Why Some Industries Are Better at Security

By Karen A. Frenkel  |  Posted 06-27-2014

A new study says the finance and utilities industries are the most secure, and that retail and health care lag in security effectiveness. The report, "Will Healthcare be the Next Retail?" by BitSight Technologies, analyzed security ratings for S&P 500 companies in these four industries from April 2013 through March 2014. "Based on our analysis, it is clear that organizations that treat cyber-security as a strategic issue perform better than those that view it as a tactical one," says Stephen Boyer, BitSight cofounder and CTO. "This partially explains the superior security ratings of financial institutions and electric utilities compared to retailers and health care companies."

BitSight used publicly available data to rate companies' daily security performance, observing security events and configurations such as communication with a botnet, malware distribution, and e-mail server configuration. These were assessed for severity, frequency and duration to generate security ratings, which range from 250 to 900 points. The BitSight Insights report is available with registration.

  • Security Ratings by Industry

    The finance industry consistently outperformed other sectors' security ratings. Average industry security rating: Finance: 765, Utilities: 751, Retail: 685, Health care and pharmaceuticals: 660.
  • Number of Security Incidents Rises

    All industries experienced an increase in incidents, but the finance sector had the shortest average event duration, which demonstrates that these companies quickly detect and remediate such issues.
  • Strong Risk Management Culture Rewarded

    Finance companies have strong risk management cultures, in which cyber-security is part of business operations. Just having a CISO or comparable officer is not sufficient. When companies engage business partners, risk management and detailed security plans are selling points.
  • Finance Companies Do More Than Spend on Security

    Finance and utilities companies not only have larger cyber-security budgets than their peers in other industries, but they go well beyond government-mandated security measures and industry group recommendations.
  • Regulations and Standards Also Elevate Scores

    The highly regulated utilities sector owes its very good scores to practices required by regulators. Utilities must:
      • Follow the guidelines and standards of the North American Electric Reliability Corporation Critical Infrastructure Protection, which require log monitoring 24/7 and annual vulnerability tests.
      • Have an internal computer incident response team.
      • Report issues to the Electricity Sector Information Sharing and Analysis Center.
  • Retail's Poor Performance Continues

    Retail declined in security performance with the number of security events increasing nearly 200% during the study interval. Retailers are scrambling to revamp their cyber-defense initiatives and many have announced new security-focused executives.
  • Health Care and Pharmaceuticals Are at Risk

    Health care and pharmaceuticals saw the largest percentage increase in the number of security incidents, with the average event lasting longer than in any other industry, at 5.3 days.
  • Medical Devices Vulnerable

    Weak encryption, a lack of key management, poor authentication and authorization protocols, and insecure communications threaten data confidentiality and integrity of medical devices in clinics and hospitals.
  • Health Care and Pharma Need Security Prescriptions

    This sector does not view cyber-security as a strategic business matter, as financial institutions and electric utilities do. It doesn't spend enough to protect data because cyber-security does not receive enough executive-level attention.
  • Recommendations

    Companies should use data to improve risk management. New initiatives and personnel are fine, but valuable metrics help track performance. Real-time security data from inside and outside of networks and better data processing tools can help organizations create evidence-driven risk models.
Karen A. Frenkel writes about technology and innovation and lives in New York City.

