Why Some Industries Are Better at Security

Why Some Industries Are Better at Security

Security Ratings by Industry

The finance industry consistently outperformed other sectors’ security ratings. Average industry security rating: Finance: 765, Utilities: 751, Retail: 685 ,Health care and pharmaceuticals: 660

Number of Security Incidents Rises

All industries experienced an increase in incidents, but the finance sector had the shortest average event duration, which demonstrates that these companies quickly detect and remediate such issues.

Strong Risk Management Culture Rewarded

Finance companies have strong risk management cultures, in which cyber-security is part of business operations. Just having a CISO or comparable officer is not sufficient. When companies engage business partners, risk management and detailed security plans are selling points.

Finance Companies Do More Than Spend on Security

Finance and utilities companies not only have larger cyber-security budgets than their peers in other industries, but they go well beyond government-mandated security measures and industry group recommendations.

Regulations and Standards Also Elevate Scores

The highly regulated utilities sector owes its very good scores to practices required by regulators. Utilities must: •Follow the guidelines and standards of the North American Electric Reliability Corporation Critical Infrastructure Protection, which require log monitoring 24/7 and annual vulnerability tests. •Have an internal computer incident response team. •Report issues to the Delicacy Sector Information Sharing and Analysis Center.

Retail’s Poor Performance Continues

Retail declined in security performance with the number of security events increasing nearly 200% during the study interval. Retailers are scrambling to revamp their cyber-defense initiatives and many have announced new security-focused executives.

Health Care and Pharmaceuticals Are at Risk

Health care and pharmaceuticals saw the largest percentage increase in the number of security incidents with average event lasting longer than any other industry, at 5.3 days.

Medical Devices Vulnerable

Weak encryption, a lack of key management, poor authentication and authorization protocols, and insecure communications threaten data confidentiality and integrity of medical devices in clinics and hospitals.

Health Care and Pharma Need Security Prescriptions

This sector does not view cyber-security as a strategic business matter, as financial institutions and electric utilities do. It doesn’t spend enough to protect data because cyber-security does receive enough executive-level attention.

Recommendations

Companies should use data to improve risk management. New initiatives and personnel are fine, but valuable metrics help track performance. Real-time security data from inside and outside of networks and better data processing tools can help organizations create evidence-driven risk models.