The Six Industries With The Highest External Data Privacy Risk


The title of this paper is kind of a misnomer. The fact is that every industry is at significant risk of being targeted by hackers and threat actors. Threat actors may choose which organizations to attack for different reasons and with different objectives in mind. Popular motivations include financial gain, industrial espionage, political partisanship, religious zealotry, competitive advantage, malicious mischief, or simple nihilism.

According to Statista, “a 2023 survey among Chief Information Security Officers (CISO) worldwide showed that seven in ten organizations worldwide were at risk of a material cyberattack in the following 12 months. This figure has increased by 20 percent compared to the prior year.”  Ransomware as an attack vector has also been growing in frequency as a preferred method by threat actors.

The 2023 Global Report on Ransomware Trends [2] from cyber security software provider Veeam polled 1,200 victim organizations suffering nearly 3000 unique cyberattacks. The report found that 85% of organizations polled had suffered at least one cyberattack in the preceding twelve months, an increase from 76% reporting having experienced a ransomware attack in the prior year.

Really, any organization that holds any kind of data within protected information systems is a target and at risk of data breach. 

Yet the trends and statistics reveal a definite preference among hackers and threat actors – regardless of the underlying motivation – for certain industries when it comes to target selection. This document reveals the six most susceptible industries based on data collected across 2023 and explores why these fields are so attractive to criminals. In so doing, a pattern emerges highlighting the commonality across all industries and woven through all data breaches and other cyberattacks. Once revealed and thoroughly understood, it becomes apparent what all organizations must do to protect against becoming the next victim in a daily cavalcade of breaches and attacks.

The Six Industries Most at Risk for Data Breach

Every year, information security leaders look to the Verizon Data Breach Investigations Report [1] or “DBIR” for insight into the state of data breach activity in the global business community. DBIR has become the leading word on cybercrime activity, providing the CISO community with insights needed to field the best defenses possible against data breaches and infosec challenges of all varieties. The following data, culled from DBIR, illustrates the industries at the top of the list for data breaches in 2023.

Industry #1 – Manufacturing by the 2023 DBIR Numbers

Frequency: 1,817 incidents – 262 with confirmed data exposure

Top Attack Vectors: System Intrusion, Social Engineering and Basic Web App attacks comprise 83% of breaches

Threat Actors:  90% external, 11% internal, 1% partner

Actor Motives: 96% financial, 4% espionage

Data Compromised: 60% PII, 38% credentials, 37% other

DBIR analysis concludes that in 2023, hacking and malware were nearly tied for first place in terms of attack vectors.  Among all motives and top three attack patterns, financially motivated attackers continue to be the most common.

What Makes Manufacturing a Juicy Target for Data Breach?

The manufacturing industry offers a great number of unique aspects threat actors can successfully exploit.  Perhaps more than any other type of industry, manufacturing relies on complex, vertically integrated supply chains.  Building automobiles, electronics, large appliances and so many other products involves the sourcing of hundreds or even thousands of individual components from as many discrete suppliers.  Then, manufacturers bring those materials into production facilities in a highly coordinated fashion to successfully build and deliver their products. 

This highly choreographed supply chain planning and management activity is commonly accomplished using integrated automation software tools.  This requires disparate information systems integrations between a stack of applications such as enterprise resource planning tools, purchasing software, supply chain management & logistics planning/execution platforms on the inbound side of logistics.  Then, post-production, the applications involve order management and fulfillment tools.  With a thousand independent vendors accessing any single manufacturers’ information systems to fulfill, ship, track and bill orders, the exposure to third-party vendor hacks is unbelievably high.

In addition, enterprise manufacturers have been aggressively adopting integrated automation of their production capabilities leveraging the Internet of Things (IoT) and other AI-powered tech tools.  Deploying IoT technology to achieve what manufacturers refer to as “Industry 4.0” automation goals, they expose a whole new attack surface.  This provides ample opportunity for hackers to exploit the integrations between IoT automation systems.

Lastly, manufacturers in general spend huge sums on research, engineering, development, product testing and safety measures to bring their complex products to market.  This means they harbor extremely costly intellectual property which is a tantalizing target for theft by unscrupulous foreign competitors who would rather sidestep the immense cost and efforts associated with developing their own IP.

Hackers love Manufacturing because there are so many possible means for gaining financial reward, whether by injecting disruptive malware into the software supply chain, phishing third-party vendors with weaker data security to gain access to priceless industrial secrets, or grinding production to a halt using ransomware to extort huge sums in exchange for allowing a desperate, idled manufacturing facility to resume normal operations.

