Quantifiable differences in security performance across industries

BitSight Technologies analyzed Security Ratings of nearly 10,000 organizations in six industries – finance, federal government, retail, energy and utilities, healthcare and education. The objective was to highlight quantifiable differences in security performance across industries from August 1, 2014 to August 1, 2015.

The study revealed: challenging performance trends in the critical energy and utilities sector, the federal government (despite recent headlines) as a high performing industry second only to finance, and widespread POODLE and FREAK vulnerabilities across industries.

BitSight uses publicly accessible data to rate companies’ security performance on a daily basis. Observed security events and configurations, such as communication with a botnet, malware distribution, and email server configuration, are assessed for severity, frequency and duration and used to generate objective Security Ratings.

BitSight Security Ratings range from 250 to 900, with higher ratings equating to higher security performance. Industry ratings are calculated using a simple average of the BitSight Security Ratings of companies in that sector.

Energy and Utilities are performing lower than the Retail sector:

• Over the past year, researchers noted a dip in the performance of Energy and Utility companies, with the average rating in this sector being 652.
• This is higher than the healthcare sector, which averages a 634 rating, but below the data-breach headline grabbing retail sector, which averages 684.

The Federal Government – currently in the spotlight in the wake of the OPM mega breach – is the second highest performing sector:

• BitSight’s analysis of federal government entities shows that many are performing well when it comes to overall security performance.
• The average rating for the federal government sector was 688, while the average rating for finance, the top performing industry, was 716.

While companies across all industries have mostly updated their servers to protect against Heartbleed, many have failed to act when it comes to POODLE and FREAK:

• The vulnerability rates for FREAK range from 30 percent in Finance to 75 percent in Education, meaning that at best, one in three finance organizations is vulnerable to FREAK.
• 79 percent of federal government entities analyzed were vulnerable to POODLE and 90 percent of higher education institutions.

Year-over-year, leaders and laggards remain the same:

• Finance has consistently been the top performing industry in BitSight’s industry benchmark reports. In this report, the average rating was 716, inline with the 712 rating a year earlier.
• At the same time, education has consistently been the lowest performing industry, with a consistently low average rating of 554.