IBM Security’s annual X-Force Threat Intelligence Index uses data derived from across our teams and managed customers to gather insights about the topmost targeted industries every year, helping organizations manage risk and resource investment in their security programs.

When it comes to managing digital risk and facing potential cyberattacks, each industry faces its own unique attack landscape, as different threat actors, motivations, assets and geopolitical events drive adversarial activity in each sector.

To map the most targeted industries, IBM used data insights from 2020 attacks to look at what can be expected in 2021. The data showed finance, manufacturing and energy at the very top of a list of targeted sectors.

Top 10 industries

Figure 1: Top 10 industries by attack volume, 2020 versus 2019

While finance has been a topmost constituent on that chart for the past five years, the manufacturing and energy sectors saw a hike in attacks, jumping five levels from their respective 2019 rankings, as if turning a pyramid on its head.

Manufacturing — ranked as the eighth most attacked in the 2019 report — jumped to second place in 2020. This may be driven by the interest malicious actors have in targeting infrastructure with connections to operational technology (OT). Similarly, energy jumped from ninth place in 2019 to third place in 2020, further underscoring attackers’ focus on OT-connected organizations in 2020.

Health care jumped from last place in 2019 to seventh place in 2020, probably driven by COVID-19- related health care attacks and a barrage of ransomware attacks against hospitals. Transportation continued to drop in 2020, falling to ninth place, compared to third in 2019. This could be related to less transportation utilization during the pandemic.

Why were the top-ranking sectors attacked that much more in 2020? Attackers could be seeking organizations where they could either steal more money with less effort, applying pressure for high-stakes returns or where they could inflict kinetic damage.

Download the Report

The types of attacks that were most prevalent in each sector differed:

  • The financial sector was affected by a large portion of server attacks, data theft and some ransomware cases. These attack types are coherent with attacker motivations in targeting organizations that move money around a lot. Paralyzing banks is less of a goal but accessing internal systems can yield hefty illicit returns, highlighting the need for robust banking cybersecurity.
  • In the manufacturing sector, where every minute of downtime is a costly matter, there was a high proportion of ransomware attacks, indicating threat actors sought to disrupt operations in places where the pressure to pay a ransom would be great. In 2020, the manufacturing industry also became more critical than ever, with the production of personal protection equipment and other critical supplies. The sector saw increased activity across the globe, which could have been a reason for attackers to target it at its busiest time, launching data theft and business email compromise (BEC) attacks on manufacturers across the globe.
  • In the energy sector, 35% of attacks were data theft and only 6% involved ransomware, likely indicative of threat actors who are after intellectual property, customer data or ways to extort organizations. Another popular attack type in this sector was the BEC attack.

Figure 2: Percentage breakdown of industry attacks by type, per X-Force incident response data, 2020

Highlights from 2020’s top 10

A breakdown of the top 10 most targeted industries also features retail, professional services, government, health care, media, transportation and education. While it ranked seventh in 2020, the number of attacks on health care more than doubled compared to 2019 and almost a third of all attacks on the health care sector were ransomware cases. The health care sector is going through extremely challenging times, having to respond to a global pandemic while increasingly being targeted by sophisticated cyber crime and nation-state threat actors out to disrupt and steal data from organizations in this industry.

Another sector where ransomware reigned supreme was the government sector — 33% of attacks on government entities involved ransomware. But while this attack type looms large, according to a 2020 IBM Security study, only 38% of state and local government employees are trained on ransomware prevention, with one in six respondents disclosing their department was impacted by a ransomware attack. This data is a call to action for government security teams to prepare and train for the possibility of an attack on their networks, especially in a work-from-home era.

The education sector was heavily spammed and also saw ransomware attacks target its networks, in many cases leaving schools unable to continue operating until the situation was resolved. These attacks did not only target higher education; K-12 schools were also affected, making pandemic-era studying difficult.

Figure 3: Top attacked industries in 2020 as a percentage of attacks on the top 10 industries

Per industry breakdown

The 2021 X-Force Threat Intelligence Index further breaks down the types of attacks in each industry and the trends that shaped them. The following sections provide a summary of each of the top 10 constituents:

1. Finance and insurance

Roughly 28% of attacks on finance and insurance in 2020 were server access attacks, and 10% of attacks involved ransomware.

Since 2016, the finance and insurance sector has been ranked as the most-attacked industry, a position it continued to hold in 2020. Financial institutions experienced 23% of all attacks IBM X-Force analyzed in 2020, up from the 17% of attacks the sector experienced in 2019.

2. Manufacturing

We saw 21% of ransomware attacks happen against manufacturing. Four times more BEC attacks were experienced in manufacturing companies than in any other industry.

Manufacturing ranked as the second most-attacked industry in 2020, up from eighth place in 2019, and received 17.7% of all attacks on the top 10 industries — more than double the 8.1% of attacks it experienced last year. Threat actors’ renewed focus on manufacturing — the industry also ranked second in 2015 and third in 2017 — underscores its attractiveness as a target, especially for ransomware, BEC and remote access trojan attacks.

3. Energy

Roughly 35% of attacks on the energy industry were attempted data theft and leaks.

Having suffered 11.1% of attacks on the top 10 industries in 2020, energy ranked as the third most attacked industry, up from ninth place the year prior. Server access attacks on the energy sector hit organizations hard in 2020, and this industry came in fourth place after health care for the highest number of such attacks.

