Having covered the start-up vs. corporate question before, we thought we would look into which industry is currently most at risk of cyber attack. According to the Wikipedia entry ‘list of data breaches’, which contains a list of data breaches (spoilers), out of 255 data breaches over the last 15 years, the hardest-hit industry was ‘web’. Now, this raises several questions. Firstly, what am I doing using Wikipedia for research purposes? Well, that’s easy enough to answer. It got me through university and I’m not about to change my habits now. Secondly, what is meant by ‘web’? One would assume it’s a business whose revenue is entirely dependent on online activities. That seems a solid theory to go on until Sony Pictures turns up in this category and ruins everything.
The second most hit industry on this list is more interesting and just a little bit concerning: healthcare. The healthcare industry has suffered a good many data breaches over the years. I don’t want to bring up the whole WannaCry NHS incident again, but we’re talking healthcare and cyber security, so it’s inevitable. Whilst not technically a data breach, this attack temporarily crippled many branches of the National Health Service.
According to various sources, each of which has given its top five industries most likely to be hit by a cyber attack, healthcare sits at the number one spot. There seems to be little consensus as to what makes up the other four, but everyone’s in agreement that healthcare is set to be bombarded by digital ne’er-do-wells.
This is not particularly surprising, as hacking has rarely been particularly focussed. Criminal groups tend to operate independently and are simply looking for ways to monetise their misdeeds, so it ultimately comes down to hacking what they can. Given the state of many healthcare organisations’ IT setup, this makes them a top target. State-backed campaigns and corporate espionage are a different box of frogs altogether, and trying to say anything concrete on that in these charged and precarious times is difficult.
Attacks on this kind of institution are worrying for obvious reasons. If someone gets hold of your personal data by hacking a retail company, they’re likely to get email addresses and passwords. In a worst-case scenario, they’ll get credit card details (unencrypted if the company is particularly negligent). A data breach in healthcare could see highly sensitive data fall into the wrong hands. Medical histories, prescription details, addresses and a lot more could suddenly find their way onto the dark web. It’s not inconceivable to suggest that hackers could use this information to fraudulently obtain prescription drugs to then sell on, just as it’s entirely plausible that malicious actors could alter records, putting patients at risk.
You may think that those clever doctors and nurses staffing the world’s hospitals will be able to pick up on this sort of thing. However, recently, a computer error led to a patient getting 38 times his dosage. I’m glad that the biggest mistake I can make is putting an apostrophe in the wrong place, and even then, it doesnt’ really matter.
Perhaps most worrying of all is the fact that scanning activity and even malicious software have been detected on complex medical equipment, such as X-ray machines. Theoretically, if hackers can infect an X-ray machine, they can influence what it does. I’m not trying to suggest that they could give people a more potent blast of radiation than expected, but that’s only because I don’t know how X-ray machines work. The more likely scenario is that the machines could be rendered unusable, causing delays in treatment and a tighter squeeze on already strained services, not to mention a distinct lack of superheroes.
Whilst there is the possibility that the healthcare industry might be an appealing target for state-sponsored attacks, the main reason it’s so susceptible at the moment is due to our old friend, out-of-date software. This potent issue was highlighted as the biggest threat in our 2019 Cyber Security Report.
Understandably, the healthcare industry is always the last to update its software. In every hospital there are a lot of computers that are needed to fulfil a lot of different tasks. Most people in hospital are forced by circumstances to be there, and coming back a week later because the hospital is undergoing a technical overhaul is rarely an option.
Vulnerabilities are being discovered all the time. Whilst most companies (broadly speaking) have the time and resources to update their equipment and software as and when, healthcare institutions worldwide do not. Resources are perennially stretched, and they’re keeping people alive 24/7.
To a certain degree, there’s no such thing as ‘out of hours’ for a hospital. This often means hacking methods that are ineffective elsewhere are successful here. Hacking groups are not necessarily known for their strong morals, so the fact that they risk damaging patient care is not likely to stop them. As stated previously, hackers hack what they can. Outdated software means they can, with ease.
Budget: no other word in the English language is as simultaneously boring as it is profound. The world is effectively run on a budget, and the healthcare industry has an incredibly finite one. Financial restraints also prevent hospitals and care homes from upgrading to more secure operating systems.
Much of the NHS is being kept afloat by Windows 7 or even XP – which is by no means a bad OS, but its final release was ten years ago, and new vulnerabilities are discovered regularly. In some cases, the healthcare industry is so far behind technology-wise that upgrading en masse is not financially feasible. Instead, medical organisations will have to upgrade bit by bit.
Of course, in the wake of that (yes, here it comes again) infamous WannaCry incident, which took advantage of the EternalBlue exploit, deals have been struck to get the NHS upgraded to Windows 10 as soon as possible. Across the globe we seem to be waking up to the threat of a cyber attack in any and all areas. However, the fact that security will soon be ramped up may mean that, in the short term, we see a surge in malicious activity. Hackers will be desperate to get in there before it’s no longer possible.
First of all, healthcare organisations need to upgrade their systems. It’s a hard task, but it is essential. After that, regular security audits, training, penetration tests and active monitoring need to take place. Usually, the first stage of an attack is reconnaissance. Scans are launched against an organisation, probing for a way in. If a business is monitoring the right things, all suspicious scanning can be investigated, and offending IPs can be blocked at the perimeter.
Not only that: many healthcare providers could benefit from active threat hunting. Trained security analysts can investigate other suspicious activities. From unexpected logins or user behaviour to potentially malicious files being transferred and file alterations, anything can be picked up quickly and resolved before any damage is done. We’ve protected businesses from persistent threats that could well have been passed off as nothing if left to monitoring alone.
This may not seem entirely feasible for the likes of the NHS, though certain individual trusts have been moving towards SIEM technology. Adequate segmentation could allow for monitoring to take place on certain problem areas, e.g. the publicly facing assets.
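The reconnaissance monitoring described above, as an added example that is not Bulletproof’s code: a small detector that reads perimeter firewall log lines and flags a source that probes many distinct ports in a short window, producing a list an analyst can review before anything is blocked. The log format, IP addresses and thresholds are constructed for illustration.

```python
# Added example (not Bulletproof's code): flag reconnaissance-style port sweeps in
# perimeter firewall logs, i.e. one source probing many ports in a short window.
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample lines: "<ISO time> <src_ip> <dst_ip> <dst_port> <action>"
SAMPLE_LOG = """\
2019-05-01T09:00:01 203.0.113.7 192.0.2.10 22 DENY
2019-05-01T09:00:02 203.0.113.7 192.0.2.10 23 DENY
2019-05-01T09:00:02 203.0.113.7 192.0.2.10 80 ALLOW
2019-05-01T09:00:03 203.0.113.7 192.0.2.10 443 ALLOW
2019-05-01T09:00:04 203.0.113.7 192.0.2.10 3389 DENY
2019-05-01T09:00:05 198.51.100.4 192.0.2.10 443 ALLOW
2019-05-01T09:10:00 198.51.100.4 192.0.2.10 80 ALLOW
2019-05-01T09:30:00 198.51.100.4 192.0.2.10 22 DENY
garbage line that a real log export might contain
"""
PORT_THRESHOLD = 5              # distinct ports that count as a sweep (assumed)
WINDOW = timedelta(seconds=60)  # sliding window length (assumed)

def parse_log(text):
    """Yield (time, src_ip, dst_port); malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, _dst, port, _action = parts
        try:
            yield datetime.fromisoformat(ts), src, int(port)
        except ValueError:
            continue

def detect_scanners(text, threshold=PORT_THRESHOLD, window=WINDOW):
    """Return {src_ip: most distinct ports seen in one window} for sources at or
    above the threshold. 198.51.100.4 trickles in over 30 minutes and is not
    flagged; 203.0.113.7 hits five ports in four seconds and is."""
    by_src = defaultdict(list)
    for ts, src, port in parse_log(text):
        by_src[src].append((ts, port))
    flagged = {}
    for src, events in by_src.items():
        events.sort()                      # walk each source's events in time order
        start = 0
        for end, (ts, _port) in enumerate(events):
            while ts - events[start][0] > window:  # slide window start forward
                start += 1
            ports = {p for _, p in events[start:end + 1]}
            if len(ports) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(ports))
    return flagged
```

Flagged sources are candidates for investigation and, if confirmed, a perimeter block; widening the window or lowering the threshold trades fewer missed slow scans for more noise from legitimate clients.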
Whilst healthcare may sit at the top of everyone’s ‘at risk’ list, if the right steps are taken this will certainly change. The right steps will be taken out of necessity should a pattern of attacks emerge. In a wider view, it’s important to realise that every industry is at risk and can be targeted at any moment. Hackers are many and varied; they are not all motivated by the same goal or going after the same targets.
All organisations are responsible for their own security posture. This can be strengthened by strong app design and infrastructure management, which can be tested with a thorough penetration test. Ongoing active monitoring can add another line of defence and help with remediation and forensic investigations. Make sure you’re doing your bit to ensure your industry doesn’t creep to the top of the list.
Joseph is a Communications Executive and Security Blogger who has contributed articles covering a range of topics including staying ahead of cyber threats.