Which industries have seen the most cyber attacks?

Difficult situations often bring out the best in people. Unfortunately, they can also bring out the worst in people. For example, COVID-19 and its effects created a fertile ground for scammers and ‘cyberattackers’. Here, Luke Watts, Managing Director of RoundWorks IT, delves into the industries that were most targeted, why, and what it means for the future.


The worst-hit industries

Unsurprisingly, the worst-hit industries of 2020 were the ones that tend to have valuable data. These were:

  • Construction
  • Education
  • Finance
  • Government Agencies
  • Healthcare
  • HR
  • IT and Telecoms
  • Legal
  • Manufacturing

Some of the industries on that list may seem obvious, for example, finance and healthcare. Others, perhaps, might be more surprising, for example, construction and manufacturing. The key point to note, however, is that all of these industries are known for storing confidential data. Bluntly, any data which should be kept secret probably has a commercial value.


Size does and doesn’t matter

Modern cybercriminals are increasingly commercially orientated. They will most certainly attack “hard targets” if the potential reward justifies it. The fact that a whole host of seriously big names have fallen victim to cyberattacks shows that, frankly, bigger does not necessarily mean better cybersecurity.

That said, SMEs are also prime targets for cybercriminals. They may not have the sort of data the big names hold, but they can be easier targets. This means that SMEs have to take cybersecurity every bit as seriously as the big names. Fortunately, it is possible to have excellent cybersecurity, even on a tight budget.


Understanding cyberthreats

The WannaCry attack of 2017 may go down in IT history as the last of the major “spray and pray” attacks. These days, cyberattacks tend to be about discreet infiltration leading to data theft. After the attackers have accessed the data, they may, however, use the threat of exposure as leverage.

In principle, cyberattacks can be launched in a whole variety of ways. In practice, when cybercriminals attack SMEs they tend to do so through known and/or obvious vulnerabilities. Quite bluntly, if they had the resources to launch more sophisticated attacks, they would almost certainly deploy them against more lucrative targets.

This means that SMEs can head off a lot of cyberattacks just by implementing robust basic housekeeping. What this will mean in practice will depend on whether SMEs are using cloud services, local services or a combination of both. 

With cloud services, the vendor takes care of external security. The client only has to take care of security inside the cloud. With local services, the service owner is responsible for everything. In either case, however, there are plenty of IT security companies that can help to keep companies safe.


Is your business fully prepared?

The fact that companies, even SMEs, have really been upping their IT security game has led to cybercriminals adopting new tactics. They are now relying less on technical IT skills and more on social-engineering skills. In other words, modern cybercriminals are adopting the sort of tactics you’d associate with old-fashioned con artists.

You should do everything possible to implement robust policies and systems to protect against this. Part of this should involve training your staff on the threats they may face and what to do about them. It can even include achieving certain accreditations such as Cyber Essentials, which is a government scheme and has helped to prevent a large majority of cyber-attacks.

On the other hand, in the event of a cyber-attack, businesses do have the right to claim compensation for financial loss, privacy loss and, of course, emotional distress. The usual route when you’ve been the victim of a cyber-attack is to contact Action Fraud and provide as much information as possible about the attack.

There are, of course, further implications, such as an attack which impacts customers and their personal data, as this will result in claims from the people who use your services. Seeking legal advice on such events will provide you with the necessary steps to take in order to protect your business, its employees and customers.

You should make a data protection and security policy to outline how your business will process and store the personal data of its employees, and the security measures to be taken when doing so.

Keep in mind that, if personal data is at risk here, handling it with the utmost care is essential to avoid any ongoing issues that may involve the laws of GDPR.

Luke Watts