As technology advances and our world becomes increasingly connected, more industries are developing and growing their online presence. All businesses and organizations can benefit from the communication and outreach possibilities that the internet provides.
However, being online also entails risks, especially when it comes to cybercriminals.
To address the risk of cyberattacks, the nonprofit Center for Internet Security (CIS) provides free tools and resources to help organizations and individuals operate safely on the internet. Among the most widely used of these are the CIS Critical Security Controls, which apply to any organization that operates online. Certain controls, however, matter more to some industries than others because of the specific risks those industries face.
This guide will walk through what industries can benefit most from these controls, and how.
Which Industries Face the Most Risks?
As cybercrime continues to grow in sophistication, volume, and severity, some clear trends have emerged. Several industries face disproportionate risk because of the sensitivity of the data they hold and the systems that data connects to. Cybercriminals monetize that information directly through theft, ransom, and other illicit activities.
Today, the industries most commonly threatened by cyberattacks include:
- Healthcare
- Financial services
- Education
- Small businesses
Let’s take a look at what cybersecurity issues these industries face and why.
Healthcare institutions hold some of the most sensitive personal records there are, from health records to birth certificates, which makes them ideal targets for cybercriminals seeking valuable personal information. In addition, their substantial resources and critical importance to the public make them attractive targets for extortion.
- In 2019, cyberattacks cost the healthcare industry a combined $4 billion
- Over 90 percent of healthcare organizations have experienced a breach since 2016
- More than 300 million records have been stolen since 2015
- One in ten healthcare consumers has been affected by these attacks
Although the healthcare industry as a whole is booming, many individual hospitals and practices operate on tight security budgets. Outdated security tooling and unpatched, end-of-life software remain a rampant problem in this otherwise cutting-edge industry.
Banks, credit unions, and other financial institutions are among the most frequently targeted businesses for cybercrime. While attacking non-financial institutions can grant access to individuals’ bank accounts, hacking the banks themselves saves steps and makes the crime more efficient.
While many of the larger institutions have increased their efforts and investment into cyber defense, the threat of hacking remains.
One of the most insidious risks involves retirement accounts, which are designed to be low-maintenance and let consumers "set and forget" them for years. Attackers have exploited exactly that convenience: after taking over an account, they add a secondary bank account as a payout destination and drain funds from it gradually, counting on the owner not to check statements.
Educational organizations, especially institutions of higher education, hold large volumes of personal data on students, faculty, and alumni across sprawling, loosely segmented networks. Cybercriminals can leverage that information for follow-on attacks against individuals or for larger campaigns against the institution itself.
The most significant education data breach occurred in 2015, when attacks on various colleges and universities compromised the privacy of over 1.35 million individuals.
Some factors that make educational institutions especially exposed targets include:
- Universities’ systems are designed to prioritize accessibility
- Nonprofit and public institutions don't face the competitive pressure that makes leaks costly for commercial firms
- Private universities and colleges operate with comparatively little outside oversight
- All higher education institutions face funding and budget concerns
While universities and colleges are among the largest harbors of valuable data, this combination of factors makes the industry among the least equipped to handle attacks.
While the vast and varied population of small businesses is not an industry per se, it is a major sector of the US economy. It might seem intuitive that smaller businesses' relatively modest assets make them less attractive to attackers than larger companies, but this is far from the truth. According to Verizon's 2020 Data Breach Investigations Report, 28 percent of the breaches it analyzed involved small-business victims.
Small businesses typically have smaller budgets and process less data than large corporations, but their defenses are also weaker, and many have little to no security program in place at all.
For businesses big and small, CIS resources can help you get your defenses up and running.
How Can CIS Help?
CIS makes many tools available for free to organizations of all sizes. Among the most widely used are the CIS Benchmarks and the CIS Controls.
CIS publishes Benchmarks for a wide range of software and platforms, including but not limited to:
- Operating systems
- Mobile devices
- Web browsers
- Network solutions
Whereas the CIS Benchmarks are prescriptive configuration standards you can measure specific software against (for example, a hardened baseline for a particular operating system version), the Controls are a prioritized set of defensive practices that guide your overall approach to cyber defense.
CIS Controls Framework
The CIS Controls are a publication that, at the time of writing, is in version 7.1. It compiles cyber defense best practices drawn from experts across many industries.
The controls are derived from data on actual past attacks, so they prepare you for the techniques attackers are known to use rather than for hypothetical ones. They aim to maximize risk reduction per unit of effort by encouraging consistent metrics and continuous measurement, and they favor efficiency, recommending automation wherever possible.
These 20 controls are a prioritized, widely adopted way to protect your business from common forms of cybercrime, whatever industry you're in. Version 7.1 groups them into three categories:
Basic (Controls 1 through 6), the essential hygiene every organization should put in place first:
- Control 1: Inventory and Control of Hardware Assets
- Control 2: Inventory and Control of Software Assets
- Control 3: Continuous Vulnerability Management
- Control 4: Controlled Use of Administrative Privileges
- Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
- Control 6: Maintenance, Monitoring, and Analysis of Audit Logs
Foundational (Controls 7 through 16), technical best practices that build on the basics:
- Control 7: Email and Web Browser Protections
- Control 8: Malware Defenses
- Control 9: Limitation and Control of Network Ports, Protocols, and Services
- Control 10: Data Recovery Capabilities
- Control 11: Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
- Control 12: Boundary Defense
- Control 13: Data Protection
- Control 14: Controlled Access Based on the Need to Know
- Control 15: Wireless Access Control
- Control 16: Account Monitoring and Control
Organizational (Controls 17 through 20), process and people measures:
- Control 17: Implement a Security Awareness and Training Program
- Control 18: Application Software Security
- Control 19: Incident Response and Management
- Control 20: Penetration Tests and Red Team Exercises
Each control describes a general action or posture your organization should adopt. Each is then broken down into sub-controls: concrete, measurable actions you can take to reduce risk. For instance, Control 2, "Inventory and Control of Software Assets," includes sub-controls such as "Sub-Control 2.3: Utilize Software Inventory Tools," which calls for automated tooling to record which software is installed on each system, and neighboring sub-controls that require maintaining a list of authorized software and addressing anything installed that is not on it.
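The following script is an added example of what a minimal software-inventory check under Control 2 looks like in practice; it is not code from CIS, from the CIS Controls publication, or from RSI Security. It assumes a Debian-style package listing ("package", tab, "version" per line, as produced by `dpkg-query -W -f '${Package}\t${Version}\n'`) and an organization-maintained baseline of authorized packages. Both the host listing and the baseline below are constructed samples, and the version comparison is a deliberately simplified stand-in for dpkg's own algorithm.

```python
"""Software inventory check in the spirit of CIS Control 2 (v7.1).

Added example, not code from CIS or RSI Security. Inputs are constructed:
SAMPLE_INVENTORY imitates `dpkg-query -W -f '${Package}\t${Version}\n'`
output, AUTHORIZED imitates an organization's approved-software baseline.
"""
import hashlib
import re
from dataclasses import dataclass, field

# Constructed sample of what one host reported. In a real deployment an
# inventory agent would collect this from dpkg-query, rpm -qa, winget, etc.
SAMPLE_INVENTORY = """\
openssh-server\t1:8.2p1-4ubuntu0.5
nginx\t1.18.0-0ubuntu1.4
python3\t3.8.2-0ubuntu2
netcat-traditional\t1.10-41.1
openssl\t1.1.1f-1ubuntu2.16
"""

# Constructed baseline: package -> minimum approved version (None = any
# version is fine). Anything installed but absent from this map is
# unauthorized software that the control says must be addressed.
AUTHORIZED = {
    "openssh-server": "1:8.2p1-4ubuntu0.5",
    "nginx": "1.18.0-0ubuntu1.4",
    "python3": None,
    "openssl": "1.1.1f-1ubuntu2.17",  # baseline requires a newer build than the host has
}


def parse_inventory(text: str) -> dict:
    """Parse 'name<TAB>version' lines; reject malformed lines loudly rather
    than silently dropping a package from the inventory."""
    inventory = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != 2 or not parts[0] or not parts[1]:
            raise ValueError(f"malformed inventory line {lineno}: {line!r}")
        inventory[parts[0]] = parts[1]
    return inventory


def _version_key(version: str) -> list:
    # Simplified key: digit runs compare numerically, letter runs lexically.
    # This is an assumption for the example, not dpkg's full comparison
    # (which has special rules for '~', epochs and revision separators).
    return [(0, int(tok)) if tok.isdigit() else (1, tok)
            for tok in re.findall(r"\d+|[A-Za-z]+", version)]


def version_cmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b."""
    ka, kb = _version_key(a), _version_key(b)
    return (ka > kb) - (ka < kb)


@dataclass
class Report:
    unauthorized: list = field(default_factory=list)    # installed, not in baseline
    below_baseline: list = field(default_factory=list)  # (pkg, installed, required)

    def is_clean(self) -> bool:
        return not self.unauthorized and not self.below_baseline


def check_inventory(inventory: dict, authorized: dict) -> Report:
    """Compare a host's inventory against the authorized-software baseline."""
    report = Report()
    for pkg, installed in sorted(inventory.items()):
        if pkg not in authorized:
            report.unauthorized.append(pkg)
            continue
        required = authorized[pkg]
        if required is not None and version_cmp(installed, required) < 0:
            report.below_baseline.append((pkg, installed, required))
    return report


def inventory_fingerprint(inventory: dict) -> str:
    """SHA-256 over the sorted inventory, so two scans can be compared for
    drift with a single string instead of a full diff."""
    h = hashlib.sha256()
    for pkg, ver in sorted(inventory.items()):
        h.update(f"{pkg}\t{ver}\n".encode())
    return h.hexdigest()


if __name__ == "__main__":
    inv = parse_inventory(SAMPLE_INVENTORY)
    rep = check_inventory(inv, AUTHORIZED)
    print("fingerprint:", inventory_fingerprint(inv))
    for pkg in rep.unauthorized:
        print(f"UNAUTHORIZED  {pkg}")
    for pkg, have, want in rep.below_baseline:
        print(f"BELOW BASELINE {pkg}: installed {have}, baseline {want}")
    print("clean" if rep.is_clean() else "findings present")
```

Run against the constructed sample, the check flags `netcat-traditional` as unauthorized and `openssl` as below the baseline version. The fingerprint is what you would store per host after each scan: a changed fingerprint with no change ticket behind it is the signal that unreviewed software appeared, which is the situation Control 2 exists to catch.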
Figuring out which of these sub-controls you’re capable of implementing is the key to keeping your business safe. But assessing your needs and acting upon them can be difficult for any business, regardless of industry or size.
That’s where professional IT help comes in.
Professionalize Your Cybersecurity
Whatever industry you're in, you need to take cybersecurity seriously. The CIS Controls benefit all businesses, big and small, and are especially relevant to the healthcare, finance, and education sectors discussed above. If your business handles personal data of any kind, you're a potential target for cybercrime.
Your best bet for protection is professional help you can trust.
Here at RSI Security we can help ensure that you’re getting the most out of all your investment in cybersecurity. From adoption of the CIS controls to HIPAA and other legal compliance, we’ve got you covered. For world-renowned professional cybersecurity contact RSI Security today!