Today BitSight published our most recent BitSight Insights report, Beware the Botnets: Botnets Correlated to a Higher Likelihood of a Significant Breach. In this report BitSight identifies a strong correlation between botnet infections and publicly disclosed breaches. To arrive at this finding, BitSight used the botnet grades that are available to all customers in the Security Ratings platform. These letter grades, which are available for a wide range of risk vectors, show how a company performs relative to others. For event-based risk vectors the grades account for the frequency, severity, and duration of observed events; for diligence-based risk vectors they reflect record quality, evaluated against industry-standard criteria.
By analyzing a statistically significant subset of companies, BitSight found that companies with a BitSight botnet grade of B or lower were more than twice as likely to experience a publicly disclosed data breach as companies graded A. Botnets are networks of computers that have been compromised or infected with malicious software and are controlled as a group by an adversary without the owners’ knowledge. A botnet infection means that an attacker has code running on a system and can direct that system remotely, with partial or, in many cases, complete administrative control. Although a botnet compromise does not always equate to data loss, it invariably means that one or more protective controls have failed and that the confidentiality, integrity, or availability of at least some data or systems is at risk. This finding has far-reaching and important implications for security and risk professionals, as well as executives, in managing risk to the enterprise:
Vendor Risk Management: Risk managers and security teams can leverage this finding to communicate with vendors about the possibility of data loss in their information supply chain. It is also useful information when evaluating new vendors.
Benchmarking Security Performance: Businesses can easily benchmark this important metric against peers and industry averages. CISOs can more readily discuss, and answer questions about, their organization’s risk of a breach compared to others.
Cyber Insurance: Underwriters are looking for actionable metrics to understand a company’s susceptibility to a breach. By analyzing botnet grades, insurers can become better informed of a company’s likelihood of a breach before underwriting a policy. They can also use this information to actively monitor their insureds.
Mergers & Acquisitions: Companies that are actively looking to acquire or merge with another company can leverage this information to assess the possibility of data loss events of a potential acquisition target.
This report also analyzed key findings of five major industry sectors: Finance, Retail, Healthcare, Utilities and Education. Echoing BitSight’s previous research on the topic, our analysis uncovered some major differences between industries in relation to botnet grades. Some key highlights:
Utilities was a poor performer, with more than 52% of companies falling below the A threshold. Because this sector is tasked with protecting the nation’s critical infrastructure, this is an important issue that should be addressed. In addition, BitSight has observed some complex and potentially harmful botnets targeting the industry.
Retail and Healthcare are middle-of-the-pack performers, but they are by no means secure. Both industries were hit by major breaches in the past year, even though more than half of their companies received A grades for botnet remediation; a good sector-wide grade does not make any individual company safe.
Finance continues to be the top performer, with 74% of companies earning a grade of A. This is likely due to the industry’s focus on regulatory compliance and its culture of awareness of cyber threats.
Education fails to make the grade, with a mere 23% of schools and universities earning an A. More than 33% of these institutions are failing (a grade of F), as the sector struggles to protect campus and educational networks. This finding echoes our previous Insights report on college security performance.