Moreover, the energy, healthcare, and retail sectors are significantly more vulnerable to cyber-attacks. In recent years, KPMG has noticed a similar growing trend in Estonia and Scandinavia, where non-IT-oriented sectors often lag considerably behind in cyber security matters.
Unfortunately, no one can afford such shortcomings any longer, as most attacks are financially motivated. For ransomware attackers, a company’s assets, such as manufacturing equipment, intellectual property or medical devices, are as lucrative a target as disrupting an online environment or encrypting data assets.
Moreover, state-sponsored attackers are showing rising interest in the energy and health sectors. Examples include ransomware attacks against Universal Health Services, the largest hospital network in the United States, and similar incidents in Estonia. The latter have come to public attention through the Estonian Information Systems Authority and other sources, and they point to numerous attacks on Estonia’s energy and healthcare sectors.
It must be noted that every company holds data that are potentially of great interest to attackers, even if the company itself is not aware of it. The main targets for attackers are personalised customer and employee data, intellectual property and anonymised customer data.
The purpose of capturing data is usually to sell the data on the black market or to cross-correlate them with other data, which adds value to the captured dataset. Data breaches pose a wide range of risks for companies. On the one hand, they face reputational damage and potential loss of trust. On the other hand, there are potentially considerable financial penalties resulting from both national regulations and the GDPR, for example.
Companies should certainly pay attention to risks entailed in cloud services and overly complex security systems. Implementing new solutions or over-complicated systems may pose a threat instead of the desired additional security. Risks are particularly high if such solutions are not supported by adequate cyber security knowledge and skills.
For most companies, having all required capabilities in-house would be rather difficult and unreasonably expensive, especially when a company operates mainly in the manufacturing, energy, healthcare or another sector that is not closely related to the IT sector and when it does not operate globally. A practical solution here would be to look for a reliable service provider who can offer a world-class service.
With a trusted partner, it is possible to respond quickly to incidents that have already occurred and improve cyber security by means of red-team testing, which simulates real attacks to help identify a company’s or organisation’s IT vulnerabilities.
Even though COVID-19 does not spread in cyberspace, it does have a significant impact on companies’ IT situation today and will continue to have an effect in the future. Most companies agree that creating a capacity for remote work is a risk for them. As a result of setting up remote working arrangements, the time it takes to detect a data breach will likely lengthen in the coming years, and losses associated with data breaches will likely increase.
Companies that can get secure solutions and working arrangements in place now will have a significant competitive advantage in the future. Certainly, COVID-19 has also increased the vulnerability of many small retailers, as many online stores were launched quickly to survive the emergency situation.
Ultimately, the responsibility for the customer data collected through an online store remains with the merchant, be it a large regional chain or a single boutique.
Head of Cyber Security
mihkelkukk@kpmg.com
+372 521 4332