Monday, Oct 11, 2021
BY: J.R Cunningham - Chief Security Officer
There are plenty of basic cybersecurity hygiene rules. Strong authentication, proper security awareness training, and prompt patching are good guidelines that everyone should follow. When you dig into the nuances of effective security, though, it quickly becomes apparent that one size doesn’t fit all.
Cybersecurity threats create business risk, and the National Association of Corporate Directors handbook on cyber-risk oversight boils down the management of those risks to basic questions. These include what an organization’s most important assets are, what kinds of threat actors are likely to come after them, and what the legal and disclosure implications are if the attackers succeed.
Such questions might seem very basic, but the answers will differ across industries based on sector-specific priorities. Those responsible for keeping supplies moving, such as upstream oil and gas companies, are primarily concerned with availability. Downtime and service disruption are their biggest fear. Conversely, companies that safeguard sensitive information, from news organizations to defence contractors and legal firms, focus more on confidentiality. Some organizations grapple with both kinds of risk. Healthcare providers, for example, must keep systems running while also protecting the most sensitive kinds of personal data.
The threat actors targeting these sectors also differ in their approach. Organized cybercrime groups, many of them operating out of the former Soviet Bloc, tend to have financial motives, whereas state-linked espionage groups are after military and industrial secrets. Other groups, whether state-sponsored or hacktivist, simply seek to disrupt.
Attackers are dedicated followers of fashion
Just as legitimate business follows broad, industry trends, threat actors follow fashions by targeting different industries over time. These trends stem from the maturity of different sectors and the success of criminal trend setters, along with the evolution of back-end monetization techniques that make certain kinds of stolen data more fashionable.
Attack trends are often protracted and marked by milestone events, such as the spate of breaches at dozens of large retailers in the early and mid-2010s. These attack cycles don’t end abruptly. Instead, they tend to overlap and morph. Attacks on retail never really went away, but they evolved as attackers found new techniques, such as the Magecart groups’ injection of JavaScript skimmers into e-commerce checkout pages in the late 2010s.
The gradual uptake of EMV chip cards (long established in Europe, adopted in the US from 2015) didn’t eliminate the market for stolen card details from retailers, but it made cloned cards harder to produce and helped shift attackers’ attention to personally identifiable information (PII). That heralded a focus on other industries such as healthcare, which suffered some shocking attacks over the last decade. More recently, we’ve seen a spate of attacks on companies such as Colonial Pipeline that are considered core parts of critical national infrastructure.
Responding with an industry approach
With these differences in mind, how do you find an industry-based approach tailored to your sector and company type?
There’s no shortage of industry-agnostic security frameworks, from NIST’s Cybersecurity Framework to the Center for Internet Security’s CIS Critical Security Controls and the ISO/IEC 27001 standard for information security management. These are all laudable sources of guidance, but they’re huge undertakings with many generic controls, and many companies won’t have the internal resources to tackle them all.
This is where a surgical approach to cybersecurity pays off. Focusing on the most prominent risks and controls for your industry will give you better security for the finite resources available. There’s a sector-specific framework for most industries, whether it’s the Payment Card Industry Data Security Standard (PCI DSS) for any organization that handles card payments, retailers included, the healthcare sector’s HIPAA and HITECH regulations, or state-level financial regulations such as New York’s 23 NYCRR 500.
Sector-specific frameworks – many of which are mandatory – offer clear guidance on where to invest your time and effort. Once mastered, your organization can tackle voluntary, cross-industry frameworks. Your appetite for this will depend on your risk tolerance and the resources you have left.
Ransomware – a threat all its own
This industry-specific approach also applies somewhat to ransomware, although this cybercrime model has blurred many of the boundaries that previously delineated cybersecurity risk across different sectors.
As ransomware evolves, it poses multiple risks that span different sectors. Manufacturing and energy companies must worry about disruption, as it threatens to shut down operations. Double-extortion attacks now steal data before encrypting it, so confidentiality is at risk as well as availability. It’s the Swiss Army knife of attack tools, able to hit any industry where it finds a pertinent risk.
We can look at ransomware attacks in two stages: pre- and post-breach. Companies’ vulnerabilities will still be a product of their sector-specific traits, which will affect which assets are most important, where they’re located, and the infrastructure that houses them.
A managed services provider’s key assets are its customers’ services. It will be primarily concerned with securing endpoints, tightening access among its customers, and segregating client environments to avoid a ransomware attacker using it as a vector to compromise countless clients. A manufacturer will focus on different assets and outcomes, even though some of its protective measures might be similar.
When a ransomware breach happens, however, the concerns and responses will be similar across different industries. Restoring operations and evaluating the danger of data being made public will be priorities.
Ransomware is such a large threat that it stands out as a cross-industry area of focus. This is where targeted guidance, such as NIST’s forthcoming Cybersecurity Framework Profile for Ransomware Risk Management (NISTIR 8374), will come in useful. It’s one more thing to worry about, but something no company can ignore, no matter what industry it’s in.
Ultimately, cybersecurity isn’t a switch you can flip. Instead, it operates on a continuum, with companies gaining maturity across a range of technical and organizational areas over time. You must choose which areas to prioritize based on your sector-specific traits.
Nuspire’s managed security services acknowledge this from the beginning. We map threats and cybersecurity controls to your specific industry during the onboarding process, tailoring a security posture that reflects your company’s needs and focuses on continuous improvement. It gets you better protection, faster, against ransomware and many other dangers. After all, why be a jack-of-all-trades when you can master security from the beginning based on your specific industry needs?