Cybersecurity is a critical concern for organizations worldwide. In 2022, we saw an unprecedented increase in the number and severity of cyber attacks. With more people working remotely, organizations have become more vulnerable to attacks. Cybercriminals continue to target businesses across all industries, using various tactics to breach networks and access personal data.

This article will delve into the most significant cybersecurity statistics of 2022, including the key numbers, data breaches with the most substantial impact, vulnerable industries, types of attacks, prevention actions, and the cost of cybercrime. Understanding these statistics is mandatory for businesses to develop effective security strategies and protect their data from malicious actors.

Key numbers of 2022 

1. A staggering 82% of all breaches involved the “human element” using stolen credentials, phishing, human error, and misuse. (Verizon)

2. Data compromises, such as data breaches, exposure, and leakage, impacted over 422 million people. (ITRC)

3. Supply chain attacks accounted for 19% of all cyber security incidents. (IBM)

4. In Q4 of 2022, the number of cyberattacks worldwide reached an unparalleled level, with each organization experiencing an average of 1168 attacks per week. (Checkpoint)

5. Servers were involved in 84% of all cyber security incidents, with web application servers and mail servers accounting for 56% and 28% of these incidents, respectively. (Verizon)

6. Nearly half of all cyber security incidents (47%) pertained to personally identifiable information (PII), while another 46% involved authentication credentials. Payment card data was affected in only 7% of the incidents. (Verizon)

7. Cyberattacks surged in the USA, with a staggering 57% increase. Latin America experienced a 29% increase, while Europe and Singapore both saw a 26% increase. Meanwhile, the UK encountered a shocking 77% spike in cyberattacks. (Checkpoint)

8. 83% of organizations experienced more than one data breach. (IBM)

9. There was a 38% increase in global cyberattacks compared to the previous year. (Checkpoint)

10. Almost 1 billion emails were exposed, affecting one in five internet users. (AAG)

The top 10 most significant data breaches of 2022

We present the most impactful data breaches of the last year.

10. The Axie Infinity’s crypto theft

Axie Infinity is an online video game that uses Ethereum-based cryptocurrencies and NFTs. As the games services heavily rely on blockchain service Ronin, cyber criminals managed to infiltrate the system. They were able to take control of the network and send 173,600 ethers worth about $600 million and withdraw $25.5 million worth of coin. This has now become one of the largest thefts in the history of cryptocurrencies and online gaming.

9. Cash App data breach

In April, a disgruntled former employee of Cash App, a payment company, took it upon himself to breach the company’s system. The hacker managed to access sensitive reports, including the names, portfolio values, and brokerage account numbers of more than 8 million clients, which they then stole.

8. Costa Rica’s government ransomware attack

The Costa Rican government suffered a major cyberattack when the Conti ransomware gang successfully breached their systems. The group gained access to highly valuable data, which they stole and then demanded a hefty ransom of $20 million.

This forced the Central American government to declare a state of emergency. Shockingly, weeks after the attack, 670 GB of data, representing 90% of the information that had been accessed, was posted to a leak site by the threat group.

7. Neopets data breach

Last July, a database with account details of 69 million Neopets game users was found for sale on an internet forum. The data included names, email addresses, zip codes, genders, and birth dates. An inquiry found that cyber attackers had infiltrated the Neopets IT systems and had unauthorized access to it for a prolonged period, from January 3, 2021, to July 19, 2022, spanning over 18 months.

6. Revolut data breach

In September 2022, a data breach occurred at fintech start-up Revolut, resulting in personal information of more than 50,000 users being accessed by a third-party. The breached data included names, addresses, and partial payment card information. However, Revolut assured that the card details were masked. The Lithuanian government commended Revolut for taking immediate action to eliminate the attacker’s access to the data once the breach was detected.

5. Shein data breach

In October, Shein and Romwe’s parent company Zoetop Business was fined $1.9 million by the state of New York for not disclosing a data breach that impacted 39 million customers. The breach occurred in July 2018 when a malicious third party accessed Shein’s payment systems. Shein was informed by their payment processor that their system had been infiltrated and customer card data had been stolen. The discovery was made after the credit card net
work found Shein customers’ payment details for sale on the dark web.

4. Hacker allegedly hits both Uber & Rockstar

Between September 15-19, a hacker allegedly targeted both Uber and Rockstar. In the Uber breach, the hacker accessed the company’s internal servers using malware installed on a contractor’s device. They then posted a message to a company-wide Slack channel and reconfigured Uber’s OpenDNS to display a graphic image to employees on some internal sites.

In the same timeframe, the Rockstar Games’ developer suffered a network intrusion, leading an unauthorized third party to illegally access and download confidential information, including gameplay footage of the unreleased Grand Theft Auto 6 game. The hacker claimed they obtained the footage by hacking into a Slack channel used for communication about the game.

3. Medibank data leak

Australian healthcare and insurance provider Medibank detected “unusual activity” on its internal systems on October 13. By November 7, Medibank announced that a hacker had stolen the confidential data of 9.7 million past and present customers, including personally identifying information and medical procedure codes. Despite the hacker’s demands for ransom, Medibank refused to pay.

On November 9, the hacker released files containing customer data labeled “good-list” and “naughty-list,” with the latter reportedly including sensitive information on those who sought medical treatment for HIV, drug addiction or alcohol abuse, and mental health issues like eating disorders. The hacker posted a file labeled “abortions” containing information on claimed procedures to a site backed by the Russian ransomware group REvil on November 10.

2. BidenCash data breach

On October 12, carding marketplace BidenCash made public the details of 1.2 million credit cards expiring between 2023 and 2026. The leaked information, which included other necessary details for making online transactions, was posted on the dark web site for free.

BidenCash had leaked the details of a few thousand credit cards in June, likely as a promotional stunt, and as the site had launched new URLs in September due to a series of DDoS attacks, some experts speculated that this new release could be another attempt at advertising.

1. Twitter data breach

Twitter faced accusations of attempting to cover up a major data breach that compromised the personal information of millions of users. In July, a hacker who went by the name ‘devil’ claimed to have the data of 5.4 million Twitter accounts for sale on BreachForums, including email addresses and phone numbers belonging to celebrities, companies, and regular users.

The stolen data also included information from “OGs,” which are highly desirable Twitter handles consisting of one or two letters or a word with no misspelling, numbers, or punctuation. The hacker demanded a minimum of $30,000 for the database. The data breach, resulting from a vulnerability in Twitter’s system that was discovered in January, caused significant concern among the public and further highlighted the ongoing need for strong cybersecurity measures.

Most targeted industries in 2022

As we embark on a new year, the cyber threat landscape is continuously evolving, making it more challenging for organizations to keep up with the pace of these attacks. From ransomware to phishing scams, no industry is immune to cyber threats.

This list highlights the top 10 most targeted industries in 2022, based on the IBM X-Force 2022 Threat Intelligence Index report. And hopefully, a better understanding of the threat landscape in different industries can help organizations adopt robust cybersecurity strategies to safeguard their systems, data, and customers against cybercriminals.

Media & telecommunications – 0.5%

Last year, media and telecommunications industries remained relatively unscathed, with a mere 0.5% of incidents reported. However, it is worth noting that external remote services such as VPNs and valid domain accounts were often exploited to gain unauthorized access, resulting in ransomware attacks.

The consequences of these attacks were severe, ranging from data theft, leaks, and destruction to extortion, and involved the deployment of data exfiltration tools and ransomware. Despite their low incidence rate, the potential impact of cyber threats on media and telecom companies cannot be underestimated.

Transportation – 3.9%

Transportation dropped from seventh to ninth place in the 2022 X-Force report, but the industry remained a frequent target, accounting for 3.9% of incidents. Phishing was the primary method of initial access, with links, attachments, and spear phishing equally represented. Valid local accounts were also exploited in 33% of cases, while valid cloud accounts were used in 17%.

The top objectives were server access and deployment of remote access tools, followed by spam campaigns, ransomware, backdoors, and defacement. Data theft was the most common outcome, occurring in half of all cases, with extortion and brand reputation damage also common. European transportation entities were the hardest hit, accounting for 62% of cases, with Asia-Pacific in second place at just over 37%.

Government – 4.8%

Government entities were one of the prime targets of cyberattacks in 2022, with backdoors and DDoS attacks accounting for 25% of cases each. Public sector networks contain a wealth of sensitive information, making them a popular objective for cyber espionage campaigns aimed at stealing PII and other data. Malicious Office documents were found in 17% of cases, while the remaining 83% involved cryptominers, credential acquisition tools, ransomware, and web shells.

X-Force attributed incidents in this sector to cybercriminals, insider threats, hacktivists, and state-sponsored groups conducting espionage, each accounting for an equal share. Infection vectors were primarily public-facing applications and spear phishing attachments, with valid default accounts exploited in 20% of cases. Asia-Pacific governments were hit the hardest, with 50% of cases, followed by Europe at 30% and North America at 20%.

Healthcare – 5.8%

Still being the top object of international cyberattacks, the healthcare industry experienced a decline from sixth place in 2021. X-Force responded to approximately 5%-6% of healthcare cases in the last three years. Backdoor attacks and web shells were prevalent, accounting for 27% and 18% of cases, respectively.

