While businesses may have become better prepared for direct cyberattacks, 2023 demonstrated that a business is only as secure as the organizations in its ecosystem. Third-party risk, which is to say any risk posed to an organization by external parties in its ecosystem or supply chain, was the headline culprit in 2023. This was largely due to the extensive impact of the CLOP ransomware gang's exploitation of the MOVEit Transfer vulnerability, as well as the rise of social engineering attacks such as business email compromise (BEC).
Kroll handles thousands of incidents every year and saw evidence of the MOVEit campaign having a significant impact on the most breached industries. In this year's Data Breach Outlook, Kroll ranks which industries continue to top the charts.
The Finance Sector Overtakes Healthcare for Most Breached Industry
In 2023, finance was the most breached industry, accounting for 27% of the breaches handled by Kroll, compared to 19% in 2022. Healthcare, which was in the spotlight in 2022, dropped to second place but still accounted for 20% of breaches, only slightly below its 22% share in 2022.
The financial sector is an attractive target for cyber criminals not only for the immediate financial gain but also for the wealth of sensitive customer information it holds. However, the 2023 increase in data breaches is likely due to CLOP ransomware activity impacting small- to mid-sized regional banks. Kroll also observed several cases in which financial institutions were affected by the CLOP exploitation indirectly: a third party they worked with was posted to the gang's victim-shaming site, exposing data related to the institution's customers. This type of activity and its impact underscores the fragility of organizational interdependence and the extent of third-party risk.
Further, the professional services sector moved up from the fifth most targeted industry in 2022 to third in 2023. This could be due to the steady rise in BEC cases particularly affecting this industry, with a high concentration of activity against legal firms attributed to the BLACKCAT ransomware gang. Indeed, from Q1 to Q3 of 2023, Kroll saw BEC attacks increase by 21%.
Third-Party Security Risks Caused Ripples Across Multiple Industries
While the finance and healthcare sectors battle it out for a gold and silver medal yet again, perhaps a more interesting story is found in the middle of the chart.