New Cyber Security Ratings Research Reveals Botnet Activity Correlates to a Higher Likelihood of a Significant Data Breach

Bitsight Insights Report Shows Companies with a Bitsight Botnet Grade of ‘B’ or Lower are More Than Twice as Likely to Experience a Publicly Disclosed Data Breach

Bitsight Technologies, the standard in Security Ratings, today released a new Bitsight Insights report titled, “Beware the Botnets: Botnets Correlated to a Higher Likelihood of a Significant Breach,” which examines the link between botnets and publicly disclosed data breaches in various industries from March 2014 through March 2015. The study concentrated on publicly disclosed breaches because these have the greatest impact to organizations in terms of personally identifiable information (PII) loss, subsequent customer notification, forensic investigation and reputation damage. 

“The implications for organizations across industries are that botnet infections cannot be ignored. Companies with lower botnet grades are clearly at greater risk for a publicly disclosed breach than those with the highest grade,” said Stephen Boyer, co-founder and CTO of Bitsight. “Bitsight botnet grades, which are a component of the top-level Bitsight Security Rating, can serve as a key metric for executives, board members, insurers, and security and risk teams that are actively looking to understand the risk for a public data breach for themselves, their insureds, or their vendors.”

This correlation provides important insight that can be leveraged for the following initiatives, as organizations look to better prioritize areas of focus to address the most critical risks:

  • Benchmarking an organization against peers
  • Vendor risk assessment and engagement
  • Cyber underwriting decision making
  • M&A due diligence

For the report, Bitsight examined the ratings and risk vectors of 6,273 companies with 1,000 or more employees, of which 199 (3.3 percent) had experienced at least one recent publicly disclosed breach. Bitsight Security Ratings range between 250 and 900, with higher ratings indicating better performance. These ratings are comprised of risk vectors, which include security events (observed compromises on a company’s network) and diligence risk vectors (steps a company has taken to prevent attacks). For each risk vector, an overall letter grade (A-F) is assigned, indicating the company’s performance relative to others. The grade takes into account factors such as frequency, severity, and duration (for events) as well as record quality, evaluated based on industry-standard criteria (for diligence). 

Key Findings 

  • Overall - The companies analyzed were divided into two groups -- those which had suffered publicly disclosed breaches, and those which had not. Among companies with botnet grades of A, the percentage having breaches was 1.7 percent; for those with a B or lower, the incidence was 3.7 percent. Thus, within this data set, companies with a botnet grade of B or lower experienced a publicly disclosed breach more than twice as often (2.2 times) than those with A’s. 
  • Utilities – With more than 52 percent of companies experiencing a botnet grade of B or lower, and critical infrastructure at stake, the data surrounding the utilities industry has probabilistic indications that should not be ignored. One particularly malicious botnet observed in utility companies is TDSS, widely considered one of the largest and most complex botnets on the planet. Another botnet observed here, but less frequently among other industries, is Carufax, a Trojan program, which is designed to steal personal data and information.
  • Retail - The retail industry has had its fair share of high profile breaches over the past two years, nevertheless, a large portion of the breaches in this sample came from FOIA (Freedom of Information Act) requests – meaning that many breaches never make headlines. Fifty-seven percent of retailers fall within the A category, meaning they are significantly less likely to be breached. This does not mean that the industry is safe; with 43 percent of companies under the ‘A’ threshold in an industry targeted for valuable credit card information, many retailers are vulnerable to attack. Top Botnets affecting this industry include Zeus, Dipverdle, and ZeroAccess.
  • Healthcare - Also struggling in recent months with breaches that hit major organizations like Anthem and Premera Health, when it comes to mitigating botnet infections, only 52 percent of these organizations are earning an A grade. In a previous report, Bitsight found that many healthcare organizations were struggling with cleaning up infections on their networks. This most recent analysis confirms that finding, with Zeus, Cutwail, and Viknok being the most common botnets affecting the industry. The fact that Viknok can be used to gain elevated operating system privileges, which can lead to theft of sensitive information, is concerning given the sensitivity of patient data.
  • Financial Services - Seventy-four percent of finance firms in this sample had an A grade. This signifies that financial firms are quick to address existing infections on their network and are more effective at preventing new infections. That said, major infections within the Finance industry included Zeus, Sality and Viknok.
  • Education – In this industry, which includes educational companies, schools and colleges, less than 23 percent have an A grade while more than 33 percent have an F. Last year’s “Powerhouses and Benchwarmers” Bitsight Insight report found that many higher education institutions were struggling with a large volume of infections. This was in part due to unique challenges faced by colleges, such as a multitude of access points and devices running on college networks and a lack of security-focused leadership. Echoing earlier research, the breakdown of observed botnets highlights the pervasiveness of Jadtre and Flashback.

To provide companies with insight into their security performance, Bitsight is offering free demos of their Security Ratings product along with a Security Rating and botnet grade. For more information or to register, visit

To download a full copy of the Bitsight Insights report, visit