Adware, BEC, cryptominers, loaders, reconnaissance and scanning tools, and remote access tools made up 9% of cases each. Most of the observed impacts were from reconnaissance at 50%, while data theft and digital currency mining each accounted for 25% of cases. European-based healthcare entities were targeted the most, comprising 58% of incidents, with the remaining 42% in North America.

Education – 7.3%

Backdoor attacks in the education sector comprised 20% of incidents
X-Force responded to. Ransomware, adware, and spam each accounted for 13% of incidents. Exploitation of public-facing applications was the most common initial access vector at 42%, followed by spear phishing attachments at 25%. Asia-Pacific was the region with the highest number of cases at 67%, followed by North America at 27%, and Latin America at 6%.

Retail and wholesale – 8.7%

The retail and wholesale industry maintained its position as the fifth-most targeted industry, as per the X-Force report for 2022. Spear phishing emails with malicious links were the most common initial access vector at 33%. Ransomware, backdoors and BEC were the most common attack types, each accounting for 19% of incidents.

Victims experienced extortion in half of the cases, while credential harvesting and financial loss were observed in 25% of cases each. North America and Latin America had the highest number of cases at 39% each, while Europe accounted for 22% of incidents.

Energy – 10.7%

The energy sector, encompassing electric utilities and oil and gas companies, was the fourth-most targeted industry with 10.7% of attacks. Attackers commonly gained initial access through the exploitation of public-facing applications (40%), spear phishing links (20%), or external remote services (20%). Botnets were the top method of attack in 19% of cases, followed by ransomware and BEC at 15% each.

North American organizations were the most targeted at 46%. Incidents involved data theft and extortion in 23% of cases, while credential harvesting and botnet infections were observed in 15% of cases each. The energy sector faces pressure from various global factors, particularly those exacerbated by Russia’s aggression in Ukraine and its impact on the already unstable global energy trade.

Professional, business & consumer services – 14.6%

The professional services industry, including consultancies and law firms, was the target of 52% of cyber attacks in this category. Business services, such as IT and advertising, accounted for 37% of attacks, while consumer services made up 11%.

Ransomware and backdoor attacks were the most frequent types of attacks, with public-facing applications and remote services being the top infection vectors. Extortion was the most common attack type.

Finance & insurance – 18.9%

Last year the finance and insurance organizations were the target of 18.9% of cyber attacks, earning it second place in this list. Despite a slight decrease in attacks over the past few years, finance and insurance organizations remain prime targets due to their advanced digital transformation and cloud adoption progress.

Backdoor attacks were the most common objective at 29%, followed by ransomware and maldocs at 11% each. Spear phishing attachments were the top infection vector, responsible for 53% of attacks. Europe experienced the highest volume of attacks at 33%, followed by Asia-Pacific at 31%. Latin America, North America, and the Middle East and Africa experienced approximately 15%, 10%, and 10% of incidents, respectively.

Manufacturing – 24.8%

The manufacturing industry was the most targeted in 2022, with backdoors being deployed in 28% of incidents and spear phishing and public-facing applications being the top infection vectors at 28% each. External remote services accounted for 14% of incidents, while spear phishing links and valid default accounts were tied for third place at 10%.

Extortion was the top impact on manufacturing organizations, followed by data theft and leaks. The Asia-Pacific region had the most incidents at approximately 61% of cases, while Europe and North America tied for second place at 14%. Latin America accounted for 8% of incidents, and the Middle East and Africa had 4%.

Most common cyber attacks in 2022

With the increasing use of technology in our daily lives, cybercriminals are finding new ways to exploit vulnerabilities in web applications, cloud services, Internet of Things (IoT) devices, and human behavior.

We present to you the top 10 list of cyber attacks with the hope that you can take steps to protect yourself and your data from potential cyber threats in the future.

10. SQL injection & Cross-site Scripting (XSS)

SQL injection and Cross-site Scripting (XSS) are common types of cyber attacks in 2022 that exploit vulnerabilities in web applications. SQL injection attacks can be used to insert malicious code into an SQL database, potentially giving attackers access to sensitive information or control over the entire system. Use parameterized queries to prevent SQL injection attacks and keep your software up-to-date.

XSS attacks use third-party online resources to insert malicious scripts into legitimate websites or applications to obtain user information. Attackers commonly use JavaScript, Microsoft VBScript, ActiveX, or Adobe Flash for XSS attacks. Web apps are often vulnerable to XSS attacks when they receive user input without validating or encoding it in their output.

9. Cloud jacking

Cloud jacking, also known as cloud hijacking, targets data stored in external cloud services such as Salesforce or Microsoft Azure. Hackers exploit poorly secured loopholes to steal data since modern enterprises increasingly use cloud-based services. Since most users do not store many files locally, cyber criminals find targeting the centers housing the data more worthwhile. Common methods include exploiting cloud provider management software vulnerabilities or cracking default security configurations.

8. Internet of Things (IoT) attacks

An IoT attack targets Internet of Things devices or networks, allowing hackers to take control of devices, steal data, or join a network of infected devices to execute DoS or DDoS attacks. The IoT encompasses a wide range of internet-connected devices, from smartphones to smart home appliances, making them vulnerable to cyberattacks.

Attackers can exploit IoT devices to launch attacks on other devices, causing significant damage that can be challenging to detect. There was a noticeable increase of IoT attacks last year.

7. Insider threats

Insider threats refer to the risks associated with an organization’s own staff. These threats can come from rogue employees with malicious intent or from employees who are simply negligent. In some cases, hackers can bribe insiders to help them gain access to sensitive information. However, the line between insider threat and whistleblower can sometimes be blurry.

Unlike social engineering, where attackers pretend to have legitimate access, insiders actually have legitimate access but use it for malicious purposes. Organizations must have policies and procedures to detect and prevent insider threats. It’s also reported that insider threats have risen 44% over the past two years.

6. Man-in-the-Middle attack

Man-in-the-middle attacks aim to steal sensitive information by intercepting and manipulating messages between two parties who believe they are communicating directly and securely. While most communication channels use some encryption to make such snooping attempts more difficult, expired SSL certificates on various websites and the use of freemium VPNs, proxies, or public wifi can create open gaps that attackers can exploit.

Attackers can read, modify, or even delete data during such attacks,
which can be challenging to detect. To protect against man-in-the-middle attacks, it is essential to use encryption whenever possible, be mindful of which websites and emails you access, and avoid using public networks. Estimates show that 35% of exploits involve man-in-the-middle attacks.

5. Dictionary, brute-force & password spray attacks

Cyber attackers use various methods to break into password-protected systems, including dictionary attacks, brute-force attacks, and password spray attacks. A dictionary attack involves systematically entering every word in a dictionary as a password or key to decrypt an encrypted message. On the other hand, a brute-force attack involves automated trial and error by spraying all possible character combinations and lengths into a password field until a match is found. More than 80 percent of breaches involve brute-force or the use of lost or stolen credentials.

Meanwhile, password spray attacks, involve hackers trying many common passwords against many different accounts using automated software. To protect yourself, use strong and unique passwords, enable two-factor authentication if available, and avoid using common words or phrases that can be easily guessed.

4. Social engineering

Social engineering is a cyber attack that exploits human vulnerability rather than system weaknesses. It involves tricking individuals into revealing sensitive information through deception. Threat actors may even impersonate someone else to gain physical or remote access to a target system.

Unfortunately, these attacks are still prevalent in 2022, as approximately one-third of data breaches occur due to social engineering. It is important to remain vigilant and cautious of unsolicited communication, verify identities, and practice proper security protocols to avoid falling victim to these attacks.

3. Malware, ransomware & spyware

Malware is a type of malicious code designed to carry out specific tasks that hackers want, including taking over, using as a gateway, stealing data, or disabling the target’s machine. In 2021, the average organization faced 1,748 attempts to be infected with malware. The same trend held true last year, with malware attacks being one of the most popular cyberattack types.

Meanwhile, ransomware is a more specific form of malware that infects a machine’s storage and encrypts stored data, demanding payment for decryption. These attacks can be highly profitable for hackers, as organizations often pay the ransom with no guarantee of a successful outcome.

Keyloggers are a type of spyware that captures every keystroke made on a device, allowing malicious actors to access sensitive information such as passwords and credit card numbers. Keylogger spyware is typically installed on a user’s device by clicking on a malicious link or attachment. Protect yourself from keyloggers by using strong and unique passwords for all accounts, as well as enabling two-factor authentication where possible.

2. DoS and DDoS

DoS and DDoS attacks flood servers or routers with requests, making it impossible for legitimate users to access a website or service. Attackers may use botnets or darknet marketplaces to orchestrate large-scale attacks. Defend against these attacks by having a robust firewall and keeping software up-to-date. These attacks are difficult to defend against, so be vigilant and prepared. According to reports, DDoS attacks grew 150% compared to the year before.

1. Phishing & vishing

Phishing, the list’s leader, tricks users into revealing sensitive information by posing as a legitimate institution. Attackers often use genuine-looking emails that redirect victims to fake websites where they input their actual credentials. Once attackers have the user’s information, they can take over their account, blackmail them, or sell the data on dark web marketplaces.

Vishing, a combination of voice and phishing, tricks victims into revealing confidential information through social engineering tactics. Protect yourself by being suspicious of emails asking you to click on links or download attachments. If in doubt, contact the company directly to verify the email’s legitimacy. Phishing attacks amount to more than 255 million attacks, a 61% increase in the rate of phishing attacks compared to 2021.

