Craig McDonald 10 August 2018 14:25:58 AEST 8 MIN READ

Medical sector facing a new kind of plague

I had a group of friends over for dinner a couple of weeks ago, one of whom is a doctor. She arrived late and apologised, saying that she’d been stuck late at work because the clinic computer system was hacked and her appointment schedule was all messed up.

My doctor friend is a busy person with many other matters on her mind, and it didn’t seem to register with her what a serious issue that hack might turn out to be. But for a cybersecurity guy like me, it was an unsettling revelation.

Our medical professionals have a lot of responsibility weighing on them. For doctors on the front line that can mean making life and death decisions, but the people tasked with administering the medical industry bear a different kind of burden: keeping their patients’ data secure.

The medical industry collects and stores massive amounts of sensitive and valuable information about us, from our personal contact details through to insurance and credit card details. That data makes an irresistible target for cybercriminals, and recent revelations have shown that the security perimeter protecting that data is still vulnerable.


Medical data is the #1 target


Adding to the mounting pressure on the Australian medical industry is the new OAIC (Office of the Australian Information Commissioner) report which finds that the medical industry reported the highest number of data breach incidents in Q4 2018.

The OAIC is the Australian Government agency tasked with managing the NDB (Notifiable Data Breach Scheme), under which companies must report any incident that could potentially expose people’s personal data, including hacking and cybercrime incidents.

The July NDB report shows that of all reported data breach incidents during the April to June period, “the largest source of reported data breaches was the private health service provider sector…”


(Excerpt from OAIC’s Notifiable Data Breaches Quarterly Statistics Report 1 April – 30 June 2018)


Cybercrime is the biggest data threat


According to the Government’s figures, “malicious or criminal attack” incidents accounted for more than half of all reported breaches, at 59%.



(Excerpt from OAIC’s Notifiable Data Breaches Quarterly Statistics Report 1 April – 30 June 2018)

“Malicious or criminal attacks exploit known vulnerabilities for financial or other gain. Attacks included cyber incidents such as phishing (29%), malware, ransomware, brute-force attack, compromised or stolen credentials and hacking by other means,” the NDB report states.

The large proportion of reported data breaches caused by phishing attacks corresponds with the broader trend we’re seeing in the cybersecurity sphere. There’s a general lack of awareness in the business community about the scale of email-based crime like phishing.


A key finding of the 2018 AusCERT report was that email-based fraud like phishing was the biggest online security threat category. AusCERT found that organised crime is responsible for around 50% of cybersecurity incidents experienced by Australian companies.

“Australian Businesses are targets and are generally underprepared,” AusCERT concluded. “Phishing and email attacks are still the most prevalent form of cyber security incidents affecting respondents... Phishing emails are the most widely used infection vector employed by 71% of all threat actor groups.”


Learn about phishing & protect your business


Human beings are really vulnerable to trickery based on emotional responses and social cues. We aren’t machines. We haven’t got the time to verify the authenticity of every email that lands in our inboxes and criminals take advantage of that, as evidenced by the figures from the OAIC and AusCERT.

Hacking into a company’s data using email techniques like phishing is as simple as sending a cleverly worded fake message to some people who work there. If a cybercriminal can trick just one person into clicking on a malicious link, they can use that person as an access point to the company’s most sensitive data.

Phishing is a growing crime category because cybercriminals understand it’s easier to deceive a person than hack a machine. People are still the gatekeepers of valuable data like bank accounts and credit card details; they’re all protected by passwords, but passwords can be obtained with trickery because they are stored in human brains.

I recently wrote an article describing some of the most common types of phishing attacks and how to spot them. Read it here.

Industry sectors like medical and financial services are being disproportionately targeted, and that reveals a lack of preparedness amongst leaders in those fields.

It’s absolutely vital that business leaders, as well as IT people, start to tackle the threat of cybercrime. Simple attack types like phishing can lead to massive data incidents capable of bankrupting a business.


Cybersecurity for business explained


If you would like to learn more about the complex cybersecurity challenges facing business today, please download the e-book Surviving the Rise of Cybercrime by MailGuard CEO Craig McDonald. This plain English handbook explains the most common threats and provides essential guidance on managing risk.


“Cybercrime is a serious and growing business risk. Building an effective cybersecurity culture within an organisation requires directors and executives to lead by example. Surviving the Rise of Cybercrime is a must-read for directors and executives across business and in government and provides strong foundations for leaders determined to address cyber risk.” - Rob Sloan, Cybersecurity Research Director, Wall Street Journal.

Download your copy of Surviving the Rise of Cybercrime for free, here.


Hi, I’m Craig McDonald.

Follow me on social media to keep up with the latest developments in business cybersecurity; I'm active on LinkedIn and Twitter.

I’d really value your input and comments so please join the conversation.