Threat Thursday: Breaches, Attacks, and Exploits
What is Threat Thursday, you ask? The last Thursday of every month, my colleague Chris Goettl and I get together for 45 minutes of pure, unfiltered security chit-chat. We talk about active cyberattacks and data breaches, how to best defend yourself, security strategy, and more. It’s all lighthearted, loosely formatted, and a lot of fun.
But don’t get us wrong. We understand IT security is a serious business – that’s why we spend most of the time ensuring you have the right measures in place to stay protected, and take plenty of time to answer any questions you might have.
Here’s what we’ve got on tap for Thursday, September 26:
It’s Drafty Down There: Healthcare Exposures
In August, patient data had more exposure than a hospital gown. More than 700,000 records were leaked in 44 separate data breaches. It wasn’t a backdoor attack (sorry, another gown joke). Instead, threat actors used phishing to target both healthcare systems directly and the vendors that serve them.
Why healthcare? Medical records are among the most valuable PHI and PII available on the dark web. According to Experian, individual medical records can be worth up to $1,000 depending on the information they contain. In contrast, the average credit card record usually fetches anywhere from $1 - $10.
It’s About to Get Expensive
Recovering from these breaches is insanely expensive. According to figures from IBM and Ponemon, it costs providers $408 per medical record to recover from a data breach. That’s the highest among verticals and nearly double what it costs for organizations doing business in the financial industry – the next closest group on the list.
Furthermore, organizations can cost themselves more money with misplaced security initiatives. According to IBM and the Ponemon Institute, in their 2019 Cost of a Data Breach report, third-party breaches, compliance failures, and extensive cloud migration each add at least $300,000 to the average cost of a data breach, which in the US is roughly $3.92 million.
Our Expert Security Recommendations
Chris and I suggest doing the following to combat these attacks:
- Phishing training – or, if you’re already doing this, perhaps educating your users on how hackers are gaining access to these records
- Vendor risk management – remember, these attacks normally begin at the vendor level
- Privilege management – what level of access do your vendors and users have to your systems?
- Email security – we’ve seen a lot of these attacks in the form of an email that looks like it’s from a manager or a boss
- Two-factor authentication – a second layer of defense is a must
- Incident response planning – referencing the IBM/Ponemon chart, there’s a lot to be said about how this one initiative can offset the total cost of a data breach
Perhaps the one silver lining to these data breaches is the actual data from the fallout. Risk managers can now more accurately predict what an attack could cost their organization. Something to keep in mind considering that all organizations can expect to suffer a data breach once every ten years.
What’s Worse Than a Root Canal
What’s the best time to go to the dentist? Tooth-hurty. Ok, sorry about that, but I couldn’t resist. What’s worse than that joke? Perhaps a root canal. What’s worse is having the root canal AND learning that you’re the victim of a data breach.
We briefly touched on this in the last Threat Thursday, but we’re continuing to see ransomware attacks targeting dental service providers. This is boutique ransomware, too. Highly customized, not some simple kit you can buy on the dark net.
We know that at least 400 dentist offices nationwide were locked out of their systems and prompted to pay up or risk losing all their data. It’s pretty smart, considering that individual attacks on dental offices would take a lot of work. So why not go after the same software used in hundreds of dental offices, on thousands of devices?
Here’s our advice:
- Don’t pay the ransom – seriously, there’s no guarantee the threat actors are going to free your data
- Backup and recovery
- Patch vulnerabilities
- Restrict admin privileges
- Vendor risk management
What’s on Our Radar
There are some other newsmakers out there. Check out some of the stories we’re following as we head into October:
- Microsoft urges Windows users to install emergency security patch – TechCrunch
- World of Warcraft DDoS attacks – The Express
- Fear of election hacking in 2020 – Reuters
- Nearly every single Ecuadorian had their data hacked – Miami Herald
Also, get more insights from me, Chris and our colleagues at Forrester, Crowdstrike, Kenna Security and Morphisec. Register for the FREE Cybersecurity Virtual Event on October 23, 2019.