Fourth Annual BitSight Insights Industry Index Report Analyzes Security Ratings of Organizations in Six Key Sectors, Highlighting Risks Associated with Third-Party Service Providers

BitSight, the Standard in Security Ratings, today released its fourth annual BitSight Insights Industry Benchmark report, which analyzed the Security Ratings of more than 20,000 organizations in six industries – Finance, Legal, Healthcare, Retail, Government and Energy. The objective was to highlight quantifiable differences in security performance across industries from the past 12 months and identify areas of cybersecurity risks. In particular, the report explores how the cybersecurity posture of the Legal sector has changed over time and why its security performance is of paramount importance.

“Legal service providers have access to a company’s intellectual property, financials, strategic plans, and private employee information. In addition, law firms are one of the most widely-used third party service providers across the world. The impact of a breach on a law firm could be severe for not only the firm, but also their hundreds of clients,” said Stephen Boyer, co-founder and CTO of BitSight. “Legal firms, as a sector, are performing in line with the retail industry, which, as we have seen in the headlines, have been and continue to be targeted by attackers. In 2017, we expect to see more attacks on legal service providers, fueled by the desire to acquire sensitive data and to attack the firm’s clients. Companies cannot neglect legal services providers in the efforts to continuously monitor the security performance of their third party ecosystem.”

The BitSight Security Ratings Platform generates objective, outside-in ratings on companies’ security performance. Using evidence of security outcomes from networks around the world, BitSight applies sophisticated algorithms to produce daily security ratings ranging from 250 to 900, where higher ratings equate to lower risk. With comprehensive insight into the ever-changing security posture of their vendors, companies use BitSight to take a proactive approach to risk management by focusing on the vendors and security issues that pose the most immediate risk.q4-bitsight-insights-pr-graph.png

Key Findings

  • The Legal sector had the second highest percentage of companies with a security rating of 700 or higher, only trailing Finance and in-line with Retail.
  • More than 60 percent of organizations examined from the Legal sector are exposed to DROWN, a major communications protocol vulnerability, specifically affecting the SSL/TLS protocol.
  • Bedep is the most common machine compromise across all industries examined. Government, Energy/Utilities, and Healthcare sectors saw the highest rates of this botnet.
  • Nearly 80 percent of organizations across all industries examined are exposed to Logjam or POODLE, both of which are major communications protocol vulnerabilities, again specifically affecting the SSL/TLS protocol.

Previous studies from BitSight, independently verified by third parties, show that companies with a security rating of 500 or lower are almost five times more likely to experience a publicly disclosed breach than companies with a security rating of 700 or higher. As part of this year’s Industry Index Report, researchers examined whether companies moved into this cybersecurity risk zone of 500 or lower over the last six months and found that Government and Energy/Utilities were the only two industries where the number of companies in this zone increased, indicating poor cybersecurity performance in these sectors.

To download a full copy of the BitSight Insights report, including recommendations based on the findings, visit http://bitsig.ht/2fUra7j.