Data breaches are costly for any type of business. For smaller enterprises especially, a data breach can cause a company to go out of business entirely. Among industries, the healthcare industry is by far the leading sector targeted by hackers.
We don’t have to look far to know that this is true. WannaCry, Petya, and NotPetya all had devastating impacts on the healthcare industry, infecting computers and medical devices around the world.
But where do other industries fall in terms of cost? A report from IBM shows that the most costly data breaches (per-record cost) are in health ($380), financial ($245), services ($223), education ($200), and life science ($188) industries.
This blog post will investigate why these industries have the most costly data breaches.
As mentioned, healthcare is by far the most targeted by hackers. It yields the most profit in many cases. Malicious actors can use healthcare data to create fake IDs to buy medical equipment or drugs that can be resold, or they can combine a patient number with a false provider number and file made-up claims with insurers. Medical identity theft is often not immediately detected by a patient or a healthcare provider, giving hackers years to use the data fraudulently. That makes medical data more valuable than credit cards, which can be frozen once fraud is detected, or passwords, which can be changed quickly. Finally, hospitals rely heavily on healthcare applications and network connectivity, so if hackers successfully lock down computer systems with ransomware, these organizations are more willing to pay up. During the COVID-19 pandemic, this has continued to be a major issue for the healthcare industry.
The financial industry consists of a wide range of services like retail banking, insurance, investment management, brokerage, and payment processing. The financial industry opens up many possibilities for hackers to steal data, such as usernames and passwords, that allow them to withdraw money, open lines of credit, commit online fraud by imitating a legal entity, and more. Unlike those who target healthcare organizations, hackers who target financial organizations cut an intermediary step, going instead straight to the source to make monetary gains instantly.
Transactions are made every day, so it’s become easier for hackers to infiltrate POS (point-of-sale) systems to gain access to cardholder information and other sensitive information. Buyers who are on the web face even more risks. Online shopping has made it easy for fraudsters to target the services industry. Fortunately, in many cases, consumers have fraud alerts set up on their cards and can easily freeze their cards. Finally, many online users who are cyber aware now have the habit of checking their online accounts for suspicious activity, so the cost per record is less than in healthcare and financial organizations.
According to the FTC (Federal Trade Commission), one of the top complaints that organizations receive is identity theft. Because higher education institutions function semi-autonomously, their databases contain an attractive range of PII (personally identifiable information), like social security numbers and healthcare records of students, alumni, staff, and administrators, which can be used to commit identity theft. In some cases, the information extracted by hackers is valuable enough to be sold on the dark web. Educational institutions vary in size, but some may be holding millions of PII records, making them an attractive target for hackers. The education sector has also seen a rise in cyberattacks during the COVID-19 pandemic. (Check out our checklist for secure access tips!)
Sensitive information is always enticing to hackers. However, sensitive information doesn’t always have to be in the form of PII like social security numbers or home addresses. For example, biotech and pharmaceutical firms hold valuable data that is highly sensitive and perhaps not meant to be shared with the public. This can include data relating to clinical trials, corporate know-how, drug pricing, and other information, which many would deem “valuable.” In some cases, this data could be sold on the dark web, where hackers could monetize advanced information by translating it into gains on the stock market.
The last few years have seen at least five mega-breaches, and the cost per record can vary between industries. Hackers see the potential in this and are driven by how lucrative the data is to try to sell it on the dark web. Hackers’ motivations may not always be transparent, but targeting organizations with the most profitable data seems to be an evident pattern. What other industries do you think might eventually make their way to this list?