In the past year, many hacking attempts were detected worldwide, and many of them were successful. Data security is becoming more and more important in an increasingly digital world. However, all too often it is still very easy for cybercriminals to pursue their illegal activities, even though many flaws in IT security could be prevented rather easily.

Hackers do not solely focus on corporate targets

Criminals have got their eyes on data- this trend from past years has continued in 2018 as well. Last year, hackers successfully managed to get their hands on sensitive data and proprietary information, which they were then able to capitalise on. To do so they do not necessarily need to use the illegitimately acquired data themselves, nor do they need to be able to sell it. All they need to do is encrypt the accessed data in their victims’ system and demand a ransom to decrypt it again. 

Last year, attackers had their sights not only on corporate targets: they have increasingly come to realise and appreciate the potential value universities and medical facilities can have for their illegal purposes. Other important areas for attack were found in so-called critical infrastructures, such as industrial control systems. For those affected, the financial damages inflicted by cyberattacks are typically enormous; in the aftermath of such attacks, great efforts have to be made to re-establish IT security.

 

For hackers, e-mail is one of the main gateways to compromising their victims’ IT system. E-mail is by far the most-used method for communication in business – in 2018, worldwide over 280 billion e-mails were sent and received daily.

Undertaking an objective and scaled assessment of IT security and data breaches is not an easy endeavour. What factors play the biggest role? Is the amount of hacked data (or of affected users) to be deemed more important than the value of the data? Or is the financial damage that was caused by the attack a more important criterion than the ramifications that result from facilities whose IT systems were crashed?

Here, we list our top 3 data and security breaches of 2018; cases that best illustrated the most common problems and most clearly showed the grave consequences that can result from flaws in IT security. 

 

Top 3 data and security breaches of 2018

Number 3: Fürstenfeldbruck Hospital

In November 2018, a virus crashed the entire IT system of Fürstenfeldbruck hospital in Germany for several days. During that time, approximately 450 computers could not be used, and it was no longer possible to contact the hospital via telephone or e-mail. Patients could only be admitted to a limited extent, and patient data had to be recorded with pen and paper. Employees had to take care of tasks manually that used to be routinely executed by computers – ranging from documentation of medical treatments to the patients’ menu plan. Additionally, the hospital had logged out of the rescue control centre so that only life-threatening emergencies were taken to Fürstenfeldbruck hospital. A Trojan, hidden in an e-mail attachment, was the root cause for the fact that not a single computer in the hospital could function. After the attachment had been opened, the virus was able to quickly spread throughout the network and start causing damage. 

Number 2: US universities

In March of last year, the US Justice Department filed charges against nine Iranian citizens. They are alleged to have infiltrated, among other institutions, 144 universities in the United States. The attacks were conducted by spear phishing via e-mail; professors and other members of university were led to click on malicious links and tricked into entering their network credentials. The hackers attacked 100,000 user accounts overall and gained access to 3768 of them in the United States. According to the US Justice Department, the hackers stole 31 terabytes of data that contained proprietary information worth $3 billion

Number 1: UnityPoint Health

In 2018, hackers twice successfully attacked the medical care provider UnityPoint Health. First, at the beginning of the year personal data of 16,000 patients was affected by a phishing attack. However, the second cyberattack that occurred just a short while later was significantly more serious in its outcome. Yet again, hackers managed to infiltrate UnityPoint Health’s system via e-mail. They used a targeted phishing attack, where e-mails were seemingly sent by an executive of UnityPoint Health. As a result of this infiltration, hackers had access to internal e-mail accounts from 14 March to 03 April. Data of 1.4 million patients was affected, including medical data and treatment details, lab results, and insurance information. In some cases, even financial transactions were exposed.

 

Is protection against cyberattacks sufficiently prioritised now?

Hackers conducted their attacks in many ways in 2018, and 2019 will certainly be no exception to this. Sometimes it was an insufficiently secured server that became easy prey for cybercriminals, other times it was an elaborate phishing attack that fooled users. What all these cases had in common is that successful cyberattacks had grave consequences for those affected and often came at a high price.

Unfortunately, it appears that the alarms set off by attacks such as “WannaCry” have not been enough to result in appropriate IT security. Early last year, for example, all 200 British NHS trusts tested for cybersecurity failed – a clear indication that, despite all efforts up to this point, there does indeed remain a lot to be done.

GDPR has been in force since May 2018, manifesting a higher sense of priority that politicians placed upon data protection. Businesses now require a security strategy for their communications, since security breaches that violate data protection can result in severe financial penalties – another incentive to act and establish meaningful protection from cyberattacks. It is therefore no longer left up to the businesses’ discretion and moral stance on data protection whether they protect their data (inventory) or not.

But what is the main gateway for cyberattacks? Where is protection most urgently needed? The overwhelming majority of malware is transferred via e-mail; according to Verizon’s 2018 Breach Investigation report, it is a staggering 92 percent. With respect to attacks via e-mail, phishing is the most effective method for hackers, now executed in a more targeted way than ever before. Therefore, an increasing number of IT security experts consider phishing e-mails the biggest security threat they are forced to find an answer to.

Secure your business communication!

All over the world, e-mail is an accepted standard for business communication. Unfortunately, this is also the case for the majority of cyberattacks, as they are very often initiated by hackers via e-mail as well. However, this can also be an advantage for users: If they secure their e-mail communication sufficiently, they have already averted a significant percentage of cyberattacks!

The first step in securing e-mail communication is encryption. This way, transferred content can only be read by its sender and intended receiver(s). With Cryptshare, this is ensured. Additionally, when using Crypthshare, there are no longer any file size limits. Files attached to e-mails are very frequently a rich source for hidden Trojans, as was the case with Fürstenfeldbruck hospital. With Cryptshare, this is a thing of the past. Attachments are separated from the e-mail, checked for malware, and then stored on a server for the recipient to download.

Ease of use is paramount for any communication solution, since even the best solution is useless if users do not apply it. Thanks to its seamless integration, Cryptshare can be used in familiar work environments and requires neither laborious training, nor is it time-consuming to use.

Finally, the most important factor for data protection is the users themselves. It is often human error that precedes the biggest data and security breaches – and such errors are not external threats but come from within. This is often underestimated and is particularly problematic as unintentional violations of IT security are significantly harder to prevent. Therefore, it is crucial to raise users’ awareness for IT security risks to empower them to identify cyberattacks early on and to eliminate human error as much as possible. Particularly when it comes to phishing attacks via e-mail, intensive training is indispensable. When users are informed about the risks and are also provided with the appropriate tools to conduct their business communication in a secure way, this results in effective protection against cyberattacks.