance requirements, nor conducting annual penetration testing and incident response exercises are by themselves sufficient approaches. “Today’s CISOs and security leaders are now looking for fundamental ways to influence and improve both their own programs and established best practices—because they know that simply being compliant isn’t acceptable for a well-governed organization.”
The report also outlines a number of steps organizations should take to develop a strategic cyber security strategy program, beginning with prioritizing business objectives and setting the organization’s risk tolerance.
Information security leaders also should protect their organizations with a proactive security plan, which requires both technology and policy. Along with protection, security leaders and CISOs also should prepare a response to the inevitable, a sophisticated attack. “With the constant evolution of advanced persistent threats—and a growing presence of hackers intent on finding a vulnerability—it’s fairly certain that your organization may eventually fall victim to a data breach. Having a coordinated and tested incident response plan is critical at a time like this, as is access to the right resources and skills,” the report authors wrote.
In addition, security leaders should promote and support a culture of security awareness.