Overall, manufacturers have probably the most expansive social engineering attack surface of any industry today.  Read more about the social engineering attack surface here. 

Industry #2 – Healthcare by the 2023 DBIR Numbers

Frequency: 525 incidents – 436 with confirmed data exposure

Top Attack Vectors: System Intrusion, Basic Web App attacks comprise 68% of breaches

Threat Actors:  66% external, 35% internal

Actor Motives: 98% financial, 2% espionage, 1% ideological, 1% malicious mischief

Data Compromised: 67% PII, 54% medical, 36% credentials, 17% other

DBIR analysis concludes that in 2023, ransomware actors continue targeting this sector, and are increasingly causing confirmed data breaches in the process. Errors (particularly mis-delivery) are consistently prevalent as well. The insider threat in this industry is higher than others.

What Makes the Healthcare Industry Irresistible to Threat Actors?

The healthcare sector has become exceedingly attractive as a target for cybercrime for several reasons. Not least of these is the projected growth of the industry, expected to reach $35 billion by 2028 (according to Marketsandmarkets Healthcare Cyber security Market research published in 2023). This factor alone makes healthcare a target for ransomware and other attacks relying on unsecured external data to circumvent the significant cyber security processes used by the industry.

The proliferation of interconnected medical devices and Electronic Health Records (EHRs) has even further heightened the severity of cyber threats within healthcare.  The interconnected infrastructure of healthcare systems, coupled with the high value of medical records in illicit markets, is probably the biggest factor driving attacks on the industry.  Patient medical data is perfect fodder for the generation of highly targeted and super-convincing phishing and other social engineering scams.  For this reason, this particular type of data is prized by hackers and sells at a premium on the Dark web. 

As is the case with most of the top target industries, healthcare – particularly as it involves EHRs as well as insurance billing and coding in the US – relies on a vast network of third-party service providers.  This additional layer of vulnerability underscores the pressing requirement not just for strong external data privacy protection within the healthcare providers’ operations, but also extending to cover their network of third-party vendor/partners.

Industry #3 – Retail & eCommerce by the 2023 DBIR Numbers

Frequency: 406 incidents – 193 with confirmed data exposure

Top Attack Vectors: System Intrusion, Social Engineering and Basic Web App attacks comprise 88% of breaches

Threat Actors:  94% external, 7% internal, 2% partner

Actor Motives: 100% financial, 1% espionage

Data Compromised: 37% payment, 35% credentials, 23% PII

DBIR analysis concludes that in 2023, “While the same three patterns dominate this industry as many others, Retail has the added bonus of being targeted for its Payment card data in addition to common threats like ransomware and Basic Web Application Attacks.”

What Makes Retail & eCommerce Attractive to Hackers?

Vast amounts of customer data – especially credit card information and all the detailed information needed to make fraudulent purchases using stolen credit cards – are like catnip to hackers. Some steal such information for their own use, but many more know demand for this stolen information is high on the dark web and that it can be sold for great profit. Considering this, it comes as no surprise that payment card data was one of the most common data types breached, accounting for 37% of breaches in 2023.

While DBIR data suggests that payment card data theft has been trending downward as a favored target since 2018, 2023 saw a resurgence in activity in this area. Experts suggest ransomware has revitalized interest in hacking Retailers, and payment card data continues to be among the highest value targets for hackers.

Industry #4 – Professional and Technical Services by the 2023 DBIR Numbers

Frequency: 1,398 incidents – 423 with confirmed data exposure

Top Attack Vectors: System Intrusion, Basic Web App and Social Engineering attacks comprise 90% of breaches

Threat Actors:  92% external, 9% internal, 2% partner

Actor Motives: 96% financial, 4% espionage

Data Compromised: 57% PII, 53% credentials, 25% other

DBIR analysis concludes that in 2023, ransomware incidents have experienced a significant year-over-year increase.  “These breaches occur” according to DBIR via “Web applications (55%), Email (25%) and Desktop sharing software (17%). Considering the frequent usage of stolen credentials and email, it might be a good time to remind folks to implement strong authentication practices and…” to keep in mind the importance of staying diligent as regards the securing of external data used to perpetrate so many of these breaches.

Why do Threat Actors Target the Professional and Technical Services Industry?