The top 10 must-take actions to protect your organization from cyberattacks

With the increasing sophistication of cybercriminals, it’s crucial to take proactive steps to safeguard your organization’s sensitive data and protect it in all ways possible.

Here we’ll explore the top 10 must-take actions to secure your business from cyber incidents. Implementing these measures can significantly reduce the risk of potential financial and reputational damage.

10. Backup your data regularly

Regularly backing up your data is crucial for protecting your organization against cyber attacks. In the event of a ransomware attack, having backup servers allows you to restore your data without having to pay a ransom.

However, ensuring that your backups are secure and protected from cyber threats is essential. Negligently leaving data backups unprotected in public cloud services can leave them vulnerable to cyber criminals. Organizations can recover quickly from a cyber attack using data backups and maintain business continuity.

9. Have a response plan in place

Even with all the necessary precautions, it’s impossible to guarantee that a cyber attack won’t happen. That’s why having a well-designed response & risk management plan is crucial to minimize the damage caused by a cyber attack. A comprehensive response plan should include:

• Clear steps for containing the attack.

• Notifying stakeholders.

• Restoring operations as quickly as possible.

It’s important to regularly review and update the plan to ensure it remains effective and relevant to your organization’s evolving risks and operational needs. The impact of a breach can be minimized by having a response plan in place. Quickly and effectively responding to a cyber attack can get your organization back to normal operations.

8. Conduct regular security audits

Regular security audits are a crucial step in protecting organizations from cyberattacks. These audits can help identify vulnerabilities in systems and processes, allowing organizations to address them before hackers can exploit them.

Hiring an external audit firm or cybersecurity consultant agency can provide valuable insights into potential weak points in a network. By actively seeking out and addressing these vulnerabilities, organizations can save themselves the cost and headache of dealing with a successful hacking attempt in the future.

7. Engage in active threat monitoring

Active threat monitoring is critical in protecting an organization from cyber attacks. Network monitoring tools can be used to detect unusual ac
tivity that could signal an ongoing attack.

By monitoring network activity, organizations can quickly detect and respond to security incidents, including suspicious activity, using intrusion detection systems to alert the security team to potential threats.

6. Control access to your network & resources

Controlling access to your network and resources is essential for protecting your organization from cyberattacks. With the rise of remote work and temporary employees, enforcing security policies for every worker or device is difficult, increasing the risk of malware infections and insider threats.

IP allowlisting can help mitigate these risks by limiting access to only the resources required to complete their work. Organizations should also limit access to sensitive data to only those employees who need it, reducing the risk of unauthorized access and data breaches. Organizations can better protect their network and data from potential security incidents by controlling access.

5. Encrypt your data

Encrypting your organization’s data, especially user passwords, is critical in preventing cyber attacks. Hashing and salting are effective methods of encryption that scramble passwords into unintelligible characters and add additional elements before hashing, making them impossible to reverse-engineer.

Unfortunately, many significant data breaches occur because encryption was not implemented. As a business manager, prioritize data encryption to enhance the security of your user data. By adopting encryption, you can significantly reduce the likelihood of a data breach and protect your organization’s sensitive data.

4. Keep software updated

It’s crucial for organizations to keep their software up-to-date. Outdated software is an easy target for hackers always looking for vulnerabilities to exploit. This is especially true for large organizations, as their large pool of users may postpone updates. Therefore, it’s recommended to have forced updates to ensure that all machines are updated with the latest patches.

Additionally, it’s important to have antivirus and anti-malware software installed, kept up-to-date, and run regular scans to detect and remove any malicious software that could harm the system.

3. Secure your network & hardware

Securing your network and hardware is crucial in protecting your organization from cyberattacks. Hackers often exploit unpatched loopholes and other vulnerabilities to gain access to your system. To minimize the attack surface, take all possible steps to secure every endpoint device.

One effective measure is enforcing the use of a virtual private network (VPN) when accessing sensitive company documents to secure the exchanged data and prevent unauthorized access. Additionally, services such as NordLayer can provide a safety net to further enhance your network and data security. By securing your network and hardware, you can significantly reduce the risk of a cyberattack and protect your organization’s sensitive information.

2. Enforce strong passwords and multi-factor authentication

Using weak passwords, such as ‘Tom1234,’ can make user accounts vulnerable to cyber attacks. To prevent this, organizations should implement password complexity requirements and provide guidance on using password phrases, which are secure and memorable.

Also, multi-factor authentication (MFA) systems should be used, which require multiple factors to verify a user’s identity. MFA provides reliable assurance of an authorized user’s identity, reducing the risk of unauthorized access and providing better data protection than passwords alone.

1. Regularly train your workforce on cybersecurity awareness

Regularly training your workforce on cybersecurity awareness is one of the most critical steps to protect your organization from cyberattacks. Employees, especially those working remotely, are often the weakest link and can unintentionally introduce security vulnerabilities.

Organizations can reduce their risk of a cyber attack by educating employees on best practices such as using strong passwords, identifying phishing emails, and reporting suspicious activity. A well-trained employee will be able to identify different types of cyber threats and distinguish them from genuine ones, as most cyber attacks follow common patterns. It’s essential to provide ongoing training that reflects your enterprise’s risks and proper responses to future attacks since cyberattacks are evolving daily.

The cost of cybercrime & security incidents

The cost of cybercrime in 2022 is at an all-time high. Companies are facing an average cost of $4.35 million due to data breaches alone, with 60% of these breaches resulting in increased prices passed on to customers. In the UK, businesses have had to bear an average cost of £4200, while nearly 1 in 10 US organizations remain uninsured against cyber attacks.

These numbers are just the tip of the iceberg, indicating that constant vigilance and strong security measures are necessary to protect sensitive data and minimize the financial risks that come with cybercrime.

In this part, we delve into the cost of cybercrime in 2022 and examine the key findings that underscore the importance of organizations taking proactive steps to guard against potential cyber threats.

5. $4.35 million – average total cost of a data
breach

In 2022, the average data breach cost hit an unprecedented peak of $4.35 million, surging by 2.6% from the previous year’s average cost of $4.24 million. This year-on-year increase has been consistent, with the average cost rising by a staggering 12.7% from $3.86 million as reported in 2020. These statistics demonstrate the relentless nature of cyber attacks, highlighting the need for constant vigilance and robust security measures to counter these threats.

4. $4.82 million – average cost of a critical infrastructure data breach

When analyzing critical infrastructure organizations, such as those operating in financial services, industrial, technology, energy, transportation, communication, healthcare, education, and public sector industries, the average cost of a data breach was notably higher at $4.82 million. This cost was $1 million more than the average cost of data breaches in other industries.

Shockingly, 28% of critical infrastructure organizations studied had been subjected to destructive or ransomware attacks, whereas 17% had encountered a breach due to their business partners’ security compromise. These findings underscore the importance of strengthening cyber security strategies for critical infrastructure organizations and their third-party partners to safeguard against potential cyber threats.

3. $4.54 million – average cost of a ransomware attack

Ransomware attacks accounted for 11% of all breaches, marking a 41% increase from the previous year’s figures of 7.8%. Despite this surge, the average cost of a ransomware attack experienced a slight decrease, from $4.62 million in 2021 to $4.54 million in 2022. However, this cost was still marginally higher than the average total data breach cost, which stood at $4.35 million.

These findings highlight the continued threat of ransomware attacks and the necessity for organizations to implement robust preventive measures to mitigate the associated risks.

2. $1 million – average difference in cost where remote work was a factor

Security breaches caused by remote work resulted in significantly higher costs compared to those without remote work involvement. On average, the costs associated with remote work-related breaches were nearly $1 million higher, with a reported cost of $4.99 million, as opposed to $4.02 million for breaches unrelated to remote work.

This difference amounts to remote work-related breaches costing approximately $600,000 more than the global average cost. These figures underscore the financial risks and consequences associated with remote work and the importance of implementing strong security measures to safeguard sensitive data when remote work is necessary.

1. $9.44 million – average cost of a breach in the United States

The top five countries and regions that experienced the highest average cost of a data breach were the United States, with a staggering $9.44 million, followed by the Middle East at $7.46 million, Canada at $5.64 million, the United Kingdom at $5.05 million, and Germany at $4.85 million. Notably, the United States has held the top position for 12 consecutive years.

Additionally, the country with the highest growth rate from the previous year was Brazil, with a significant increase of 27.8% from $1.08 million to $1.38 million. These findings reveal the persistence and costly nature of cyber attacks, irrespective of location, emphasizing the importance of maintaining robust cyber security measures to prevent such incidents.

To sum up 2022

As we close out 2022, it’s clear that cyber security continues to be a top concern for businesses of all sizes and industries. The year saw unprecedented levels of attacks, with organizations worldwide experiencing an average of 1168 attacks per week in Q4 alone.

Unsurprisingly, the human element was involved in a staggering 82% of all breaches, with phishing and stolen credentials continuing to be a significant concern. Despite the increase in attacks, however, many businesses still don’t have adequate security measures, and the cost of cybercrime continues to rise.

To protect their data and assets in 2023, organizations must prioritize implementing effective security strategies, risk management plans and staying up-to-date on the latest threats and prevention techniques.

If your organization needs top-notch cybersecurity solutions, NordLayer provides flexible and easy-to-implement tools for all businesses. Get in touch with our specialists today for more information.

