Military-grade cybersecurity is crucial for the most regulated companies in the market.

• Regulated industries must assess whether they are taking adequate measures to improve their cybersecurity standards as cyber threats become more advanced.
• Cybersecurity measures for regulated industries prioritize prevention over detection and are highly proactive, according to some cyber experts, following hacks and system failures at AT&T, United Health, and Delta Air Lines.
• Organizations in regulated industries face significant hurdles when designing cyber defenses, including high costs, the need for specialized personnel, and potential compatibility issues with existing systems.

Hackers are taking advantage of CrowdStrike's IT outage on July 19 by posing as legitimate support sources in phishing campaigns, in an attempt to gain unauthorized access to corporate networks.

"According to Javad Abed, an assistant professor of information systems at Johns Hopkins Carey Business School, when your system is down, it presents the best chance for hackers to compromise your data. Therefore, multiple layers of security are necessary, and redundancy is crucial. It is essential to assume that threats will occur and construct your security around zero trust."

The CrowdStrike incident, which caused disruptions in healthcare, airlines, and financial services, and cost Delta Air Lines an estimated $500 million, highlights the vulnerabilities that can occur even with the advanced capabilities of leading cybersecurity firms. This incident underscores the need for a reassessment of current defenses, especially in regulated industries where the stakes are high and the threats are constantly evolving.

Are regulated industries taking adequate measures to improve their cybersecurity standards amidst the growing sophistication and persistence of cyber threats?

Abed believes that more should be done to address the issue of security being viewed as a cost by business owners. He stated, "Spending money on security is an investment and should not be considered a cost." He advised finance, health care, and other regulated industries to consider their specific needs and use military-grade components to tailor their defenses.

Abed describes military-grade cyber defense as a highly proactive approach that prioritizes prevention over detection through advanced threat intelligence, real-time data analytics, machine learning, and predictive modeling. He notes that it employs the highest encryption standards and complex access control systems, often incorporating biometric verification and smart cards. In contrast, Abed explains that traditional cybersecurity methods primarily focus on detection and response, utilizing less stringent encryption and simpler authentication methods.

Implementing military-grade cybersecurity can be challenging due to high costs, the need for specialized personnel, and potential compatibility issues with existing systems. As Abed pointed out, some military-grade strategies may interrupt the operation or cost more than the revenue, making it unwise to employ them.

Gradually, they can implement the technologies, controls, and strategy by assessing how much they can compromise in various aspects of their business process.

Regulated industries are a prime target

In 2024, industries that handle sensitive information are at a higher risk of data breaches, with health care, finance, and industrial sectors being the most affected. The cost of data breaches in these industries ranges from $9.77 million to $6.08 million, with technology not far behind at $5.45 million per breach, according to the latest annual report from IBM and the Ponemon Institute.

Cole Two Bears, vice president of security services at ThinkGard, stated that these industries have strict cybersecurity requirements. He emphasized that non-compliance can result in significant fines, with the amount varying based on the level of negligence and whether the violation was promptly corrected. He added that the risk of data breaches is not limited to the U.S. In 2022, Didi was fined over $1 billion by China for breaking data security laws, and Amazon faced an $877 million fine in 2021 for violations of the European Union's General Data Protection Regulation.

Cyber threat landscape

Since 2023, there has been a 180% increase in the use of vulnerabilities as an initial access point for breaches, according to the 2024 Verizon Data Breach Investigations Report. On average, it takes organizations 55 days to remediate 50% of critical vulnerabilities, providing threat actors with enough time to exploit weaknesses.

While vulnerability exploitation is a common method used by cyber criminals to infiltrate organizations, human error accounts for the majority of incidents, including employees falling victim to phishing attacks and mishandling data internally. Credential attacks accounted for 33% of breaches over the last decade, and supply chain attacks, involving third-party vendors or partners, increased from 9% to 15% since 2023. The number of ransomware attacks worldwide grew by 74% in the past year, and significant breaches in the past year include AT&T's massive data breach, exposing nearly all of its 241 million wireless customers; the Cencora breach, affecting data from 11 major drug companies; and the cyberattack on UnitedHealth's Change Healthcare, compromising data from an estimated one-third of Americans and costing $22 million in ransom.

According to Two Bears, generative AI is the primary reason for things to deteriorate further. He also mentioned Gen Z as a growing threat. Over the next five years, if the economy does not improve, Gen Z may be more likely to commit fraud due to their hopelessness about their economic future in America. Therefore, it is essential to be concerned not only about external threats but also internal users.

The economic downturn serves as a driving force, particularly in the tech and IT sectors, prompting employees to engage in more deliberate attacks within their organizations.

Gary Orenstein, chief customer officer at Bitwarden, emphasized that while military-grade cybersecurity provides strong protection, the human element is still crucial. Industries that are regulated must strike a balance between utilizing advanced technology and effectively managing personnel and educating employees to safeguard against constantly evolving cyber threats.

"In the end, it all boils down to individuals," Orenstein stated. "The majority of security breaches can be traced back to employees who lack proper habits. It's no longer possible for individuals to ignore this issue because the repercussions are too severe."

Dashlane's chief technology officer, Frederic Rivain, believes that human error is the most common infiltration method and that education is crucial, rather than relying on military-grade defenses.

Rivain emphasizes the importance of best practices and tools to guide employees in ensuring security is a lot of common sense, including proper credential hygiene and avoiding unnecessary risks.

Generative AI tools are making it harder for recipients to identify phishing emails, regardless of employee education, according to Two Bears.

"Although multifactor authentication is crucial and necessary, it's not enough on its own. You must also have multiple layers of security to prevent threat actors from gaining access."