Every chief information security officer (CISO) faces ongoing threats to his or her company’s assets. While some threats apply to every industry, IT security specialists in the health care, financial services, and energy and utilities sectors need to pay more attention to industry-specific security risks. Although these threats are most prevalent in the aforementioned sectors, businesses across all industries are prone to similar vulnerabilities and should adhere to the same security guidelines.
A Labyrinth of Health Care Security Risks
Electronic medical records (EMRs) are the standard for patient data and greatly simplify record storage, updates and retrieval. At the same time, cybercriminals have found a lucrative market for stolen medical records, worth as much as $10 per record, which is 10 to 20 times the value of a credit card record. Medical records typically include Social Security numbers, medications used and addresses that can help attackers in a variety of illegal efforts.
Because the intent of the EMR is to facilitate wide access, CISOs charged with guarding medical records need to protect against endpoint penetration originating from public facilities such as hospitals, clinics, private physicians’ offices, pharmacies and millions of individual patients. Users can gain access through a variety of devices, and a wide range of individuals may access various aspects of a patient’s records for different purposes.
These variations present a labyrinth for security professionals and a playground for cyberthieves. The Health Insurance Portability and Accountability Act (HIPAA) makes CISOs responsible for these data environments, which are open to audit by the Office for Civil Rights (OCR) in the U.S. Department of Health and Human Services (HHS).
The Fourth-Party Threat in Financial Services
The financial ecosystem has become highly complex as digital transactions connect financial institutions with their customers, and those customers connect digitally with their own clients and vendors. This complexity expands the CISO’s range of potential targets beyond traditional third-party relationships to include fourth-party providers of financial data connections.
As the number of relationships escalates, so does the difficulty of monitoring and assessing the vulnerability of each financial participant. The security capability of the service providers handling the third-party’s transactions can impact the security of your customers and potentially expose your data.
The U.S. Federal Trade Commission (FTC) has investigated and taken action against a number of companies that failed to provide adequate protection to their customers. CISOs need to understand their exposures and expand their abilities to evaluate all segments of the financial chain.
Emerging Urgencies in Energy and Utilities
The energy sector is investing heavily in smart meters and intelligent distribution systems. As a result, infrastructure is increasingly reliant on intelligent computing services to manage the power grid from generation to consumption. That reliance on computing networks presents CISOs with new challenges because every node represents a possible entry point for malicious activities. In particular, Internet of Things (IoT) devices such as smart meters may not have the robust security protection needed to defend against persistent attacks and could become gateways to the larger grid management systems.
The stakes are high when it comes to the possible failure of the electric grid. According to Natural News, experts have estimated that a collapse of the U.S. energy grid could kill 90 percent of Americans “through starvation, disease and societal collapse.” CISOs in the energy and utilities sector need to validate all endpoints for secure protection and build sophisticated intrusion intelligence into their operating processes.
All CISOs Should Mind Industry-Specific Security Threats
Every industry has its own set of concerns when it comes to cybersecurity. These examples represent some of the largest and most widely used and, by extension, the biggest targets for cyberattacks. All CISOs need to assume their environments are at risk to the same extent, even if their business doesn’t fall within one of these broadly defined categories.