PCI-DSS is the set of security standards that seeks to extend consistent data protection practices across the credit processing industry. Any organization handling credit card data must comply with PCI-DSS regulations.

PCI-DSS compliance places a major burden on businesses, especially small and medium-sized enterprises. But companies can reduce the cost of compliance by intelligently scoping their credit processing environment.

Segmentation allows IT teams to apply network segmentation to protect credit card data while reducing the need to secure less critical system components.

This blog will introduce network segmentation in PCI-DSS. We will look at how segmentation works and how it contributes to robust financial sector cybersecurity strategies.

What is network segmentation?

Network segmentation separates network resources to control access and enhance security. In the context of PCI-DSS, network segmentation divides the cardholder data environment (CDE) from other system components.

Separating the cardholder data environment from other resources allows businesses to secure cardholder data. This is a major challenge of cybersecurity in finance. With proper segmentation, hackers will struggle to move from off-scope endpoints and apps to the CDE. Data breaches are much less likely.

Segmentation is not a PCI-DSS requirement. It complements other compliance tools such as encryption, access management, and firewall protection. If you have any doubts about core requirements, check out our PCI-DSS compliance checklist for more information.

However, the PCI Security Standards Council (SSC) has issued guidance advising companies to employ segmentation if possible.

As the SSC says, “Effective segmentation can greatly reduce the risk of CDE systems being impacted by security weaknesses or compromises originating from out-of-scope systems.” But it is not a magic bullet. Segmentation must work with other technologies and controls to achieve PCI-DSS compliance.

Understanding PCI DSS network segmentation scope

When discussing network segmentation for PCI-DSS, it’s important to assess the “scope” of controls required.

Scope refers to the extent of protection required to achieve compliance. Establishing PCI-DSS scope is a critical priority before applying segmentation.

Proper scoping provides security teams with the visibility and knowledge needed to locate and defend critical data. Scoping allows you to segment cardholder data from other parts of the network, boosting security and cutting costs.

There are three main categories to think about when carrying out a PCI-DSS assessment.

In-scope assets

Network resources that make direct contact with cardholder information. This includes payment systems, points of sale, credit card databases, communication tools, and even CRM systems. If an app or device holds credit card data, it is “in scope.”

Connected-to assets

These systems connect to in-scope assets but do not hold card data themselves. They may not require segmentation but must be tightly secured as part of the CDE.

Out-of-scope assets

Anything without access to the cardholder data environment is defined as “out of scope” and does not require the same level of protection.

The PCI-DSS regulations state that “even if the out-of-scope system component was compromised, it could not impact the security of the CDE.” This is a good way of approaching the scoping task.

If system components provide attackers with indirect access to cardholder data, it qualifies as in-scope. If not, you can relegate it to a lower priority level and concentrate resources where they matter most.

“Flat” networks where system components are connected to a single network switch are an important exception. In these cases, the entire network is categorized as in-scope.

In flat network settings, there is no such thing as an out-of-scope system. If an attacker gains access to any node on the network, they can potentially spread to systems handling credit data.

Why scoping matters to network segmentation

PCI-DSS scoping is a crucial first step in the segmentation process. You cannot create segments protecting cardholder data unless you know where that data resides.

Scoping maps data locations and flows. Compliance teams build a picture of how credit card data moves throughout the network, where it is stored, and who requires access. This provides a solid foundation for creating accurate and effective network segments.

Scoping also ensures that the segmentation process covers every asset. Security teams can start from the assumption that everything is in scope. They can then eliminate out-of-scope assets from the CDE and apply precise segmentation for cardholder data.

How to implement network segmentation for PCI DSS?

When carrying out a PCI-DSS assessment, it’s essential to keep one thing in mind: segmentation is not a substitute for comprehensive cybersecurity controls and policies. Network segmentation is part of a wider toolkit, not a solution to your compliance worries.

Having said that, PCI-DSS best practices advise that companies segment the cardholder data environment from other network systems. So how should you approach this task?

Network segmentation applies specific security controls to create sub-networks containing critical cardholder data. There are various ways of achieving this, including:

Firewall barriers between the rest of the network and cardholder data

Firewalls regulate network traffic across the CDE perimeter, preventing unauthorized access requests.

Data loss prevention (DLP) solutions

DLP tracks the movement of critical data, and works in tandem with firewall protection. Users cannot move or copy protected data without authorization. Security controls automatically block any unauthorized transfers.

Physical access controls for in-scope devices

Some workplaces may impose physical identity checks between CDE-connected devices and other offices or workstations.

Air gaps

Physical air gaps can also divide cardholder data from other network assets. Companies may choose to use two separate systems for payment processing and general operations.

Identity and access management (IAM) systems and multi-factor authentication (MFA)

Authentication systems require multiple credentials for any login. Secure network zones can require extra credentials before granting access.

Zero Trust controls on user privileges

Network managers should keep the number of users with administrative privileges as low as possible. Cardholder data environment access should only be available for users with appropriate permissions. All user access is seen as illegitimate until proven otherwise.

Continuous activity monitoring

Security teams can automate monitoring to track suspicious behavior. Tracking systems raise alerts when out-of-scope assets request access to a network segment within the CDE.

When you decide how to apply segmentation, the core challenge is determining which assets are in-scope and what lies out-of-scope.

Security teams must interview employees throughout the organization to understand how they use data. Employees can provide invaluable information about where cardholder data resides – knowledge that may not be immediately obvious.

The next step in PCI-DSS compliance is ensuring that network segmentation covers every part of the CDE. Elements to consider include:

• Applications handling cardholder data. This could cover web apps and locally hosted databases.

• Authentication servers and internal firewalls that connect with or defend the CDE. Protecting sensitive authentication data is a critical priority.

• Security services that ensure data security and guard cardholder data. This includes intrusion detection systems, malware scanners, and anti-virus tools.

• Log storage servers and backups. Any audit logs must be properly secured, including connections between active payment databases and historical logs.

• Virtual machines, apps, hypervisors, or virtual routers that store or process cardholder data.

• Network infrastructure such as routers, switches, hardware firewalls, and any other equipment that connects to the CDE.

• Network servers handling cardholder data flows from sites of payment and within the corporate network. This may include web, mail, proxy, and DNS servers.

• Third parties. Any third-party applications or users with access to payment or cardholder data storage systems lie within the CDE.

The critical task when applying PCI-DSS controls is mapping connections. Any endpoint or application that can access cardholder data needs to be secured.

It isn’t always easy to discover connections between system components. But a comprehensive planning process will generate enough information to keep your data breach risk low.

How can NordLayer solutions help?

Network segmentation is a critical part of PCI-DSS compliance. It allows organizations to separate the cardholder data environment from other system components. Attackers seeking access via remote devices or insecure endpoints will find it much harder to extract cardholder data.

NordLayer can help you build a security setup that meets PCI-DSS requirements. Our PCI-DSS compliance solutions make it easy to segment networks to protect cardholder environments. With Nordlayer, you can:

• Create groups of network users and assign different network access privileges to each group.

• Create Virtual Private Gateways for specific groups, resources, or websites.

• Use IP allowlisting with Dedicated IP addresses to allow authorized users and block others.

In the near future, we will also offer Cloud firewall functionality. This will simplify segmenting cloud-based credit processing environments with granular and flexible access controls.

However, network segmentation is not a single solution. Companies must couple PCI-DSS network segmentation with other security tools to be compliant. Nordlayer can help here as well. In addition to segmentation, our tools can help you:

• Install secure remote access solutions to transmit cardholder data safely.

• Set user permissions to block unauthorized access to every network segment.

• Employ quantum-safe cryptography in tunnel encryption to hide your traffic and online activity from users on the open internet.

• Put in place multi-factor authentication for users accessing cardholder data. Ensure only trusted users can handle customer information and keep data breach risks low.

Make PCI-DSS compliance manageable by partnering with an experienced security provider. Get in touch with the NordLayer team to explore smart data security solutions that make damaging data breaches much less likely.

As healthcare providers increasingly rely on Software-as-a-Service (SaaS) applications to manage patient data, it is crucial for them to understand the importance of HIPAA compliance.

This article will discuss what healthcare organizations need to know about HIPAA compliance for SaaS and how to ensure that their SaaS applications follow industry-specific regulations.

What does HIPAA compliance mean for SaaS?

When it comes to HIPAA compliance, SaaS providers fall into two broad categories: developers and app providers and SaaS hosting services. The two groups have different compliance needs, so it’s helpful to discuss them separately.

SaaS developers and providers

SaaS developers and providers that serve the healthcare sector must ensure their products are HIPAA compliant.

HIPAA compliance means that SaaS developers and service providers adhere to HIPAA’s Security, Privacy, and Breach Notification rules. The most important section here is the HIPAA Security Rule, which has three sub-sections: technical, administrative, and physical.

Under the HIPAA Security Rule, Covered Entities (CEs) and Business Associates (BAs) must put in place protective measures to secure Protected Health Information (PHI). SaaS companies tend to fall under the Business Associate header.

SaaS providers must sign Business Associate Agreements (BAAs) with clients. These agreements set out areas of responsibility and liability. Both healthcare companies and cloud providers should be clear about sharing compliance duties and protecting patient data.

SaaS hosting services

The situation is less clear about SaaS hosting services. HIPAA security rule does not set clear guidelines for cloud computing companies hosting healthcare services. Yet, it has become increasingly important to brand cloud infrastructure as HIPAA-eligible.