Professional, business, technical and consumer services include a wide range of service types, including law firms, marketing agencies, consulting services, and others. These types of business organizations routinely work with sensitive data which makes them a prime target for cyber criminals.

Quite often, the people utilizing these services tend to be those in executive and other leadership roles. That means these particular targets more frequently possess credentials likely to unlock high levels of permissions within the breached information systems.  This is one reason threat actors are more attracted to this industry than others. 

Another attraction for cyber criminals is the higher likelihood of valuable intellectual property being revealed through the process of professional, and especially technical, services consulting. This squares with the data suggesting ransomware attacks are on the rise against these targets. Any consulting firm would likely rather pay the ransom than have either their proprietary methodologies or, worse, their clients’ business challenges or trade secrets exposed to public scrutiny.

Industry #5 – Energy & Utilities Sector by the 2023 DBIR Numbers

Frequency: 143 incidents – 47 with confirmed data exposure

Top Attack Vectors: System Intrusion, Basic Web App and Miscellaneous Errors comprise 81% of breaches

Threat Actors:  80% external, 20% internal

Actor Motives: 63% financial, 32% espionage, 21% grudge, 15% ideology, 7% malicious mischief

Data Compromised: 50% PII, 24% credentials, 26% other

The number one pattern in 2023 according to DBIR was System Intrusion. DBIR notes, in a section detailing the patterns that emerged from this year’s data, that “System Intrusion” is made up of more complex, multistep attacks as opposed to the “get in, grab the loot and scram” type of attacks. Since most ransomware attacks fall into System Intrusion, and approximately one out of three breaches (32%) in this industry were ransomware attacks, the expansion of this particular kind of breach is serious cause for concern.

Why are Threats Against the Energy & Utilities Industry Escalating?

Energy & Utilities literally power the entirety of all commerce in the US and globally.  No industry of any kind is able to operate if there is an interruption in electricity or disruption in the delivery of petrol fuels.  National security is even highly reliant on the ability of Energy and Utilities to operate without interruption (though governments and militaries often maintain their own energy reserves and production capabilities). 

Hostile foreign governments as well as terrorist organizations are well aware of the strategic importance of energy and utility infrastructure.  Taking power systems off line can deal a crippling blow to defense systems and can grind economic activity to a halt as well.  For this reason, threat actors abroad are routinely probing the perimeters of the US power grid and seeking means by which they could disrupt regular operations of US industry and defensive systems.  Terror organizations understand the destabilizing effect sustained deprivation of energy could have on American society.

Not all threats to Utilities originate from the outside either.  An alarming trend has emerged of attacks on US energy infrastructure attributed to extremist right-wing saboteurs.  Time magazine reports attacks upon US power facilities reached a decade-long high in 2022 with more than 100 reported incidents occurring in the first eight months of that year.  This includes publicly reported attacks or potential attacks on substations and power plants in Florida, North Carolina, Oregon, South Carolina, and Washington. 

Other attacks were not ideologically motivated, like the Washington State example in which two men attempted to knock out power locally so they could commit a bank robbery.

As cyber criminals target critical infrastructure, the insufficiency of comprehensive cyber security frameworks – in particular, the absence of strategy and process to address unsecured external data privacy – reveals an inability to safeguard against ransomware, data breaches, and state-sponsored attacks.

Industry #6 – Financial & Insurance Industry by the 2023 DBIR Numbers

Frequency: 1,832 incidents – 480 with confirmed data exposure

Top Attack Vectors: System Intrusion, Basic Web App and Miscellaneous Errors comprise 77% of breaches

Threat Actors:  66% external, 34% internal

Actor Motives: 97% financial, 3% espionage, 1% ideology

Data Compromised: 74% PII, 38% credentials, 30% other

DBIR notes that while brute force password cracking is still a popular method for achieving system intrusion, the threat of credential stuffing (using passwords attained from prior data breaches) is a popular strategy.  This underscores the pernicious nature of allowing external data to remain unprotected.  Interestingly, the 2023 DBIR shows ransomware attacks against the financial and insurance sector decreasing as a favorite tactic.  However, ransomware is still a viable threat among others.

What Makes Financial & Insurance Organizations Attractive to Hackers?

At the turn of the Twentieth Century, Willie Sutton was a bank robber on the FBI’s Top 10 Most Wanted list.  After being apprehended multiple times Sutton was asked why he continued to rob banks.  His answer was simply, “Because that’s where the money is.”  We need not overthink what motives lie behind hackers and threat actors targeting financial institutions.  After all, that’s where the money is and the 97% financial motive data point drives this home.

