Cyber security threats are arguably the most significant dangers organisations face – but as we explain in this blog, the problem is worse for some sectors than others.
After our sister company reviewed more than 1,000 publicly disclosed security incidents in 2020, we’ve highlighted the five sectors most vulnerable to cyber attacks.
1. Healthcare and health sciences
For the second year in a row, the healthcare and health sciences sector was the most vulnerable to cyber security breaches.
IT Governance recorded 240 publicly disclosed incidents in the sector, which equates to 21% of all recorded breaches.
The healthcare sector isn’t inherently more vulnerable to breaches, but it is subject to tighter regulatory pressure, which means a larger share of its incidents are reported publicly.
This is particularly true in the US, where personal information is protected by a patchwork of industry-specific federal laws and state legislation, whose scope and jurisdiction vary.
The healthcare sector is among the strictest, with the HIPAA (Health Insurance Portability and Accountability Act) mandating that a data breach must be reported within 60 days if it affects 500 or more people.
That’s still more lenient than the GDPR (General Data Protection Regulation), under which any breach that poses a risk to people’s rights and freedoms must be disclosed within 72 hours, but it brings more transparency to the data protection landscape than most other US sectors enjoy.
This is especially important given that healthcare breaches may reveal not just names and addresses but also medical issues that can affect victims’ reputations.
2. Public sector
IT Governance recorded 205 data breaches in the public sector, which equates to 18% of all reported incidents.
It shouldn’t come as a surprise that public-sector organisations are popular targets for cyber criminals, given that they provide essential services and collect vast amounts of personal data.
Local government in particular has been under severe strain, with criminals favouring ransomware attacks designed to cripple administrative processes, including tax services, welfare systems and property maintenance.
There were also many instances of government employees inadvertently leaking data. One of the most common ways this happened was sensitive information being emailed to the wrong person.
Similarly, there were several cases where multiple people were Cc’d into an email, rather than Bcc’d, meaning everyone in the chain could see who else received the data.
3. Technology
IT Governance recorded 158 data breaches in the technology and media sector, which equates to 14% of all incidents.
Although the number of incidents was comparatively low, the extent of the damage per breach was astronomical. Those incidents accounted for 3.3 billion breached records, almost three times as many as the healthcare sector (1.2 billion).
This is perhaps to be expected, as organisations in the technology and media sector tend to collect a greater number of records on customers – which, depending on the nature of their business, may include location-tracking data, IP addresses and biometric data.
These kinds of details generally pose a lower risk than, say, financial or medical records, but they can still prove useful to attackers.
For example, an IP address can be linked to an approximate physical location, which helps criminals tailor their scams.
Organisations should also note that, with some details – such as biometric data – the threat is as much about the affected individual’s privacy as about the possibility of fraud.
4. Education
IT Governance recorded 157 data breaches in the education sector, which equates to 14% of all incidents.
However, these incidents were more extensive than those in the healthcare and public sectors, which should be a big concern.
That’s because the majority of these records involved children’s data, which is subject to specific protections under the GDPR.
The most common cause of data breaches in schools was ransomware. Without the resources to adequately protect their systems, and with strong pressure to remain operational, schools faced a barrage of attacks in 2020.
5. Retail and leisure
IT Governance recorded 101 data breaches in the retail and leisure sector, which equates to 9% of all incidents.
Those incidents accounted for 592 million breached records, with incidents occurring in a variety of ways, befitting the broad nature of the sector.
Some of the larger disclosed incidents involved breaches of online stores, with criminal hackers gaining unauthorised access to personal and financial data.
Others were the result of vulnerabilities in booking systems, with sensitive information leaked online. Hotels, travel agencies and online services were among those that fell victim in this way.
How to secure your organisation
With security incidents on the rise and increased regulatory pressure to protect personal data, cyber security has never been more important – particularly for organisations in the sectors discussed here.
For many, the solution has been the international standard for information security management, ISO 27001.
By following its advice, you will develop a systematic approach to information security that enables you to achieve effective risk management in a simple way.

Find out how the Standard can help your organisation by downloading Cyber Security and ISO 27001 – Reducing your cyber risk.
This free green paper:
- Helps you understand the threat landscape;
- Explains ISO 27001 and its benefits; and
- Outlines our nine-step approach to ISO 27001 compliance.