HIPAA-eligible hosts offer products that clients can adapt to meet HIPAA standards. This reassures clients that shared cloud computing architecture is properly secured. The major cloud platforms offer HIPAA-eligible services, including Amazon Web Services, Microsoft Azure, and Google Cloud.

Important HIPAA compliance areas for companies and SaaS providers

Not all SaaS companies working in the healthcare sector need to worry about HIPAA compliance. For example, many health app developers won’t handle patient records if their involvement ends when the app is delivered to clients.

But this changes if DevOps teams maintain and update cloud apps for health companies. If you handle Protected Health Information or could access PHI during development tasks, you must be HIPAA compliant.

Generally speaking, HIPAA compliance is critical for providers of SaaS-based healthcare services such as monitoring apps, payment portals, or insurance management tools. And compliance is also a concern for services that host PHI on cloud infrastructure.

Specifically, healthcare organizations need to protect patient data:

• When creating patient records

• When information is received

• When PHI is at rest on cloud resources

• During transmission (if this involves SaaS infrastructure or apps).

HIPAA requirements for SaaS providers

What does the process of becoming HIPAA-compliant look like? Under the HIPAA Privacy rule, there are three main areas of focus.

Firstly, achieving SaaS data security involves creating robust technical controls. This could include encryption of data in transit and at rest. It also includes access controls to prevent unauthorized access to confidential data. Multi-factor authentication, firewall protection, and password management systems all contribute.

On the administrative side, SaaS companies must train workers to use SaaS tools safely. They must also have robust data handling policies and device usage rules to prevent the unsafe movement of patient data.

Finally, physical security measures include securing data centers via locks, authorization systems, and cameras. There should be measures to protect physical devices on and off-site and plans to guard data against natural disasters and sabotage.

Business Associate Agreements cover all three of these areas. The Covered Entity and Business Associate sign BAAs before commencing their business partnership.

The BAA describes the areas of responsibility of clients and SaaS providers. It includes details on how to achieve compliance. And it explains how partners will be liable when security breaches occur.

Sharing compliance responsibilities

Under the Privacy Rule. SaaS partners and Covered Entities have shared responsibility for protecting patient data.

Cloud Service Providers guard infrastructure and data at rest on their servers. Service users manage access control, data in transit, and how users interact with their apps. This situation applies in healthcare as well. But controls on data access are much tighter.

HIPAA-compliant SaaS hosts and providers must apply the strongest possible encryption to all confidential data. They are responsible for ensuring data is available when requested. Servers must also remain online when healthcare organizations need them.

SaaS hosts manage the physical safety of hosting infrastructure. SaaS providers handle the integrity of application code. They must guard against emerging threats like Zero Day Exploits and ensure healthcare apps are as secure as possible.

Healthcare organizations (Covered Entities) have different responsibilities. Healthcare organizations must train staff to use SaaS services safely. Every covered entity needs to educate users about safe remote access, using encryption, managing passwords, and avoiding phishing attacks.

Healthcare organizations also deal with access controls. They must ensure PHI is only available to authorized professionals or patients themselves.

Most cloud-based cyber attacks have their roots in unsafe user behavior or loose access controls. Provider-side security is critical. Yet, it’s also important for SaaS providers and hosts to tighten their HIPAA compliance.

Healthcare organizations and SaaS partners should know exactly how to share responsibility and take appropriate action to ensure watertight compliance.

Implementing HIPAA compliance measures

A robust HIPAA compliance plan ensures that SaaS companies follow HIPAA’s Security, Privacy, and Breach Notification rules. Dividing your compliance plan between the three HIPAA regulations is good practice.

Compliance plans cover many areas, and the exact make-up varies between organizations. But common elements include:

Risk management

Create risk management plans for all critical data protection risks. Risk assessment processes should include risk severity and actions required to mitigate each risk.

Project ownership

Appoint individuals with responsibility for HIPAA privacy and security management.

Security controls

This includes physical safeguards such as cameras and locks. Data protection controls are also crucial. Use encryption, access management, endpoint protection, and monitoring tools to track user activity,

Administrative safeguards

This could include training plans to educate workers and communicate HIPAA responsibilities.

Auditing

Regular compliance audits ensure controls function properly and that staff training achieves the desired results.

Systems to receive and act on HIPAA complaints

Create a secure email or phone line to report PHI violations. Organizations must make data available to patients and have streamlined processes to report data breaches to regulators.

Documentation

Create and store clear documentation outlining HIPAA compliance policies. Make documents available to staff members and regulators if needed.

Handling third parties and associates

HIPAA-compliant organizations must have solid procedures to onboard business associates. SaaS partners should be able to provide clear evidence of compliance and HIPAA eligibility (if needed).

Clients should immediately know that the SaaS provider is a dependable and secure partner. If you have not done so, plan to achieve recognized security standards such as NIST 800-53, ISO 27001, or ISO 20000-1.

How can NordLayer help?

Becoming HIPAA compliant can be challenging for SaaS developers and service providers. But if you want to thrive in the healthcare sector, a strong compliance plan is essential. Nordlayer’s HIPAA-compliant solution can help you make the changes needed when building a reputation in SaaS health provision.

Our network security solutions include the following:

• Streamlined network access controls to ensure only authorized users can access PHI.

• Secure Remote Access from all endpoints ensures equally secure and protected network access for remote and hybrid work environments without putting health data at risk.

• 256-bit AES encrypts data that is being sent between networks and reduces data breach risks.

• Compatibility with major cloud platforms such as Azure and AWS. Integrate Secure Remote Access with cloud-native controls to create a solid HIPAA security setup.

All SaaS companies operating in the health sector need rock-solid data protection that complies with HIPAA regulations. Explore your options and ensure safe access to PHI with Nordlayer’s assistance.

A discussion with Mark Rowland, Co-Founder & Managing Director at Cutec, about how they solved client problems using NordLayer and what to expect for next cybersecurity’s major challenges and possibilities.

Cutec is a Managed Service Provider (MSP) and IT support company from England. Operating in the industry for 25 years, a 20-employee expert team supports a range of small and medium clients across the UK. Whether an organization has a staff of just a few or hundreds of people, Cutec’s role is to consult companies with technical focus and accuracy to fill in the vacancy of an internal IT person for the client.

The consultancy firm fills in the IT management and knowledge gap, which is a recurring issue for many businesses, especially smaller organizations Cutec gets to consult. However, conversing with different clients revealed another concern — there’s no cybersecurity mindset. Mark Rowland, a Co-founder and Managing Director at Cutec, shares his insight on how crucial security awareness is for business continuity. 

Business case: decentralizing single-site infrastructure

The client has been with Cutec for about 6 years — during this time, the company of 30 people expanded to an almost 300-employee organization. And as this financial services provider grew into a country-wide company, it started facing security challenges.

“As for a managed IT service provider, it is important to be there for your client when they need you. It’s our responsibility to support branches dotted around different parts of the UK — online presence becomes a necessity over physical.”

Click to tweet

Being contained in one place and managing 20 people is relatively easy. However, the client business model involved advisors spread all over the country. Combine it with rapid growth during a short time and data sensitivity due to the nature of financial services — the need to protect databases, CRM, and phone systems was critical.

The foundational elements for security were there: the client had two-factor authentication, password management, and fixed IP in place. It’s secure enough for 20 people sitting in one office, but not if numbers jump to hundred users in dozen cities — circumstances urged for an extra layer of security.

An increasing number of VPN connections to internal applications started causing connectivity issues and quickly bogged the network. This was the turning point for Cutec to find a better solution for a VPN route that would ensure security.

Close-up on the solution

One of the available options for the client was to get much more powerful broadband for the HQ office, install hardware firewalls, and achieve the wanted level of security for an outrageous expense bill.

Moreover, the solution would bind everything to one location. From a disaster management perspective, it’s not sustainable for business continuity — if the power is cut off, the internet goes down, and all employees get disconnected despite their location.

The alternative was getting a NordLayer subscription. Although it meant paying per user license, it offered what the company needed — a fixed IP address that provided much-needed flexibility and stability.

Choosing NordLayer allowed upgrading and downgrading the number of member accounts as the staff comes and leaves and, most importantly, eliminating the dependence on the HQ office — if the power got cut off, server design allowed carry-on working.

Sorting out the inconvenience of in-house security

Deployment and maintenance of the on-premise solution meant a lot of man-hours. It included a remote connection to a client’s PC and setting up their VPN connection. 

NordLayer, on the other hand, provided a simple solution. The MSP had to connect to the Partner Portal and add the user, so they could complete the setup themselves — click the welcome link to install the VPN.

“The solution setup was fantastic as we looked at a massive project and a big headache. Rolling out NordLayer VPN connection to 300 people was achieved in four days. And out of 300 members, we had only five people calling for help, but that’s because they were cautious, not because they didn’t know what to do.”

Click to tweet

It’s worth mentioning that the client has no one in-house with the knowledge and expertise on cybersecurity. In this case, Cutec is an advisor and a guide for organizations’ cybersecurity strategy, closely collaborating with a single point of contact on-premise, the Technology Director, to help steer the business away from cyber threats.

