This content is produced by Studio/B

The biggest cybersecurity risks threatening Boston-area businesses right now

This article is a part of BG BrandLab’s Cybersecurity Special Report, meant to provide insights about today’s cyberthreats and the steps readers can take—as individuals, employees, and decision-makers—to protect against them.

Cybersecurity threats and protection best practices transcend region. But there are some specific factors Boston-based business leaders need to be aware of, including the rise of attacks targeting the healthcare sector and the new risks posed by internet-connected devices.

Potential losses are rising, too. The average total cost of a data breach in the US is $8.19 million, more than double the worldwide average, according to the IBM Security 2019 Cost of a Data Breach Report. This reflects a 130% increase over the past 14 years.

The bigger the breach, the bigger the losses. But crimes targeting smaller companies are also increasing. The 2018 State of Cybersecurity in Small and Medium Size Businesses study, conducted by the Ponemon Institute and sponsored by Keeper Security, found that 67% of companies surveyed had experienced a cyberattack, yet 47% of respondents had no idea how to protect their organization. One of the first steps they should take is understanding the threats they are up against.

Bad guys are getting “better”
Samuel Sanders Visner, director of the National Cybersecurity Federally Funded Research Center at the MITRE Corporation and an adjunct professor at Georgetown University, where he teaches a course on cybersecurity, says cyberthreats are more technically sophisticated than ever before.

Advancements include an increase in “zero-day” attacks, which exploit computer software vulnerabilities that are unknown to the people and businesses trying to reduce risks by creating security updates (patches). Advancements also include polymorphic malware, which changes its appearance after it penetrates a network, making it difficult to detect.

Perpetrators are also investing more time in their attacks, demonstrating unprecedented persistence and discipline in their efforts, says Visner. Some criminals work hard getting to know a network before making their move, and criminals and nation-state actors can persist undetected for periods ranging from months to years.

It is odd to think of cybercriminals as innovating, but that is what they are doing. Udi Mokady, founder, chairman, and CEO of CyberArk, a Boston-based cybersecurity company, says businesses need to be “nimble and proactive when it comes to securing their infrastructure and assets.” They need to work as hard as their adversaries.

Mokady noted bad actors have access to more sophisticated strategies and tools than they have had in the past. The commoditization of TTPs, the industry acronym for tactics, techniques, and procedures, has heightened the risk level for businesses. “Once primarily available to nation states, these tools are now easily accessible by criminal organizations and less well-funded attack groups. This means it no longer takes a nation state to execute a highly targeted attack.”

Attack motives and targets vary
Attack motives vary depending on the adversary. Sometimes, it is a foreign state, terrorist group, crime ring, or an individual attempting to harm national security or undermine our institutions. Other times, they are after trade secrets. As such, tech hubs like Boston’s Route 128 are at risk since they have intellectual property (IP), explains Visner. Or, the criminals may be financially motivated, targeting financial and personal data in the hopes of selling it on the dark web or using it to hold a company hostage via ransomware attacks. 

Cybercriminals sometimes strive to upset an organization’s supply chain by attacking unsuspecting third parties, such as their technology or service providers. “While many organizations may not see themselves as a prime target for attack, they must consider their role as a potential stepping-stone for an attacker to get into a larger enterprise or government organization,” says Mokady.

Visner believes cybercriminals sometimes target the private sector to test out capabilities before a larger attack. North Korea’s attack on Sony Pictures, for example, was likely a show of force, but also a test run. Visner also cites a hacker attack on a little-known steel mill in Germany—another confirmed case in which perpetrators used purely digital tactics to physically harm equipment. It may have been a training of sorts, and “it forces the US and our allies to take into account what an adversary can do if it chooses.”

Stakes are high for healthcare

The Verizon 2019 Data Breach Investigations Report, which is based on an analysis of 41,686 security incidents, found that healthcare organizations are targeted more frequently than financial organizations and almost as often as the public sector. Attacks in this sector are also more costly than any other vertical, according to IBM’s 2019 report.

Taylor Lehmann, chief information security officer (CISO) at athenahealth in Boston and former CISO for Wellforce, a health system that includes Tufts Medical Center, Melrose Wakefield Healthcare, and Circle Health, says attacks on healthcare organizations are increasing, in part, because health data has value in dark markets. Additionally, criminals realize that if they can access and prevent certain data or systems from functioning correctly, they can render healthcare organizations unable to deliver care. They reason that if this happens, the victim will be compelled to pay the requested ransom—and quickly.

Historically, healthcare organizations have focused their investments on efforts directly tied to the delivery of patient care, which sometimes left important programs, like cybersecurity and resiliency, under-funded. But Lehmann sees signs this is improving. A number of organizations, including Beth Israel Lahey Health and Boston Medical Center, have taken steps to build and sustain cybersecurity programs, such as hiring CISOs and scaling their information security teams. His own budget at Wellforce increased considerably year over year.

More devices, more risk
A growing number of companies are adopting internet-of-things (IoT) devices to serve business functions, from medical devices in hospitals to large-scale manufacturing systems. These systems are usually intended to run for a decade or more, which “drastically outlives the manufacturer’s ability to keep the devices secure,” says Mike Pinch, director of threat management at Security Risk Advisors, a cybersecurity consulting firm that does work in Boston.

Additionally, these devices lack typical security software so they are hard to monitor. Business owners must become adept at identifying all of the devices on their network, “protecting them through network segmentation, and validating that through regular penetration testing,” Pinch explains.

When you are your own worst enemy
Information networks and system architecture have become increasingly complicated, which means businesses need to spend more time and attention managing them, says Visner. That is not happening. Often, successful attacks exploit vulnerabilities the company knew about but did not address, even though, in some cases, patches were available.

Companies need to consider internal threats, too. The healthcare sector also stood out in Verizon’s report because 59% of its security incidents were caused by internal actors. Companies should take steps to protect themselves from their employees by limiting permissions to business-critical data and tracking all access attempts.

Even well-meaning employees can put their organizations at risk with simple missteps, such as clicking a nefarious link or not guarding system credentials. Lehmann adds that businesses also create vulnerabilities by failing to procure the security talent they need to guide their decision-making and protect their company.

This content was produced by Boston Globe Media's Studio/B. The news and editorial departments of The Boston Globe had no role in its production or display.