The number of cybersecurity incidents has risen sharply over the past two years: The rushed digitization projects of the pandemic years left many organizations’ perimeters in shambles. Now, Russia’s war of aggression – which might go down in history as the first truly hybrid war, fought fiercely both on traditional and on cyber battlefields – is threatening these vulnerable infrastructures. This has not gone unnoticed by the political players and federal agencies of the transatlantic alliance: On both sides of the Atlantic, administrations are vehemently advocating holistic security approaches, be it in White House Executive Orders, the compendia of the German BSI (Federal Office for Information Security) or the British National Cyber Strategy.
A common component of these ambitious government frameworks is their holistic approach to cyber defense, leveraging principles such as Zero Trust, Least Privilege and Security-by-Design to help companies build stronger and more resilient environments and applications, and thus to protect their assets and strengthen the overall economy. However, most IT teams in the private sector are understaffed, and many lack the cyber security expertise required to make fundamental changes of this kind to their IT and security stacks. This could prove fatal, especially for organizations in five select industries that represent especially attractive targets for attackers. Let’s take a look at these sectors and discuss how players in them can confidently ensure a high degree of protection by following the Center for Internet Security’s (CIS) Critical Security Controls and Privileged Access Management (PAM) recommendations.
Financial Services Industry
The financial services industry has always been a prime target of cybercriminal activity. The attacks are usually financially motivated. In the worst case, a successful breach might even grant the attackers direct access to the deposits of bank customers and investors. In addition, most financial institutions also manage vast amounts of sensitive, highly valuable data for their customers: from personal financial data and business-critical information to insider information or data from data-driven businesses.
To exacerbate matters, the financial sector is currently undergoing a dynamic, if not disruptive, digital transformation: An agile swarm of aggressive young challenger banks is setting itself apart from the traditional market with innovative digital service offerings, forcing established institutions to digitize at full speed as well. All of this is rapidly increasing the dependency on technology and data across the industry, and the growing attack surfaces offer hackers countless new attack vectors.
Healthcare Industry
The healthcare industry has also been one of the top targets for cybercriminals for many years. After all, healthcare providers’ servers arguably hold the most sensitive and tightly regulated data in the world, and this data is of enormous value.
According to recent studies, healthcare saw a 200% year-over-year increase in cyberattacks in the first pandemic year alone. At a staggering 97%, web application and application-specific attacks accounted for the lion’s share of malicious activity. This can be attributed to the newly opened network infrastructures: During the pandemic, both medical staff and patients have increasingly started to access central resources as part of telemedicine concepts, and while this often improves patient care, it also creates additional points of attack.
In addition to the ubiquitous identity theft and ransomware attacks, cyber reconnaissance is playing an increasingly important role in healthcare institutions and healthcare research. A prime example is the recent attack on the European Medicines Agency (EMA), where attackers illegally accessed confidential vaccine documents.
Construction Industry
Let us have a look at the most unexpected entry on the list: According to several recent studies (e.g., the “Hiscox Cyber Readiness Report 2021” by specialist insurer Hiscox and Forrester Consulting), almost half (46%) of construction companies have been the victim of a cyberattack.
Even though many experts believe that the construction industry has been very reluctant to digitize, there is no doubt that more and more business processes are being shifted to the IT world. And as is always the case when digitizing, caution is advised: Anyone who is working with construction plans, project evaluations, and other confidential information needs to apply due diligence to avoid damage and financial losses.
The example of French construction company Ingérop illustrates how big the damage potential in the construction industry really is: In 2018, around 65 gigabytes of data were stolen from Ingérop via a German server – including a large number of documents from critical infrastructure facilities such as nuclear power plants and nuclear waste repositories, high-security prisons, and public transport networks, not to mention personal data from over 1,200 employees.
IT and Telecommunications Industry
The recent cloud and digitization boom has permanently changed the ICT industry and made it much more relevant, but also more complex. Multiple surveys document that a vast majority of IT executives worldwide consider the sprawling complexity of the tech stack as a major problem in their organization. They also expect cybercrime to increase in 2022: With the rapid rise of mobile endpoints, smart IoT devices, and open APIs, the volume and value of data processed worldwide will increase significantly and the companies’ attack surface will also continue to grow. ICT companies must therefore take care not only to advance their products and infrastructures but also to continuously optimize their security stacks.
Small & Medium Businesses
Last year’s digitization boom has fundamentally changed small and medium-sized companies: To maintain business continuity during the pandemic, extensive investments in new digital equipment (hybrid workplaces, for instance) were required; these could not be postponed and were often funded by governmental digitization initiatives. However, these digitization projects were rarely accompanied by similarly ambitious security investments, so there is a lot of catching up to do in terms of cybersecurity.
While most large companies employ dedicated staff or entire departments for cybersecurity, SMEs are often inadequately protected due to a lack of resources: Only about half of them have access to well-rounded in-house security experts. For attackers, this naturally represents an attractive target, the proverbial “path of least resistance”.
So, SMEs have their work cut out for them: Despite their limited budgets, they need to mitigate potential attack vectors as comprehensively as possible. This also means they must prepare for the worst-case scenario – a successful breach – by preventing lateral movement through their network.
Privileged Access Management for Secure Access
As different as the five industries may be, the majority of cyberattacks follow the same pattern: First, the attackers gain access to the network, often by stealing or phishing credentials. Then, they move laterally from system to system, escalating their access rights until they find the company’s crown jewels. These are then stolen, encrypted, or destroyed – depending on what promises the highest profit.
The only real protection against these kinds of attacks is stringent Privileged Access Management (PAM), specifically for privileged accounts with far-reaching rights. The foundation of this strategy is the so-called least privilege principle, which is also a key component of the guidance issued by Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the German BSI and the British National Cyber Strategy: Authenticated users are only ever granted the minimum level of privileges, for a limited period, and precisely the access rights they need to fulfill their current task. A robust PAM solution should also support strong multi-factor authentication (MFA) and a seamless password management strategy, e.g., automated password rotation for network accounts and the storage of critical credentials in secure vaults. This allows IT teams to restrict access to critical assets such as infrastructure accounts, DevOps access, or SSH key pairs. For optimal protection, red team exercises, advanced audits, and dedicated employee training have proven effective against social engineering.
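As an added illustration of the least-privilege model described above (this is example code written for this article, not code from the original text or from any PAM product), the following hypothetical Python policy engine issues grants that are MFA-gated, scoped to one resource and one set of actions, and capped in duration, and it records every decision in an audit log. The names PamBroker, alice, bob and db-prod-01 are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Grant:
    principal: str
    resource: str
    actions: frozenset      # exactly the actions needed for the current task
    expires_at: datetime    # privilege is time-boxed, never standing

class PamBroker:
    """Hypothetical PAM policy engine: MFA-gated, task-scoped, time-boxed grants, audited."""
    def __init__(self, max_ttl=timedelta(hours=1)):
        self.max_ttl = max_ttl   # hard ceiling on how long any privilege may live
        self.grants, self.audit = [], []

    def request_access(self, principal, resource, actions, ttl, mfa_verified, now):
        if not mfa_verified:     # privileged access requires a completed MFA challenge
            self.audit.append(("DENY_GRANT", principal, resource, "mfa_required"))
            return None
        grant = Grant(principal, resource, frozenset(actions), now + min(ttl, self.max_ttl))
        self.grants.append(grant)
        self.audit.append(("GRANT", principal, resource, sorted(actions), grant.expires_at.isoformat()))
        return grant

    def authorize(self, principal, resource, action, now):
        # A live grant must match principal, resource AND action; a grant on one host confers
        # nothing on a neighbouring host, which is what contains lateral movement.
        for g in self.grants:
            if (g.principal, g.resource) == (principal, resource) and action in g.actions and now < g.expires_at:
                self.audit.append(("ALLOW", principal, resource, action))
                return True
        self.audit.append(("DENY", principal, resource, action))
        return False

def demo():
    t0 = datetime(2022, 3, 21, 12, 0, tzinfo=timezone.utc)   # constructed sample timeline
    pam = PamBroker()
    pam.request_access("alice", "db-prod-01", {"ssh"}, timedelta(hours=8), True, t0)  # ttl capped to 1h
    t1, t2 = t0 + timedelta(minutes=10), t0 + timedelta(hours=2)
    return {
        "denied_without_mfa": pam.request_access("bob", "db-prod-01", {"ssh"}, timedelta(minutes=5), False, t0) is None,
        "same_host_ssh": pam.authorize("alice", "db-prod-01", "ssh", t1),
        "other_host_ssh": pam.authorize("alice", "db-prod-02", "ssh", t1),
        "same_host_sudo": pam.authorize("alice", "db-prod-01", "sudo", t1),
        "after_expiry": pam.authorize("alice", "db-prod-01", "ssh", t2),
        "expires_at_iso": pam.grants[0].expires_at.isoformat(),
        "audit_entries": len(pam.audit),
    }
```

The point of the demo is the set of denials: the same operator is refused on a neighbouring host, refused an action outside the task, and refused once the window closes, and each refusal is visible in the audit trail.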
CIS Critical Security Controls
While most organizations have some PAM components in place, many lack a comprehensive strategy that addresses the issue holistically and offers full protection. This is why the non-profit Center for Internet Security (CIS) provides a set of holistic best practices through its regularly updated Critical Security Controls Framework (CSC). The 20-point framework helps companies put every aspect of their cybersecurity to the test. Particularly relevant for KRITIS-regulated companies: The current eighth edition puts a strong focus on the topics of “Access Control Management” and “Privileged Access Management” and includes multiple actionable recommendations for security practitioners to protect their privileged accounts and to implement a consistent cybersecurity strategy.
As recently as March 21, 2022, Joe Biden explicitly warned about Russian cyberattacks and called on companies to “harden your cyber defences immediately”. The powerful choice of words underscores the high level of risk that political decision-makers currently perceive. Cyberattacks have been on the rise for many years, but both the pandemic and the war could exponentially accelerate the threat levels. Organizations looking to ensure safe and resilient operations need to rethink their cybersecurity approach and to position themselves more securely in cyberspace. This is especially true for enterprises from the financial, healthcare, construction and ICT sectors, as well as SMEs. These five are among the prime targets and need to be aware of the relevance of their assets and data. Implementing a holistic PAM strategy is a very effective and quick measure to improve the security posture. In the long term, however, companies need to revise their entire security stack along current best practices, and thus set the course for failsafe and resilient business operations with low operational risks.