Expert insights: take on SMBs security

The client scope Cutec works with is usually small-medium sized businesses without internally dedicated IT staff. Better to say SMBs have little understanding of cybersecurity. There’s a persistent tendency for a slow but inevitable change in the business mindset:

• A now-outdated perspective of ‘antivirus solves all our security problems’ was effective 10–20 years ago — today you have to think outside the box.

• Small-medium enterprises tend to give on-premise servers and migrate to the cloud more often. Core IT support is going to change. It will be more about picking the right cloud solution for people driving the migration to the cloud. Over the next three years, people will drop on-premise stuff and go to the cloud completely, and we’ll be there to help them with that.

• Cloud-edge solutions like NordLayer are going to get more popular over time. Teams work from coffee shops and McDonald’s — they connect to public Wi-Fi and hot spots and must protect their traffic with tools that work well.

A future notion on SMBs from sensitive industries

The cybersecurity landscape changed— now it’s about protecting yourself online. At our company, we notice clients are transitioning to online cloud services. The number of adopted vendors and service providers can be three, five, or a dozen online solutions and tools.

Previously, having a server in the office under lock and key with a firewall allowed us to assume that that was enough to keep the company secure. However, small businesses struggle to comprehend the gravity of cybersecurity.

“Using Office365, therefore, thinking my data is secure is a mistaken approach. Company data might be secure in the Microsoft Data Center, but is it safe where you are accessing it from?”

Click to tweet

After Covid, once people started connecting from their home PCs and smartphones, companies without proper security measures risked having their business data on employees’ personal devices.

Larger enterprises and governmental institutions already have an awareness – sometimes forced by insurance companies and bank regulations – of owning some security accreditations to filter down the risks. Meanwhile, small-medium enterprises don’t have this perception, and MSPs like Cutec help them drive in the right direction.

Our biggest challenge is overcoming the big issue of clients thinking that security is finite. Threats are layered and complex — getting an antivirus or a firewall might solve only a small part of the potential risks and gaps for threat actors to exploit. Instead, business owners and their teams must keep up-to-date with a cybersecurity mindset to guarantee business continuity.

Pro cybersecurity tips

Education on cybersecurity is increasing, and it is becoming a common topic of conversation. More and more employees and decision-makers now acknowledge a serious lack of digital security knowledge. To make the learning process easier, it’s better to ask questions and have some starting points. Here’re some pro tips you can begin with:

Explore cybersecurity to broaden your knowledge about threats and solutions for managing them. NordLayer offers layered-by-design network access solutions for all kinds of businesses and their team setups to rise to the challenges of a modern company. And at NordLayer, we care about guidance. Thus, explore our Cybersecurity Learning Center and Decision Maker’s Kit for in-depth support for building your own cybersecurity strategy.

Want to join forces to build a more resilient and aware cybersecurity landscape for businesses and organizations? NordLayer invites Managed Service Providers to seize the opportunity to join our Partner Program — reach out to learn more about it.

Cybersecurity for healthcare organizations involves protecting sensitive patient data from unauthorized access, use, and disclosure. It’s a strategic imperative for every healthcare business, but with the digitization of medical records, sharing sensitive information has become simple and, at the same time, much more exposed to cyber threats.

Cyberattacks often cause serious disruptions to patient care and lead to misdiagnosis and medical errors. Many studies have shown that ransomware attacks affected hospital mortality rates due to the lack of access to patient information. Also, as HIPAA Breach Notification Rule states, sensitive information violations can have serious financial consequences.

What other cybersecurity risks are healthcare organizations facing? And how can you mitigate them? Read on to discover the best practices for healthcare cybersecurity.

Key cyber trends for the healthcare sector

Over 93% of covered entities and business associates faced a breach in the last two years. According to IBM Data Breach Report, in 2022, the healthcare sector suffered the highest costs of data breaches. And although the number of breached records fell from 54.09 million in 2021 to 51 million in 2022, healthcare still remains one of the industries most affected by hackers. The commercial and public health sector is clearly under fire.

A new trend is a growing number of attacks through third-party vendors. Nearly 26 million records were exposed from business associates, and almost 25 million were on healthcare organizations.

Cyber attacks will continue to plague the US health sector, the Healthcare Cybersecurity Report for 2022 states. The criminal ecosystem keeps evolving and adjusting to new security measures. Threat actors will increasingly look for and exploit vulnerabilities in the systems. Also, third-party vendors are more at risk now.

Other long-term trends are seemingly unrelated geopolitical events directly impacting the healthcare industry. Since the beginning of the war, the Russian government has regularly leveraged wipers and DDoS attacks. And the same applies to Russia’s allies, such as China, North Korea, and Iran. 

Cybersecurity challenges for healthcare organizations

Let us examine why the healthcare industry is an attractive target for threat actors. There are 3 main reasons for that trend: 

• Poor risk management

Healthcare organizations deal with connected medical devices (Internet of Medical Things), employees’ devices that don’t have adequate security measures, and several third parties that access Protected Health Information (PHI) and other critical assets. Ensuring adequate cybersecurity solutions that mitigate risk and address vulnerabilities in a legacy system is critical.

• A huge value of PHI on the Dark Web

Stolen patient data can be used for malicious activities like identity theft or healthcare insurance fraud. A single medical record is valued at up to $250 on the black market, and this information is worth about 50 times more than credit card details on the Dark Web.  All this means that patient privacy is at risk of being violated.

• Financial reasons 

It’s a major security risk for the industry. Suffering a ransomware attack, for example, means paying a large amount to the attackers. 

Top 6 cyber threats for healthcare organizations

Threats for the healthcare industry come in many forms, from ransomware to theft of personal information. In 2022, the biggest security breaches in healthcare came from phishing and malware attacks.

• Phishing

Phishing targets individuals by tricking them into disclosing sensitive information, clicking a malicious link, or opening a malicious attachment. The most common telltale sign of a phishing email is that it conveys a sense of urgency or preys on fear or greed. Scammers can also use social media, text messages, and voice calls for phishing. 

• Malware

It’s malicious software installed on a computer without a user’s consent. It can steal passwords or money or perform other malicious actions. Examples of malware include a Trojan horse, spyware, adware, or a virus.

• Ransomware

Ransomware is a form of malware that encrypts files on a user’s device and locks them out until they pay the hacker money to release them. 

• Theft of patient data

Stolen patient medical records may be sold on the dark web and used for insurance fraud or identity theft. Often, data recovery is not possible.

• Insi
  der threats

These risks can come from current or former staff members or contractors and happen intentionally or by negligence. For example, an employee may accidentally click a malicious link in a phishing email or skip security protocols to make their job easier. 

• Hacked IoT devices

Hackers take advantage of vulnerabilities in devices connected by IoT, such as handheld devices, camera sensors, or CT scanners.

Top 6 cyber risks in healthcare

All the facts and statistics mentioned earlier mean one thing: cybersecurity in healthcare is a burning issue. Criminals can disrupt health businesses with malware, ransomware, or phishing. And damage the organization’s reputation and endanger patients’ lives. But apart from that, healthcare organizations are exposed to various cyber risks, such as unprotected access to PHI, human error, vulnerabilities of legacy systems, third-party vendors, and a lack of regular cyber risk audits. 

Risk 1: Unsecured access to PHI

According to new HIPAA encryption requirements, ensuring all sensitive patient data is unreadable, undecipherable, and unusable to any person or software program without access rights is mandatory. For your organization, it means implementing robust security controls that help store Protected Health Information (PHI) safely and protect it from unauthorized access.

Risk 2: Human error

82% of data breaches involved a human element, including social attacks, errors, and misuse.  according to Verizon’s 2022 Data Breach Investigations Report. Understanding how human error affects your organization can help you mitigate risks for the future. Almost one-third of such incidents involved a person abusing their use of internal resources. For example, a doctor shares access to their work-issued device with children, who click on a malicious link and download malware. 

Risk 3: Vulnerabilities of legacy systems 

Outdated technology opens doors for cybercriminals. Legacy devices and operating systems are vulnerable because they can’t update properly. This means inadequate security control and weaknesses in the system can’t be patched. 

However, some healthcare organizations delay transitioning to up-to-date security solutions because of tight budgets or complacency. They choose to fix a problem only after a system failure or a cyber attack. Deploying technology that encrypts data, monitors authorized users, and blocks unauthorized user access can help minimize cyber risks. 

Risk 4: Third-party vendors

The number of business associates that handle sensitive data has grown with the volume of electronic medical records. According to an analysis by Fortified Health Security, third-party vendors accounted for 16% of data breaches in the first half of 2022. 

In 2022, the largest third-party vendor data breach, which affected almost 4 million individuals, happened through a ransomware attack at Eye Care Leaders. The breach impacted at least 39 covered entities, as well. 

Risk 5: Compliance 

Healthcare organizations also face regulatory challenges. Protecting patient privacy according to the latest HIPAA and GDPR rules can be complex. Besides following compliance guidelines, your organization should implement the best cyber security practices. Failure to keep patient records private may result in substantial penalties and harm your reputation. 

Risk 6: The absence of risk assessments

Every healthcare organization should conduct a regular risk assessment to identify vulnerabilities and risks to the confidentiality and integrity of PHI.  The evaluation should determine your organization’s capabilities for detecting, preventing, and responding to cyberattacks. It’s also crucial to know where your sensitive information is, what threats your organization faces, and your system’s vulnerabilities and security holes. And what your action plan in case of an attack is. 

