Technology companies — along with their partner ecosystems — are some of the most targeted organizations when it comes to cyber-attacks. In 2018, enterprises invested an average of 3.5 million on cloud apps, platforms, and services — making the sensitive information held in those platforms a top target for hackers.
Given the business world’s increasing digital transformation and reliance on the cloud, technology companies are most often critical vendors, storing and handling sensitive data (personally identifiable information, intellectual property) for their customers. As one of the industries that experience the most public breaches, it is imperative they continuously monitor and assess the ongoing performance of their own organization’s security posture.
As one of the most critical vendors in the business world, many organizations rely on Microsoft’s technology for their day-to-day operations. This past May, Microsoft disclosed a software security vulnerability, BlueKeep, that could ultimately lead to one of the worst cybersecurity attacks since 2017’s infamous WannaCry ransomware incident. The vulnerability in Remote Desktop Services, reachable over the Remote Desktop Protocol (RDP), is so potentially dangerous that both Microsoft and the National Security Agency (NSA) have issued advisories about its existence.
Playing the role of critical vendor mandates that technology companies like Microsoft invest in managing their security performance. A 2018 BitSight report found that at least one-third of all major industries are dependent on one of the top five cloud hosting providers. Knowing this, it’s imperative that technology companies continuously assess their own security posture to ensure the cybersecurity of the millions of businesses worldwide that depend on their services.
How Does Technology Measure Up Against Other Industries?
BitSight’s data science team took a closer look at the security performance of organizations in the technology sector (all data as of June 1, 2019). It should be noted that companies in the following subindustries are included under the classification of “technology” companies: computer hardware, computer software, computer networking, internet, semiconductors, biotechnology, consumer electronics, information technology and services, computer games, wireless, and computer and network security.
The image below shows the breakdown of BitSight Security Ratings for each subindustry within the technology sector. Based on the terabytes of data collected by BitSight about security performance, we observe that:
- Almost 50% of the companies in the technology industry have a BitSight Security Rating in the Advanced category (740 and above), with a smaller percentage of companies with ratings in the Basic category (below 640). As a sector, Technology’s security performance falls about on par with Healthcare, Retail, and Utilities (Exhibit A).
- Nearly 8% of tech companies had one or more malware infections within the last three months (see Exhibit B). BitSight research has shown that a higher rate of infection correlates with a higher likelihood of a breach. More specifically, companies with a BitSight botnet grade of B or lower are more than twice as likely to experience a publicly disclosed data breach.
- Diligence performance metrics show 49% of tech organizations with at least one vulnerable service (see Exhibit C) and 52% with at least one out-of-date system (see Exhibit D). The presence of out-of-date or unsupported devices can lead to system failure, business disruption, or allow attackers to gain system access. As indicated here, the significant number of organizations that still have risky services and out-of-date systems presents a real concern.
- This sector has some of the highest adoption of email validation (see Exhibit E) among all of the sectors tracked by BitSight, with over 60% of tech companies using either SPF or DKIM across all of their email servers. SPF and DKIM are two authentication mechanisms that let a receiving mail server check that a message was not forged: SPF lets the receiver verify that the sending host is one the “From” domain has authorized, and DKIM lets it verify a cryptographic signature added by the sending domain (Gmail performs both checks, for example), which helps to spot spam and phishing emails.
- 5% of tech companies are still exposed to the recently announced BlueKeep vulnerability. As previously mentioned, this vulnerability, if exploited by an external attacker, can lead to full system compromise without requiring any form of authentication or user interaction. According to BitSight research, the tech sector is the third-worst performing sector when it comes to patching this critical vulnerability.
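The email-validation point above turns on what a domain actually publishes in DNS. The following is an added example, not code from the BitSight post or from BitSight: an offline checker that takes the TXT records a domain would publish for SPF and for a DKIM selector (the sample records below are constructed, including the placeholder DKIM key) and reports whether each policy is present and how strict it is. Mechanism names and the 10-lookup limit follow RFC 7208 (SPF); record tags follow RFC 6376 (DKIM). No DNS queries are made, so the records must be supplied by the caller.

```python
"""Offline SPF/DKIM record assessment (added example, not BitSight's code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# SPF terms that cost a DNS lookup under the RFC 7208 limit of 10.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


@dataclass
class SpfResult:
    present: bool
    all_qualifier: Optional[str] = None  # '+', '-', '~', '?' or None if no 'all'
    lookups: int = 0
    findings: List[str] = field(default_factory=list)


def parse_spf(txt_records: List[str]) -> SpfResult:
    """Parse the TXT records at a domain's apex and grade the SPF policy."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return SpfResult(present=False, findings=["no SPF record published"])
    result = SpfResult(present=True)
    if len(spf) > 1:
        result.findings.append("multiple SPF records: receivers treat this as permerror")
    for term in spf[0].split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"  # RFC 7208 default when no qualifier is written
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:/=]", term, maxsplit=1)[0].lower()
        if name in LOOKUP_MECHANISMS:
            result.lookups += 1
        if name == "all":
            result.all_qualifier = qualifier
    if result.all_qualifier is None:
        result.findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif result.all_qualifier == "+":
        result.findings.append("'+all' authorizes every sender; SPF is effectively disabled")
    elif result.all_qualifier == "?":
        result.findings.append("'?all' is neutral; forged mail is not rejected")
    elif result.all_qualifier == "~":
        result.findings.append("'~all' soft fail: forged mail is flagged, not rejected")
    if result.lookups > 10:
        result.findings.append(f"{result.lookups} DNS lookups exceed the limit of 10 (permerror)")
    return result


def parse_dkim(txt_record: str) -> List[str]:
    """Grade the TXT record published at <selector>._domainkey.<domain>."""
    tags = {}
    for part in txt_record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    if "p" not in tags:
        findings.append("no p= tag: not a DKIM key record")
    elif tags["p"] == "":
        findings.append("empty p= tag: key revoked, signatures will not verify")
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y testing flag set: verifiers treat failures leniently")
    return findings


def assess(domain: str, spf_txt: List[str], dkim_txt: Optional[str]) -> dict:
    """Combine both checks into one report for a domain."""
    spf = parse_spf(spf_txt)
    dkim = parse_dkim(dkim_txt) if dkim_txt is not None else ["no DKIM record for the selector"]
    return {"domain": domain, "spf_strict": spf.all_qualifier == "-",
            "spf_findings": spf.findings, "dkim_findings": dkim}


# Constructed sample records; the DKIM key value is a placeholder, not a real key.
SAMPLE_SPF = {
    "strict.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailprovider.example -all"],
    "soft.example": ["v=spf1 include:a.example include:b.example ~all"],
    "open.example": ["v=spf1 +all"],
    "nospf.example": ["google-site-verification=constructed"],
}
SAMPLE_DKIM = {
    "strict.example": "v=DKIM1; k=rsa; p=CONSTRUCTEDPLACEHOLDERKEY",
    "soft.example": "v=DKIM1; k=rsa; t=y; p=CONSTRUCTEDPLACEHOLDERKEY",
    "open.example": "v=DKIM1; k=rsa; p=",
}

if __name__ == "__main__":
    for name, records in SAMPLE_SPF.items():
        print(assess(name, records, SAMPLE_DKIM.get(name)))
```

A domain only counts as fully protected when SPF ends in `-all`, the lookup budget is respected, and the DKIM selector publishes a non-empty key without the testing flag; anything weaker is the kind of gap a rating such as the one in Exhibit E would surface.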
As a critical vendor to so many organizations, tech companies need an effective method for gaining visibility into the security posture of their business. Organizations need a way to model different scenarios and remediation strategies in order to forecast future security performance. Security ratings deliver a continuous, data-driven measurement of security performance, enabling security and risk leaders to compare performance with their industry peers and competitors, identify direct paths to cyber risk reduction, and ultimately report that performance to their Executive team and Board.
Ultimately, security ratings allow the technology industry — one that plays a role as a critical vendor to so many businesses around the globe — to accurately assess cyber threats within their business ecosystem.
This content was produced by Marc Light in conjunction with John Burger and Shrinath Patel from the BitSight Data Science Team.