4. Retail

And, 36% of attacks on retail were credential theft; 18% of attacks on retail were ransomware.

The retail industry ranked as the fourth most attacked in 2020, down from second place last year, and received 10.2% of all attacks on the top 10 industries, down from 16% last year. As a hub of credit card payments and other financial transactions, retail has long been a target of choice for malicious threat actors.

5. Professional services

We saw 35% of attacks on professional services in 2020 from ransomware attacks — a higher percentage than any other industry suffered; 13% of attacks on professional services were data theft and another 13% were server access attacks.

Professional services ranked fifth on the top-10 list of the most attacked industries of 2020 and absorbed 8.7% of all attacks on the top-10 sectors — holding its same rank as in 2019 while dropping slightly from 10% in 2019. Professional services organizations are particularly attractive to attackers because of the avenue they provide to additional victims and confidential data they typically hold on people.

6. Government

More than one-third (33%) of attacks on government were ransomware — the second highest percentage out of all industries; 25% of attacks on government were attempted data theft and leaks.

The public sector — including defense, public administration and government-provided services — ranked as sixth most attacked in the 2020 ranking, receiving 7.9% of all attacks on the top-10 industries. This places the government sector in the same spot as its 2019 ranking, when it suffered 8% of attacks on the top-10 industries. From IBM X-Force incident response data, it appears that ransomware attacks plagued government organizations the most in 2020, followed closely by data theft.

7. Health care

During an especially stressful year for this sector, health care saw 28% of attacks start with ransomware infections; 17% of the incidents observed in the sector involved CVE-2019-19781, a risky vulnerability in the Citrix Application Delivery Controller.

In terms of its ranking in 2020, health care ranked seventh on the most-attacked industries chart, having absorbed 6.6% of all attacks on our top-10 list — up from 10th place and 3% of attacks in 2019. This is an appreciable jump and reflects the onslaught that health care received as the COVID-19 pandemic unfolded, from ransomware attacks to threat actors targeting COVID-related research and treatments. These types of threats continue to affect health care and health research organizations in 2021 and must be a call for even more vigilance as attackers remain relentless in their operations against the sector.

8. Media and information communications

A whopping 90% of malicious domain name system (DNS) squatting targeted the media, the most spoofed industry.

The media, telecommunications and information communications industry came in at eighth most attacked in 2020, targeted by 5.7% of all attacks on the top 10 industries — down from fourth place last year, when it received 10% of attacks. This sector includes telecommunications and mobile communications providers, as well as media and social media outlets that can play a critical role in political outcomes, especially during election years.

9. Transportation

The transportation sector experienced 5.1% of all attacks in 2020, down from 10% in 2019; 25% of attacks against transportation in 2020 involved a malicious insider or misconfiguration. Unlike manufacturing, transportation significantly dropped in its top-10 ranking, placing ninth, down from third place in 2019 and second place in 2018. It is possible that with travel bans across the globe, this sector was not as lucrative to attackers during the first year of the COVID-19 pandemic.

10. Education

Half (50%) of the attacks on education in 2020 were spam or adware; 10% of attacks were ransomware. The education sector ranked as the 10th most attacked in 2020, receiving 4% of all attacks on the top 10 industries. This moves education down from the seventh-most attacked position in 2019, when it received 8% of all attacks.

Although this sector saw a smaller portion of attacks overall, it is also a more vulnerable sector where security budgets are humble, but risks are prolific. Students and staff make for a large attack surface that’s decentralized and harder to control, making schools and universities all the more susceptible to cyberattacks.

To learn more about your organization’s sector, download the 2021 X-Force Threat Intelligence Index and stay up to date on IBM X-Force’s security research blogs by visiting: www.securityintelligence.com/category/x-force.

More from Threat Intelligence

FYSA – Critical RCE Flaw in GNU-Linux Systems

2 min read - Summary The first of a series of blog posts has been published detailing a vulnerability in the Common Unix Printing System (CUPS), which purportedly allows attackers to gain remote access to UNIX-based systems. The vulnerability, which affects various UNIX-based operating systems, can be exploited by sending a specially crafted HTTP request to the CUPS service. Threat Topography Threat Type: Remote code execution vulnerability in CUPS service Industries Impacted: UNIX-based systems across various industries, including but not limited to, finance, healthcare,…

Hive0137 and AI-supplemented malware distribution

12 min read - IBM X-Force tracks dozens of threat actor groups. One group in particular, tracked by X-Force as Hive0137, has been a highly active malware distributor since at least October 2023. Nominated by X-Force as having the “Most Complex Infection Chain” in a campaign in 2023, Hive0137 campaigns deliver DarkGate, NetSupport, T34-Loader and Pikabot malware payloads, some of which are likely used for initial access in ransomware attacks. The crypters used in the infection chains also suggest a close relationship with former…

Phishing kit trends and the top 10 spoofed brands of 2023

4 min read -  The 2024 IBM X-Force Threat Intelligence Index reported that phishing was one of the top initial access vectors observed last year, accounting for 30% of incidents. To carry out their phishing campaigns, attackers often use phishing kits: a collection of tools, resources and scripts that are designed and assembled to ease deployment. Each phishing kit deployment corresponds to a single phishing attack, and a kit could be redeployed many times during a phishing campaign. IBM X-Force has analyzed thousands of…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today