Best practices for healthcare cybersecurity challenges 

This year’s IBM Data Breach Report demonstrates no system is impenetrable. But healthcare cybersecurity is all about basic security measures that stop criminals and make them look for an easier target. What are the best practices for minimizing cyber risks? Here is a list of the strategies worth adopting: 

• Deploy verified cybersecurity software

Install cybersecurity software on every connected device and secure your network. 

• Update your software regularly

Prompt, regular updates will address patches and vulnerabilities.

• Train your staff on cybersecurity

Your employees should be aware of cyber threats and how to detect them. 

• Strengthen your system access controls 

Restrict access to your most sensitive data and monitor who accesses it.

• Conduct regular risk assessments 

Identify weaknesses in your system and mitigate risks. Determine where your sensitive information is and protect access to it.

• Ensure your business associates have strict security policies 

Some business associates have lax policies that can create problems for the healthcare organization they cooperate with. Don’t let stolen vendor credentials or data will compromise your organization. 

Cybersecurity solutions for healthcare organizations

Securing your organization from cyber threats can be overwhelming. Protecting your valuable data and critical equipment is complicated but doesn’t have to be complex. That’s why we have prepared a guide on security solutions tailored to the health industry.  

• Network security

The key to combating any external threats is network visibility and responsive protection. A solution that quickly isolates risks will prevent your network from being exposed. Setting permissions and policies for secure users and apps across multiple devices is also good. This way, you will ensure that only authorized staff will access your confidential data. 

• Application security 

The best way to secure access to your applications is to verify and authenticate every user, device, and connection. This Zero-trust approach enforces mandatory checks at every step and minimizes security gaps. It also enables your staff to work remotely and on multiple devices. 

• Endpoint security

If your devices are left unsecured, they can be a gateway for breaches, and an infected endpoint will affect your organization’s functioning ability. A comprehensive solution for endpoint protection uses data encryption and enforces unified security policies on all servers, networks, and endpoints. It also monitors 24/7 access to your resources, alerting you if there is suspicious activity. 

• Data security

Encrypting sensitive healthcare data can help conceal it from outsiders. MFA will add strength to authentication processes. Permission sets enable managing data access, meaning only authorized users can access it.  Everyone else will be blocked by default until granted the necessary privileges. Before you apply access controls, you need to classify your data accordion to its value and vulnerability. 

• Cloud data security

As healthcare organizations move their as
sets and data to the cloud, cloud services need robust protection. Cloud providers and businesses should share responsibilities to ensure data security, but this doesn’t mean you will always have a full view of your infrastructure. The provider may move data without you even knowing it. That’s why having a clear division of responsibilities is crucial. Also, you should encrypt everything in the cloud and set strict access permissions. You add IP allowlists to only connect specific IP ranges to your network. 

How NordLayer can help 

You can protect access to your sensitive data and transition your organization towards the SSE framework by implementing our solutions for Zero Trust Network Access.

NordLayer also provides an adaptive network security solution that easily integrates with your existing infrastructure and provides secure access to sensitive resources.

Contact our sales team and discover how to protect your patient data from cyber threats.

Disclaimer: This article has been prepared for general informational purposes and is not legal advice. We hope that you will find the information informative and helpful. However, you should use the information in this article at your own risk and consider seeking advice from a professional counsel licensed in your state or country. The materials presented on this site may not reflect the most current legal developments or the law of the jurisdiction in which you reside. This article may be changed, improved, or updated without notice.

The Health Insurance Portability and Accountability Act (HIPAA) is the most important data protection regulation for healthcare providers in the USA. It covers health insurers, clinics, hospitals, private practices, and developers of health apps, care settings, and pharmacies.

If you handle patient records, you need to be HIPAA-compliant. For your convenience, we have created a handy HIPAA compliance checklist for covered organizations. However, this blog looks at another critical HIPAA-related issue: the different types of violations and the penalties for breaching HIPAA rules.

Violations matter. Poor compliance causes customers to lose trust in your data protection policies. It’s only a matter of time before patients move their business elsewhere. Regulators can also issue significant financial penalties or even jail offenders in the most extreme cases.

This makes protecting sensitive data a critical task for health companies and their partners. So let’s explore the issue in-depth and explain everything you need to know about HIPAA violations.

What qualifies as a HIPAA Violation?

Before talking about HIPAA penalties, we need a clear understanding of what exactly constitutes a HIPAA violation. Fortunately, the legal definition of a violation is extremely clear.

HIPAA violations take place when either a covered entity (CE) or a business associate (BA) of a covered entity breach HIPAA Security, Private, or Breach Notification Rules.

HIPAA has three main rules. Here is a quick summary of what you need to know about them:

• The HIPAA Privacy Rule sets out protections for private health data. CEs must keep data confidential and prevent unauthorized disclosure. They must also make health records available if patients desire.

• The HIPAA Security Rule states that healthcare organizations must keep patient records secure. This includes physical, administrative, and electronic safeguards. You could see this rule as putting the privacy rule into practice.

• The HIPAA Breach Notification Rule requires CEs to inform patients about any actual or potential data breaches. Notification must occur within 60 days of the breach.

Covered entities must become familiar with these rules when creating a compliance strategy. If you suffer a penalty, ignorance of HIPAA guidelines is not a valid defense. Covered entities must be aware of their responsibilities under the law.

Business associates, third parties your company uses also need to be part of compliance strategies. If partners can access your network assets, they could potentially cause a data breach.

Deliberate versus accidental violations

The first thing to note is that violating HIPAA can be deliberate or accidental. Covered entities need policies to cover both types of violations.

Deliberate breaches could include nurses passing the health records of a celebrity to media contacts or selling records on the Dark Web. But they also extend to simply sharing patient data without the consent of the individual concerned. In these cases, penalties tend to be severe.

Deliberate breaches also include offenses where organizations fail to act when they should do so. For instance, companies may refuse to issue breach notifications to customers within the required 60-day limit.

Company policies that clash with HIPAA rules are often deemed deliberate breaches if regulators decide that the covered entity knew about the issue and was able to remove the conflict.

Accidental breaches of HIPAA rules carry less severe penalties. They could include the absence of encryption on mobile devices or failure to train staff in cybersecurity practices.

For example, physicians could click on phishing links disguised as communications from pharmaceutical partners. There is probably no deliberate or malicious breach here. But the covered entity would be liable due to poor security training and policies.

Broadly speaking, if companies fail to take action to conform to HIPAA rules, this will qualify as a breach. That’s why having a comprehensive HIPAA compliance strategy is essential.

Criminal versus civil violations

It’s also important to understand the difference between criminal and civil HIPAA breaches.

Criminal cases are mounted by the Department of Justice and are much less common than civil penalties. They deal with deliberate violations and can lead to prison sentences for individuals at the organizations involved. Offenses leading to criminal charges include:

• Wrongful disclosure of Protected Health Information (PHI)

• Wrongful disclosure of PHI under false pretenses (e.g. seeking access to medical records of patients not under the care of a physician)

• Wrongful disclosure of PHI under false pretenses with malicious intent (to sell or otherwise benefit from stealing PHI)

Most of the time, you or your staff won’t risk criminal charges. Instead, the challenge is to minimize the risk of civil cases.

Civil cases may involve behavior that is deliberate, but not malicious. Instead, civil offenses tend to involve poor risk assessment processes or simply ignorance of what HIPAA requires.

In these cases, the OCR or Attorneys General will seek a financial penalty under the HIPAA enforcement rule. Civil violations are covered by four tiers, which we will look at in more detail below.

4 types of HIPAA violations

In most instances, the Office for Civil Rights (OCR) receives complaints and decides whether organizations have violated HIPAA regulations. When the OCR deliberates, its regulators use a four-tier system to categorize potential violations.

The four tiers differ in terms of severity, with rising financial penalties. They also differ in terms of culpability. In some cases, organizations are not aware of HIPAA violations. In others, breaches are wilful and systematic.

The size of the financial penalty is related to various factors. Regulators consider:

• How long the violation has existed

• How many individuals are affected

• The value and amount of the data at risk

• Whether the organization willingly collaborates with OCR

• Whether the organization has a clean regulatory history

Tier 1 – Accidental violation

At this tier, organizations are not aware of HIPAA breaches. The organization also had no way to avoid the violation, even with complete adherence to HIPAA regulations. At this level, covered entities must show evidence of compliance. This proves that the breach could not be avoided.

Highest penalty: $100 per incident, with a limit of $50,000

Tier 2 – Aware of violation, but no remediation possible

At tier 2, organizations know about HIPAA violations before OCR is informed. In this category, staff should have been aware of the fault. But the organization could not avoid violating HIPAA rules, even while administering adequate levels of care. This level falls short of the definition of “wilful neglect.”

Highest penalty: $1,000 per incident, with a limit of $100,000

Tier 3 – Wilful neglect with remediation

At tier 3, organizations commit “wilful neglect”. This means they were aware of the violation. the covered entity could have taken action to remedy the breach but failed to do so. However, there is a caveat here. Tier 3 penalties are lower because the organization involved has taken action to remediate the issue.

Highest penalty: $10,000 per incident, with a limit of $250,000

Tier 4 – Wilful neglect without remediation

At tier 4, organizations are also guilty of “wilful neglect”. The violation was known and the organization failed to take remedial action. Breaches in this category could continue for months or years, with serious consequences for patient welfare and data protection. For these reasons, Tier 4 penalties are far higher than other categories.

