Will Healthcare Be the Next Retail?

Sonali Shah | May 28, 2014

Today BitSight released a new BitSight Insights Report. Our objective in publishing these reports is to share findings from analysis conducted on the terabytes of security-incident data we gather on a daily basis. Due to our unique outside-in approach to measuring security performance, we are able to assess performance by company, industry and region without any intrusive testing.

This latest BitSight Insights discusses the security performance of four industries: Finance, Utilities, Retail and Healthcare & Pharmaceuticals. We looked at the BitSight Security Ratings for companies in the S&P 500 Index that belong to these industries over a one-year period (April 2013 to March 2014). BitSight Security Ratings are calculated daily and range from 250 to 900, with a higher rating representing better security performance. Our findings may be surprising for some, and validation for others. Finance performed the best, followed closely by utilities. Retail rated third, and healthcare and pharmaceuticals came in last.


Below is a brief summary of findings by industry.

Finance tops the list. The Security Rating for the finance industry was the highest of all of the industries analyzed, averaging 765 in March 2014. This industry had the shortest average event duration, suggesting that this sector is quicker to detect and respond to cyber threats than others. Given the executive-level focus on cyber security and associated large budgets to mitigate security risk, this finding comes as no surprise.

Utilities also shine bright. The average Security Rating for the utilities sector was 751 in March 2014. Like finance, the range of ratings within the utilities sector is relatively narrow, meaning the majority of companies are high performers. This certainly came as a surprise to many, given all the media attention on the need to improve the security of our critical infrastructure. However, according to cyber security experts in the utility sector, the largest utilities (particularly the ones in the S&P 500 Index) are quite diligent in managing cyber risk.

Retail’s poor performance continues. Of the four industries, retail is the only one that ended the time period with a lower Security Rating than at the beginning of the period. The average rating in March 2014 was 685. With all the recent breach announcements in this sector (Target, Neiman Marcus, Michaels and now Lowe’s), this finding comes as no surprise.

Healthcare and pharmaceuticals demonstrate signs of serious illness. Healthcare and pharmaceuticals saw an increase over the time period, but still came in last with an average Security Rating of 660 in March 2014. Like the retail sector, the spread in performance across the industry is large, implying that there are many companies that are seriously underperforming.
