Cybercrime is on the rise and virtually every industry is being affected in some way. However, some industries appear to be more susceptible than others. Let’s take a look at the industries believed to be the most attractive to cybercriminals, why, and what they can do to prevent a breach.
1. Insurance industry
Insurance companies typically generate high volumes of data from their many customers. Legislation requires insurers to retain data on both existing and former customers, so these organisations must retain and secure old data for an extended period of time. However, as technology has progressed, many insurers have moved or are moving away from legacy systems, replacing them with more current, digital systems.
The challenge is that, more often than not, insurers can’t migrate old data from a legacy system, and so the data is kept in these older systems in case it is needed again. Maintaining both legacy and new systems doesn’t make financial sense, as it is a costly exercise, yet insurers typically do it anyway because keeping the data – old and new – is a compliance requirement. Unfortunately, legacy systems aren’t always able to keep data properly secure, either because of the cost involved or because vendor support has reached end of life.
These old systems become a prime target for cybercriminals, as they contain a wealth of personal and financial information. Because they are no longer actively maintained, they are easier to infiltrate. The data isn’t going anywhere anytime soon and often lies (relatively) unprotected.
In addition, cybercriminals can access ID information, addresses, property and car information and even customer financial data, using this information to commit identity theft, fraud, and blackmail.
Insurers need to be aware of what data they have and where it sits, whether on current or legacy systems. They need to build a solid and mature security and risk management programme around this information to prevent breaches as far as possible.
Regulatory compliance can help insurers gain a view of their data and where it is located within the organisation, enabling them to build a strategy that ensures data is protected no matter where it resides.
2. The travel industry
Most individuals have heard stories of fraudulent transactions where flights are purchased using stolen credit card details. The fact is that online payments within the travel industry are very easy for cybercriminals to manipulate: the level of detail required is minimal, and the security checks needed for secure transactions aren’t always in place.
Similarly, it’s still common practice for hotels to request a guest’s credit card details at the time of booking or checking in, in order to process payment at check out. Although convenient, this poses a risk as hotel groups often store a number of credit card details – including CVV numbers – at any given time.
The travel industry is slowly digitalising, however, it is a lengthy process. Recently, a major air carrier experienced a system failure that required the processing of travellers’ details manually. Beyond the risks associated with manual transacting, cybercriminals were able to access the carrier’s systems and take advantage of their dependence on technology to infiltrate the system and steal a vast amount of data. Cybercriminals are clearly taking advantage of the gaps between old systems and full digitalisation.
Nevertheless, there are many industry standards and payment regulations that are being imposed on the travel industry to curb data theft. However, as with the insurance industry, there are massive amounts of data that travel agents, airlines and even the hospitality industry retain possession of – both current and old.
Compliance with these standards and regulations can help the travel industry to identify chinks in its data systems’ armour and ensure they are covered adequately. Compliance is, after all, about meeting at least the minimum requirements to secure and protect data.
Businesses operating in this industry should ensure that systems are reviewed and updated regularly, retaining old data only as long as necessary and protecting it for as long as it remains in the business’s possession. Importantly, travel agents and hotels should modernise their systems, adding layers of protection to secure customers’ information.
The travel industry should also avoid instances where customer credit card information is retained and, if there is no other recourse, organisations within the industry should ensure they offer the right protection and authentication to safeguard their customers.
3. Government institutions
There is not enough information to ascertain what level of protection government institutions have in place to protect citizen data. However, the number of paper-based processes seen in public-facing departments gives an indication of the level of digitalisation – and the outlook isn’t encouraging.
Government departments hold large amounts of incredibly sensitive data. Beyond personal information, some of these departments also have access to military information, state-owned enterprise data, and highly confidential records of valuable resources, utilities distribution and town planning. Cybercriminals, especially of the cyberterrorist variety, are desperate to access this information.
Most government organisations are also exempt from regulations such as the Protection of Personal Information (PoPI) Act, meaning that there is no way for citizens to verify that their data is protected, nor do these organisations need to disclose any data breaches. Digitalisation of infrastructure and systems is crucial in order to keep a firm finger on the pulse of the entity’s data.
Prevention is better than cure. Regardless of the industry, organisations need to do everything within their power to protect their own information and that of their customers. Regulations can assist in achieving this by enforcing certain measures that organisations must have in place to achieve minimum security.
Additionally, organisations should have solid security, data and risk management strategies in place, and are encouraged to liaise with compliance specialists to help identify where their weak points are and how to mitigate them.
It’s also vital to have a combination of the right processes, systems and programmes in place, incorporating security awareness, patch and vulnerability management, endpoint protection and data management. These can be tailored to meet the individual demands of each industry, providing a mature platform to prevent cybercrime proactively, as well as a strategy to react to a breach in the event that one happens.
By Simeon Tassev, Managing Director and Qualified Security Assessor at Galix Networking