Yet, the financial sector remains a perennial target for cyberattacks and is projected to remain so as AI in banking and real-time payment methods offer new vectors for unauthorized intrusion.  Digitization in all industries makes the threats more acute.  However, finance and insurance are among the most rigorous adopters of digitization technology and so, coupled with being literally, “where the money is” makes for a potent attraction.

Insurance industries by design retain great volumes of highly detailed PII within their databases. Dealing with automobiles, homes, healthcare, business operations, life/actuarial and many other kinds of data-rich information, insurers’ databases are a trove of saleable product for hackers. They’re also full of great information to be used in crafting convincing, contextual social engineering campaigns.

What Patterns and Commonalities Emerge?

One need only review the “top attack vectors” in each segment above to notice one glaring and critically important pattern. The six industries most at-risk for cyberattack due to unsecured external data and other data privacy hygiene deficiencies all sustained unauthorized data systems intrusions, and almost all involved social engineering. Unlike brute force attacks on passwords and encryption and other historically popular attacks, those occurring over the last several years have grown tightly focused on finding low effort methods of perpetrating systems intrusion. Leveraging unsecured external data of an organization’s executives, rank-and-file workforce and even its third-party vendors to power an array of clever social engineering schemes has become the default strategy for hackers. This is because zettabytes of unsecured external data on nearly every global inhabitant are easily obtainable on the internet. It is also because few organizations have any significant defensive capability when it comes to mitigating unsecured external employee data, despite the billions spent annually on cyber security.

For threat actors today, it is much easier to sidestep the hardened cyber security comprising the contemporary information systems defense. Instead, they can do a little up-front work to gather the information they need to design and deploy highly specific and targeted social engineering attacks which, as the data show, are growing exceedingly common and effective. The graphic below was originally published in a Privacy Bee article titled “The Anatomy of Spear Phishing Attacks”. The same process is also applied routinely to other forms of social engineering hacks like Vishing, Smishing, Email Compromise and many others.

As becomes clear, by the time today’s hackers and threat actors are at the “intrusion attempt” step in the process, they already have in their possession the external data they need to succeed. At this point, legacy cyber security practices are not equipped to stop them. The time to intercede and disrupt this process is before hackers’ step one. Organizations that focus on reducing and removing the preponderance of their workforce’s unsecured and exposed personal data are virtually invisible to hackers when they set out to perform reconnaissance on would-be targets.

Another critical commonality apparent in the profiles above can be found in the data surrounding threat actor types.  Every one of these six industries had a significant internal threat component and five out of six experienced threats originating from third party partners/vendors. If it’s true that most organizations are not actively working to mitigate or manage their unsecured external data, even fewer are taking steps to ensure mitigation of their third-party partners.

As Privacy Bee published in a 2023 white paper titled, The Shortcomings of Third-Party Risk Management and How to Get it Right for Your Organization, “In 2023, according to leading security awareness solutions provider KnowBe4, a staggering 91% of all cyberattacks begin with a spear-phishing email.  Just like the ones directed toward all five of the examples from 2019-2021 recounted above.  Preeminent privacy, data protection and information security policy research center, the Ponemon Institute reports that 53% of companies have experienced a third-party data breach in the past year.  Further reinforcing the notion that CIOs and CISOs are still very much aware of the broad vulnerability of their organizations to this type of third-party attack, Ponemon also reports that 67% of organizations believe they’re vulnerable to insider threats.” 

The six industries highlighted in this paper represent some of the largest, most lucrative industries in the global economy.  It is disquieting to realize the extent to which these behemoth sectors are unaware of the threat of unsecured external data and external data privacy management.  However, as the rate of attacks leveraging unsecured external data has skyrocketed in the last several years, it is fair to say these industries are now awakening to the threat.  As they do, they initiate searches for tools, processes and practices necessary to address this emerging threat. 

Those electing to engage Privacy Bee for Business find the solution to be the most advanced and robust such data privacy management and protection product available.  Reach out today to learn why Privacy Bee for Business is an absolute necessity for your organization – especially if you’re in one of the six industries with the highest data privacy risk.


[1] (Read the full 2023 Verizon Data Breach Investigations Report)

[2] https://go.veeam.com/wp-ransomware-trends-report-2023

Exploring data privacy is crucial! Aristotle once said, knowledge equals power-let's use it wisely. Insightful read! 🌟 #DataPrivacy #ManyMangoes
