Today BitSight released a new BitSight Insights Report. Our objective in publishing these reports is to share findings from analysis of the terabytes of security-incident data we gather every day. Because our outside-in approach measures security performance from externally observable evidence, we can assess performance by company, industry and region without any intrusive testing. This latest BitSight Insights discusses the security performance of four industries: Finance, Utilities, Retail, and Healthcare & Pharmaceuticals. We looked at the BitSight Security Ratings of companies in the S&P 500 Index that belong to these industries over a one-year period (April 2013 to March 2014). BitSight Security Ratings are calculated daily and range from 250 to 900, with a higher rating representing better security performance. Our findings may be surprising for some and validation for others. Finance performed best, followed closely by utilities. Retail rated third, and healthcare and pharmaceuticals came in last.
Below is a brief summary of findings by industry.
Finance tops the list. The Security Rating for the finance industry was the highest of all the industries analyzed, averaging 765 in March 2014. This industry also had the shortest average event duration, suggesting that it detects and responds to cyber threats faster than the others. Given the executive-level focus on cyber security in this sector and the large budgets dedicated to mitigating security risk, this finding comes as no surprise.
Utilities also shine bright. The average Security Rating for the utilities sector was 751 in March 2014. As in finance, the range of ratings within the utilities sector is relatively narrow, meaning the majority of companies are high performers. This came as a surprise to many, given all the media attention on the need to improve the security of our critical infrastructure. However, according to cyber security experts in the utility sector, the largest utilities (particularly those in the S&P 500 Index) are quite diligent in managing cyber risk.
Retail's poor performance continues. Of the four industries, retail is the only one that ended the period with a lower Security Rating than it started with. The average rating in March 2014 was 685. With all the recent breach announcements in this sector (Target, Neiman Marcus, Michaels and now Lowes), this finding comes as no surprise.
Healthcare and pharmaceuticals show signs of serious illness. Healthcare and pharmaceuticals saw their rating increase over the period, but still came in last with an average Security Rating of 660 in March 2014. As in the retail sector, the spread in performance across the industry is large, implying that many companies are seriously underperforming.