IT Security

Attacks increasing against highly regulated sectors

by Mark Rowe

Highly regulated industries are under increasing threat from cybercrime, suggests AJ Thompson, CCO at the IT firm Northdoor plc.

Organisations in highly regulated sectors are facing daily pressures on all aspects of their businesses. However, the nature of those in financial services, insurance or healthcare means the data they hold is considered particularly valuable by cybercriminals. The threat therefore posed by cybercrime to highly regulated organisations is considerable and rising all of the time.

The level of sophistication of attacks is also increasing. Cybercriminals are finding new ways of gaining access to systems and data, sometimes doing so without the company even realising that they have been compromised. Alongside the sophistication of attacks, the frequency is also increasing.

The international law firm RPC has found that cyber breaches reported by UK financial services companies more than tripled, from 187 between July 2021 and June 2022 to 640 between July 2022 and June 2023, a huge increase that highlights the threat facing such regulated sectors. The UK pension scheme sector saw the biggest increase, with reports of breaches going up by 4000 percent.

Equally, US research has shown that cybercriminals are targeting another highly regulated industry, healthcare. The research found that 106 million US citizens were impacted by cyber-attacks undertaken against healthcare organisations in 2023, the equivalent of one in three Americans. This is double the number of individuals affected in 2022. It is not just in the US either. Ransomware attacks hit 81 per cent of UK healthcare providers in 2022, and with 38 per cent of providers paying the ransom, it becomes clear why cybercriminals are upping their efforts to target highly regulated sectors.

The challenges

Organisations within highly regulated sectors are by their very nature facing complex challenges which can disrupt their ability to effectively defend themselves from cyber-attacks.

They sit within regulatory landscapes that impact almost every aspect of their business, and ensuring adherence to them is an all-encompassing task. This is set against a background of stagnant or decreasing budgets, meaning decisions on where to allocate money are also becoming increasingly difficult. This is especially so for smaller organisations with fewer resources.

For organisations that also provide customer/patient-facing services, trying to align the regulatory and budgetary restraints whilst ensuring decisions do not impact front-line services is another major challenge. This continuous effort to balance and manage regulatory, budgetary and service pressures can mean that the most immediate demands take priority, rather than future threats. As a result, cybersecurity can often take a back seat in the priority list, which is a dangerous approach for those in highly regulated sectors to take.

Cyber should remain a priority

As we have seen, the threat from cybercriminals is growing all of the time, and the result of any breach can be disastrous from a financial, regulatory and reputational perspective. Therefore, all highly regulated organisations should be looking to ensure that systems are secure and that any vulnerabilities are closed.

With all that companies have to deal with, this may seem a huge and rather daunting task. Nonetheless, cybersecurity must remain a priority for highly regulated companies, and although regulations can play an important role in this, they cannot be seen as a complete solution.

Too often, adherence to regulation is treated as a tick-box exercise and easily forgotten once compliance has been achieved, especially when so many other challenges are having to be dealt with. The nature of the continuously evolving threat from cybercriminals means that this is not an effective way of defending systems. Adherence to regulation should be seen as a starting point rather than the endpoint, and has to be approached with a proactive mindset.

Regulatory authorities starting to help

To try and encourage highly regulated companies to ensure that cybersecurity is an ongoing and integral part of the business, regulatory bodies have started to introduce various steps. The US Department of Health and Human Services (HHS) has added cybersecurity goals that are designed to help healthcare organisations prioritise the implementation of high-impact cybersecurity practices. Split between Essential and Enhanced goals, the HHS is providing healthcare organisations in the US with a plan to ensure cybersecurity remains a priority and is implemented throughout organisations.

Equally, in the financial services sector in Europe, the DORA regulation has been introduced to ensure that companies in that sector are robust in the face of a cyberattack or other IT incident. DORA will apply from January 2025 and looks like it will be robustly policed. This means that financial services companies will have to prove that they can continue with day-to-day business even if a cyber-attack occurs or they lose access to their IT systems for other reasons.

IT consultancies can help

With the threat from cybercriminals increasing, budgetary pressures on highly regulated organisations ramping up, and regulatory bodies implementing new steps to ensure IT systems are robust, it is understandable that for some, especially smaller companies with fewer resources, keeping cybercriminals out is a hugely daunting task.

Some are turning to consultancies that can help internal teams monitor and understand the nature of the new threats. They can close vulnerabilities in front-line defences but also, importantly, monitor potential vulnerabilities in the systems of supply chain partners, which can often offer cybercriminals an easy route in. The experts in IT consultancies are also well placed to ensure adherence to regulation whilst ensuring that cybersecurity is an ongoing and well-maintained part of the IT function.

The result of being breached is more serious than ever. Highly regulated industries are being actively targeted by cybercriminals, so cyber defences cannot be lost under a pile of other day-to-day pressures. Turning to IT consultancies can take some pressure off internal teams, whilst ensuring there is the best possible chance of keeping the cybercriminal out.

© 2024 Professional Security Magazine. All rights reserved.