Highly regulated industries are under increasing threat from cybercrime
Organisations in highly regulated sectors face daily pressures on all aspects of their businesses. Cybercriminals consider the data held by those in financial services, insurance, or healthcare particularly valuable due to the nature of these sectors. Therefore, the threat cybercrime poses to highly regulated organisations is growing constantly.
Attacks are also increasing in sophistication and frequency. Cybercriminals are finding new ways to access systems and data, sometimes without the company even realising it has been compromised.
Attacks on highly regulated sectors are increasing all the time
The international law firm RPC has found that cyber breaches reported by UK financial services companies more than tripled from 187 between July 2021 and June 2022 to 640 between July 2022 and June 2023, a considerable increase highlighting the threat facing such regulated sectors. The UK pension scheme sector saw the most significant growth, with reports of breaches going up by 4,000%.
Equally, US research has shown that cybercriminals target another highly regulated industry: healthcare. The research found that 106 million US citizens were impacted by cyber-attacks undertaken against healthcare organisations in 2023, the equivalent of 1 in 3 Americans. This is double the number of individuals affected in 2022. It is not just in the US, either. Ransomware attacks hit 81% of UK healthcare providers in 2022. With 38% of providers paying the ransom, it becomes clear why cybercriminals are upping their efforts to target highly regulated sectors.
Regulated sectors face numerous challenges
By nature, organisations within highly regulated sectors face complex challenges that can disrupt their ability to defend themselves effectively from cyber-attacks.
They are surrounded by regulatory landscapes that impact almost every aspect of their business, and ensuring adherence to them is an all-encompassing task. This is set against stagnant or decreasing budgets, making decisions on where to allocate money increasingly difficult. This is especially so for smaller organisations with fewer resources.
Another major challenge for organisations providing customer/patient-facing services is aligning regulatory and budgetary restraints while ensuring decisions do not impact front-line services. This continuous effort to balance and manage regulatory, budgetary, and service pressures can mean that the most immediate demands take priority over future threats.
As a result, cyber security can often take a back seat in the priority list, which can be dangerous for those in highly regulated sectors.
Cyber security should remain a continuous priority
As we have seen, the threat from cybercriminals is growing all of the time, and the result of any breach can be disastrous from a financial, regulatory and reputational perspective. Therefore, all highly regulated organisations should be looking to ensure that systems are secure and that any vulnerabilities are closed.
This may seem huge and somewhat daunting, considering all that companies have to deal with. However, cyber security must remain a priority for highly regulated companies. Although regulations can play an important role, they cannot be seen as a complete solution.
Too often, adherence to regulation can be treated as a tick-box exercise and quickly forgotten once compliance has been achieved, especially when so many other challenges have to be dealt with. The continuously evolving threat from cybercriminals means that this is not an effective way of defending systems. Adherence to regulation should be seen as a starting point rather than the endpoint, and it has to be approached with a proactive mindset.
Regulatory authorities are starting to help
Regulatory bodies have started introducing various steps to encourage highly regulated companies to ensure that cyber security is an ongoing and integral part of the business.
The US Department of Health and Human Services (HHS) has added cyber security goals to help prioritise implementing high-impact cyber security practices in healthcare organisations. Split between Essential and Enhanced goals, the HHS is providing healthcare organisations in the US with a plan to ensure cyber security remains a priority and is implemented throughout organisations.
Similarly, in the financial services sector in Europe, the DORA regulation aims to ensure that companies in that sector are robust in the face of a cyberattack or other IT incident. DORA will apply from January 2025 and will likely be robustly policed. Financial services companies must prove they can continue with day-to-day business even if a cyberattack occurs or they lose access to their IT systems for other reasons.
How can IT consultancies help fight cybercrime?
With the threat from cybercriminals increasing, budgetary pressures on companies in highly regulated organisations ramping up, and regulatory bodies implementing new steps to ensure IT systems are robust, it is understandable that keeping cybercriminals out is a hugely daunting task for some, especially smaller companies with fewer resources. This situation calls for a focused approach to operational resilience and risk management.
Some are turning to consultancies that can help internal teams monitor and understand the nature of the new threats. They can shore up front-line defences and monitor potential vulnerabilities in supply chain partners’ systems, which often offer cybercriminals an accessible route in. Experts in IT consultancies are also well-placed to ensure adherence to regulations and that cyber security is an ongoing and well-maintained part of the IT function, addressing supply chain attacks, third-party risk, and operational resilience.
The consequences of being breached are more severe than ever. Cybercriminals actively target highly regulated industries, so cyber defences cannot be lost under other day-to-day pressures. Turning to IT consultancies can take some pressure off internal teams while ensuring the best possible chance of keeping cybercriminals out, enhancing incident response and operational resilience.