Why Some Industries Are Better at Security
The finance industry consistently outperformed other sectors' security ratings. Average industry security ratings: Finance 765, Utilities 751, Retail 685, Health care and pharmaceuticals 660.
All industries experienced an increase in incidents, but the finance sector had the shortest average event duration, which demonstrates that these companies quickly detect and remediate such issues.
Finance companies have strong risk management cultures, in which cyber-security is part of business operations. Just having a CISO or comparable officer is not sufficient. When companies engage business partners, risk management and detailed security plans are selling points.
Finance and utilities companies not only have larger cyber-security budgets than their peers in other industries, but they go well beyond government-mandated security measures and industry group recommendations.
The highly regulated utilities sector owes its very good scores to practices required by regulators. Utilities must:
• Follow the guidelines and standards of the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP), which require 24/7 log monitoring and annual vulnerability tests.
• Have an internal computer incident response team.
• Report issues to the Electricity Sector Information Sharing and Analysis Center.
Retail declined in security performance with the number of security events increasing nearly 200% during the study interval. Retailers are scrambling to revamp their cyber-defense initiatives and many have announced new security-focused executives.
Health care and pharmaceuticals saw the largest percentage increase in the number of security incidents, and its average event lasted longer than in any other industry, at 5.3 days.
Weak encryption, a lack of key management, poor authentication and authorization protocols, and insecure communications threaten the confidentiality and integrity of data on medical devices in clinics and hospitals.
This sector does not view cyber-security as a strategic business matter, as financial institutions and electric utilities do. It doesn't spend enough to protect data because cyber-security does not receive enough executive-level attention.
Companies should use data to improve risk management. New initiatives and personnel are fine, but meaningful metrics are what track performance. Real-time security data from inside and outside their networks, together with better data processing tools, can help organizations build evidence-driven risk models.