• As cyberthreats become increasingly sophisticated, regulated industries need to look at whether they're doing enough to elevate their cybersecurity standards.
• Military-grade cyberdefense for regulated industries is heavily proactive and emphasizes prevention over detection, and some cyber experts say it is critical after hacks and systems outages at AT&T, United Health and Delta Air Lines.
• High costs, the need for specialized personnel, and potential compatibility issues with existing systems are significant hurdles that organizations must consider when designing cyber defenses for regulated industries.

As organizations scramble to patch vulnerabilities caused by CrowdStrike's massive IT outage on July 19, hackers are exploiting the situation by impersonating CrowdStrike in phishing campaigns, posing as legitimate support sources for affected businesses to gain unauthorized access to corporate networks.

"When your system is down, it creates the best opportunity for hackers to compromise your data," said Javad Abed, assistant professor of information systems at Johns Hopkins Carey Business School. "That's why multiple layers of security are crucial. Redundancy is key. You need to assume 100% that threats will happen and build your security around zero trust."

The CrowdStrike incident — which disrupted health care, airlines and financial services, among others, and cost Delta Air Lines alone an estimated $500 million — is a stark reminder that despite the advanced capabilities of leading cybersecurity firms, vulnerabilities can and do occur, prompting an urgent reassessment of current defenses, especially in regulated industries where the stakes are exceptionally high and the threats ever evolving.

This brings a crucial question to the forefront: In an era where cyber threats are becoming increasingly sophisticated and relentless, are regulated industries doing enough to elevate their cybersecurity standards?

According to Abed, more needs to be done. "Business owners still see security as a cost. That's what causes many problems," he said. "Spending money in security is an investment and shouldn't be considered a cost." Finance, health care and other regulated industries should consider their specific needs and tailor their defenses with military-grade components, he added.

Abed defines military-grade cyber defense as heavily proactive, emphasizing prevention over detection through advanced threat intelligence, real-time data analytics, machine learning, and predictive modeling. He says it also uses the highest encryption standards and sophisticated access control systems, often incorporating biometric verification and smart cards. Conversely, Abed explains that traditional cybersecurity methods focus more on detection and response, using robust but less stringent encryption and simpler authentication methods.

The implementation of military-grade cybersecurity is not without challenges. High costs, the need for specialized personnel, and potential compatibility issues with existing systems are significant hurdles that organizations must consider. "Some military-grade strategies may interrupt the operation or cost more than their revenue, so it may not make sense to employ it," Abed said.

The solution? A hybrid model, he says, makes the most sense. "Little by little, they can employ the technologies, the controls and the strategy by analyzing how much they can sacrifice in different aspects of their business process."

Regulated industries are a prime target

Organizations that handle sensitive information are a prime target for breaches. In 2024, regulated industries have witnessed a significant increase in both the number and cost of data breaches. The most affected industries are health care ($9.77 million per breach), finance ($6.08 million per breach), and industrial ($5.56 million per breach), with technology not far behind, at $5.45 million per breach, according to the latest annual report on the cost of data breaches from IBM and the Ponemon Institute. 

These industries have stringent cybersecurity requirements, said Cole Two Bears, vice president of security services at ThinkGard, adding that non-compliance comes with hefty fines, depending on the level of negligence and whether the violation was corrected promptly. The risk isn't limited to the U.S. In 2022, ride-hailing service Didi was fined more than $1 billion by China for breaking data security laws and Amazon faced an $877 million fine in 2021 for violations of the European Union's General Data Protection Regulation.

Cyber threat landscape

The exploitation of vulnerabilities as an initial access point for breaches has seen a 180% increase since 2023, according to the 2024 Verizon Data Breach Investigations Report. On average, it takes organizations 55 days to remediate 50% of critical vulnerabilities, giving threat actors ample time to exploit weaknesses.

However, vulnerability exploitation isn't the only method cyber criminals use to infiltrate an organization. According to the Verizon report, human error accounts for 68% of incidents, including employees falling victim to phishing attacks and mishandling data internally. Credential attacks accounted for 33% of breaches over the last decade, and supply chain attacks, involving third-party vendors or partners, increased from 9% to 15% since 2023. The number of ransomware attacks worldwide grew as much as 74% in the past year, according to Director of National Intelligence Avril Haines at a hearing on global threats in May.

Significant breaches in the past year include AT&T's massive data breach, exposing nearly all of its 241 million wireless customers; the Cencora breach, affecting data from 11 major drug companies; and the cyberattack on UnitedHealth's Change Healthcare, compromising data from an estimated one-third of Americans and costing $22 million in ransom.

"Things are going to continue to get worse," said Two Bears, citing generative AI as the biggest reason. He points also to Gen Z as a growing threat. "Something we're going to see over the next five years, unless the economy improves, is Gen Z willing to commit fraud, because they have such a hopelessness to their economic outlook here in America. So we not only have to worry about the threats coming from the outside, you also have to worry about your internal users," he said.

Abed agrees. "The poor economic condition is a motivator, especially in the tech and IT fields. Employees inside the organizations will do more intentional attacks."

While military-grade cybersecurity offers robust defenses, the human element remains critical, and regulated industries must balance advanced technologies with effective personnel management and comprehensive employee education to protect against ever-evolving cyber threats, said Gary Orenstein, chief customer officer at Bitwarden.

"Ultimately it comes down to the people," Orenstein said. "Most breaches are drawn back to an employee who doesn't have the right habits. I don't think it's an option anymore for people to skirt this, because the consequences are too drastic."

Frederic Rivain, chief technology officer of Dashlane, holds a contrarian view on the need for military-grade defenses. He argues that human error remains the most common infiltration method and believes education is crucial.

"Security is a lot of common sense. You need to ensure employees have proper credential hygiene and aren't exposed to unnecessary risks," Rivain said. He emphasizes the importance of best practices and tools to guide employees.

But Two Bears says that regardless of employee education, the increasing use of generative AI tools to craft highly realistic phishing emails makes it harder for recipients to identify them as fraudulent.

"Multifactor authentication is important, and you must have it, but you still need to have multiple layers," Two Bears said. "Without it, threat actors can still gain access."