More Than 600 Government, Healthcare and Finance Organizations Breached

Oct 19, 2016 10:55:08 AM / by David Geer

Three market sectors could suffer millions to billions in losses. As of early October 2016, the ID Theft Center reports that hackers breached 601 organizations in the government, healthcare, and finance sectors as well as the business category. These attacks exposed more than 28 million records. Based on estimates of $200K to $4 million in losses from a data breach, the total cost of these breaches could range from $120 million to $2.4 billion.

As the size and costs of these breaches increase and more and more consumers are affected financially and medically, institutions continue to look for solutions to plug the holes that let hackers in.

Organizations need to know both the security gaps that remain and how to fill them in order to shrink the breaches and the damages.

Security Gaps
The gaps in government cybersecurity seem to consist of the same low-hanging fruit that hackers have always sought. This year, that easily reached fruit has included lost flash drives, default passwords, and people susceptible to social engineering.

Hackers are targeting healthcare more than any other industry. Gaps in healthcare cybersecurity include a lack of encryption and an increase in ransomware.

Hackers are cashing in on cracks in financial firms’ armor. The finance sector finds itself barraged with attacks on security flaws such as lapses in proper encryption and weaknesses in mobile banking.

Filling the Gaps
To secure data with respect to flash drives, government agencies, and really anyone else, should avoid using these devices for high-value data, including credentials or other data that enables hackers to reach high-value data. Use extremely secure flash drives that come with very strong encryption such as 256-bit ciphers / keys, strong PIN technology, and the ability to lock out users after they fail to enter the correct PIN.

Always change default passwords, as these are generally available online. Train everyone in measures that ensure no one gets through using social engineering, whether hackers attempt it by phone, email, or in person. Use stringent measures and policies to ensure your people thoroughly confirm the identity of anyone they provide with information. Certain types of information should never go out by any means.

Healthcare institutions must encrypt data in transit and at rest. Use very strong encryption that includes 256-bit keys / ciphers. Avoid using encryption software that has a record of being subverted.

Hospital systems and medical concerns need to apply many layers of preparation and protection to mitigate ransomware. Use and update anti-spam, anti-virus, anti-malware, and behavioral security tools, which can at least block known forms of ransomware based on behavior and signatures. Educate employees on all the signs of sites and messages / emails that potentially are insertion points for ransomware click bait and on how they must respond when these appear.

Back up all data off-site using tools that are entirely segmented from on-site data stores. This should prevent hackers who encrypt your on-site / production data through ransomware from encrypting your backups as well. Keep backups of golden images of all drives and settings secure in the same way so you will still have these to quickly reimage affected hardware and systems.

Financial services must encrypt all PII, financial information and access, and other precious data using very strong encryption. To address weaknesses in security for mobile banking such as open, unsecured Wi-Fi hotspots, untrustworthy or questionable apps, and malware, consider three-factor authentication including a one-time-use security code for every login, delivered by phone, text, or email. Use consumer education, including recommendations for phone-based security software and training in recognizing social engineering. Develop secure mobile apps using secure coding practices and tools.



Written by David Geer

David Geer writes about security technologies for CSOonline.com and other publications. His website is www.davidgeer.com