Highest penalty: $50,000 per incident, with a limit of $1.5 million

The consequences of a HIPAA violation

According to US law, if a covered entity breaks the HIPAA regulations, it may face a penalty of up to $50,000 and up to one-year imprisonment. The actual consequences depend on the type and severity of the HIPAA violation, and whether they were committed by a healthcare employee or an employer, i.e., covered entities.

There are two types of violations: civil and criminal. Each category has tiers to determine penalties for a specific breach.

Civil HIPAA penalties

HIPAA violations committed without malicious intent fall into the category of civil penalties. What’s the most common reason for these violations? Most of the time, it’s because healthcare employees or covered entities don’t know the HIPAA Privacy Rule. Yet, unawareness or negligence of HIPAA standards is not an excuse for escaping a penalty.

Criminal HIPAA penalties

Intentional HIPAA violations, such as disclosing or selling personal health information, are a crime. The criminal penalties for these violations can be severe and restitution may be also paid to the victims. A covered entity that committed a HIPAA violation must settle it with OCR and state attorneys general.

The height of the criminal penalties depends on the following factors:

• the seriousness of HIPAA violations

• the length of time that the violation has been taking place

• the number of violations identified.

Who issues penalties?

HIPAA is a Federal regulation. So you might assume that penalties are issued exclusively by the Federal Government. However, the actual situation is more complex. Covered entities should be familiar with all regulatory bodies in their specific business sector.

The Office for Civil Rights (OCR)

To start with, the Office for Civil Rights processes most HIPAA violations and issues penalties. OCR is part of the Department of Health and Human Services (HHS), and it has a general bias towards negotiation instead of penalizing organizations.

As a rule, before mandating penalties, OCR will issue technical assistance and monitor voluntary compliance agreements with covered entities. However, if breaches persist, OCR will launch civil cases to demand HIPAA violation penalties. This is particularly likely if covered entities have a previous history of repeat violations.

OCR has the power to launch civil proceedings. But it can also pass HIPAA cases to the Department of Justice (DOJ) to handle criminal violations. So a violation at the federal level can lead to jail time alongside large financial penalties.

State-level Attorneys General

HIPAA penalties may also be issued at a state level by Attorneys General. Attorneys General can use powers granted by the 2009 HITECH Act to launch lawsuits against organizations breaching HIPAA rules. These suits are civil cases, so they do not lead to prison sentences. But they can result in large financial penalties.

Additionally, HIPAA violations can stretch across state boundaries. In these situations, covered entities may face lawsuits from numerous Attorneys General. This multiplies the financial cost of non-compliance.

Internal penalties

Proactive organizations may also create policies to penalize staff members when they violate HIPAA regulations. This could be developed autonomously, or in collaboration with the Office for Civil Rights as part of compliance strategies.

Internal penalties tend to range in severity and seek to deter unsafe behavior when handling patient data. They are an important data security measure, especially when deployed with mandatory security training.

How can NordLayer solutions mitigate HIPAA risks?

Violating HIPAA suggests that your data protection measures are below the standard needed in today’s digital marketplace. That’s why organizations need modern security solutions that easily adapt to the complexities of today’s hybrid working environments and HIPAA rules. All locations, users, devices, apps, and data must have the same advanced level of protection. 

With Nordlayer’s solutions, you can secure access to sensitive information, prevents reputational, legal, and financial damage, and helps achieve HIPAA compliance.  Whatever area of healthcare you work in, Nordlayer is ready to help you succeed. Get in touch and discuss your options today.

Board of Innovation is a global innovation firm imagining tomorrow’s products, services, and businesses – and creating them today. The company joins forces with the world’s most ambitious businesses to make what life needs next.

Working with prospects and new ideas requires creative flexibility that the company initially doesn’t want to block with security restrictions and limitations. On the other hand, protecting business and client data remains one of the company’s top priorities. Hence, Mehdi Lahmamsi Pinel, Global Operations & IT Manager at Board of Innovation tells how juggling those equally important things in the context of cyber threats aligns with the right security approach. 

The challenge

Trust over control within client confidentiality

The company culture at Board of Innovation is based on trust and employee enablement. These are critical elements for a creative industry. To succeed, the company is remote-first, and collaboration with freelancers and consultants of different backgrounds supplements full-time employees to generate new-of-the-kind products and services.

“Board of Innovation team is diverse as we have around 100 people of about 30 different nationalities in 60 places varying in cities, countries, and continents.”

Click to tweet

Yet, with a dynamic network of company innovators, consultants who move to client facilities, and third-party partners, IT managers face many challenges maintaining high levels of security that don’t interfere with team workflow.

“Business with client companies makes data security and confidentiality imperative, balancing it with the IT Manager’s responsibility to ensure the team works efficiently and effectively.”

Click to tweet

Board of Innovation works with high-profile companies and industry leaders. High traffic of changing projects, collaborators, and partners also requires precise supervision to mitigate the risks.

Since employees are unrestricted with their choices of how they want to work, self-awareness of the entire organization must be on board to achieve security goals. But how does one define the proper data protection standards and make security implicit yet not dominant? It’s a tough and subtle challenge for the IT manager to tackle.

The solution

Depicting minimums of must-security

With evaluation of team setup, work environments, and the need for flexibility, a VPN solution was the most straightforward tool for Board of Innovation. It enables many different security protocols defined in the company. One of the policies is establishing a safe connection to the company network — this is where NordLayer comes into play.

A newly assigned IT manager started by reviewing the then-current cybersecurity strategy applied in the organization. Deployed by the previous responsible manager, Board of Innovation already had an ongoing NordLayer subscription. Yet, it needed a strategy that fits company culture to its benefit.

“I’ve started by revisiting and improving the existing cybersecurity setup. NordLayer was there but not utilized to its fullest potential.”

Click to tweet

So what needed to be added to create a sound cybersecurity strategy that works?

The company has a secure network access solution in place. VPN is a mandatory factor of encrypted connection, and every organization member has to familiarize themselves and agree to data protection policies.

“Whether our collaborators and employees use personal or corporate devices for the job, they must acknowledge internal IT security policies to follow.”

Click to tweet

Board of Innovation follows a streamlined approach to managing its workforce — company policies define access levels to internal data. To put policies into force, corporate devices became a connecting point for every user with access to company resources.

“Mandatory apps like NordLayer and tools for password management, specific internet navigation, and work organization are pre-installed by default. That’s how we enforce security via device management on corporate devices.”

Click to tweet

Having the tools that fulfill internal and client data security requirements relieves the security manager from dependency on employees. And having those corporate devices set up and readily distributed to the hands of the workforce is half the job done.

Users have to launch VPN once connecting to untrusted networks wherever and whenever they work, and the admin can supervise the whole process if the rules are followed.

Why choose NordLayer

Creative freedom and trust are the fou
ndation of the Board of Innovation culture. Thus, any tools and solutions used to keep up with the security requirements must be convenient and simple, enabling and not disrupting the workers.

The organization decided to keep the NordLayer solution due to its user-friendliness. Moreover, the well-known service provider has to sustain being a reputable vendor of a safe and efficient solution.

Role and endpoint management leaves more space for protecting digital company assets by enforcing authenticated user identities. More granular network access segmentation enables careful supervision over the organization members. 

How NordLayer enables data security on different network layers

Systems and policies allow the IT manager to achieve consistency in business processes and operations. Having an overview on the NordLayer dashboard makes it easier to see who complies with the rules, like having the 2FA enabled. Moreover, or get a report of the connection history.

The outcome

Streamlined consistency aligned with internal policies 

Now, Board of Innovation has all workforce onboarded to the NordLayer solution. The solution present in every corporate device and combined with two-factor authentication makes it easier for the IT manager to ensure policies are up and running.

“We distribute NordLayer licenses to all organization members and contributors as a basic rule in our company. We aim to reinforce security policies in as many places as possible.”

Click to tweet

The remote network access solution enables the organization to collaborate with various clients, partners, and freelancers. Managing access to internal resources and project information creates barriers to stopping data leaks and breaches. And importantly, security policies don’t overcome and interrupt innovators’ creativity and workflow.

“Using NordLayer is so easy — simply open the user interface, choose a gateway, get connected, and here you go.”

Click to tweet

All that is left for the IT manager is to distribute access and privileges to internal resources according to the company policies and check that everyone is on board with the process. 

Pro cybersecurity tips

Sharing best practices is what helps businesses of any industry innovate in their own way of security. Creating a strategy for protecting the company network and securing information of different levels can be based on the most unconventional and unexpected advice. Thus, this time just like every time, we asked Mehdi Lahmamsi Pinel, the Global Operations & IT Manager at Board of Innovation, to share his professional insights on business cybersecurity:

Have you ever hesitated to impose security policies because they might overcrowd business operations and disrupt employees’ daily work? Creative freedom and simplicity can remain a priority since cybersecurity doesn’t have to become dominant yet effective and efficient.

NordLayer solution secures and enables every way of working, even if you want to prioritize trust and flexibility. The application, running in the background, simply does its job encrypting connections and segmenting the teams wherever the employees are. They can combine organization-provided devices with personal endpoints securely enabling BYOD policy within the company and IT managers can attend to their work stress-free. Sounds good? Reach out to learn more about NordLayer possibilities.