Industry Analysis Shows Cause for Concern in Security Effectiveness in Energy and Utilities Industry

Annual Bitsight Insights Industry Analysis Report Rates Cyber Security Performance of Finance, Federal Government, Retail, Energy and Utilities, Healthcare and Education Industries

Bitsight Technologies, the standard in Security Ratings, today released the third annual Bitsight Insights Industry Benchmark report, which analyzed Security Ratings of nearly 10,000 organizations in six industries – finance, federal government, retail, energy and utilities, healthcare and education. The objective was to highlight quantifiable differences in security performance across industries from August 1, 2014 to August 1, 2015. The study revealed challenging performance trends in the critical energy and utilities sector, the federal government (despite recent headlines) as a high performing industry second only to finance, and widespread POODLE and FREAK vulnerabilities across industries.

“There is no question that energy and utility systems are vulnerable and will be attacked. Organizations will never be able to protect against everything, but they need to continuously monitor their security posture in order to identify and mitigate issues before too much damage is done,” said Stephen Boyer, co-founder and CTO of Bitsight. “Benchmarking can also serve as a key indicator of security performance, allowing an organization to better understand their own posture, as well as that of the third parties with which they share their data. Given recent headlines that illustrate this security gap, we must look beyond our own companies and focus attention on those that access our information.”

Bitsight uses publicly accessible data to rate companies’ security performance on a daily basis. Observed security events and configurations, such as communication with a botnet, malware distribution, and email server configuration, are assessed for severity, frequency and duration and used to generate objective Security Ratings. Bitsight Security Ratings range from 250 to 900, with higher ratings equating to higher security performance. Industry ratings are calculated using a simple average of the Bitsight Security Ratings of companies in that sector.

Key Findings

Energy and Utilities are performing lower than the Retail sector

  • Over the past year, Bitsight researchers noted a dip in the performance of Energy and Utility companies, with the average rating in this sector being 652.
  • This is higher than the healthcare sector, which averages a 634 rating, but is below the retail sector, which, despite grabbing data-breach headlines, averages 684.

The Federal Government - currently in the spotlight in the wake of the Office of Personnel Management mega breach - is the second highest performing sector

  • Bitsight’s analysis of federal government entities shows that many are performing well when it comes to overall security performance.
  • The average rating for the federal government sector was 688, while the average rating for finance, the top performing industry, was 716.

While companies across all industries have mostly updated their servers to protect against Heartbleed, many have failed to act when it comes to POODLE and FREAK

  • The vulnerability rates for FREAK range from 30 percent in Finance to 75 percent in Education, meaning that at best, one in three finance organizations is vulnerable to FREAK.
  • 79 percent of federal government entities analyzed were vulnerable to POODLE, as were 90 percent of higher education institutions.

Year-over-year, leaders and laggards remain the same

  • Finance has consistently been the top performing industry in Bitsight’s industry benchmark reports. In this report, the average rating was 716, in line with the 712 rating a year earlier.
  • At the same time, education has consistently been the lowest performing industry, with an average rating of 554.

To download a full copy of the Bitsight Insights report, visit To download a ZIP file containing high resolution versions of the charts and graphs included in the report, click here.

About Bitsight Technologies

Bitsight Technologies is transforming how companies manage information security risk with objective, evidence-based security ratings. The company's Security Rating Platform continuously analyzes vast amounts of external data on security behaviors in order to help organizations manage third-party risk, benchmark performance, and assess and negotiate cyber insurance premiums. Based in Cambridge, MA, Bitsight is backed by the National Science Foundation, Globespan Capital Partners, Menlo Ventures, Flybridge Capital Partners, Comcast Ventures, Commonwealth Capital Ventures, and Liberty Global Ventures. For more information, please visit or follow @Bitsight on Twitter.