Inside BitSight's Benchmark Report: Which Industries Score Highest in the Annual Rankings? Information Security Media Group • October 6, 2015 • 15 Minutes
BitSight Technologies is out with its annual Industry Benchmark Report, and cybersecurity ratings are low for the energy and utilities industry. Conversely, the financial services industry and - surprisingly - government rate highly.
What is the difference between the low rankings and the high, and what can security leaders draw from this report? Mike Woodward, Program Director of Data at BitSight, weighs in with expert analysis.
"Overall, the report gives you insight into how the different industries are responding to the cybersecurity threats that they face," Woodward says.
One thing BitSight has learned in tracking these ratings over time: Industry ratings tend to be consistently the same. Which is both bad news and good.
"The bad thing is that industries that maybe have some challenges, frankly, are not responding to those challenges," he says. "The good thing is that industries which are good are managing to stay good.
"That level of consistency really surprised me," he says. "I thought with some of the more challenged industries we would see an uptick in the ratings, an uptick in their approach to security over the course of the year. But we didn't see that."
In an interview about BitSight's Industry Benchmark Report, Woodward discusses:
- Highlights and surprises from this year's report;
- Why government rates so high and energy so low;
- How cybersecurity leaders can put this report's findings to work.
Woodward is Program Director of Data at BitSight Technologies. He has over 20 years of experience analyzing a wide variety of data. He has worked for financial markets, semiconductors, radio communications, vehicles, and now, internet threats. He has substantial experience in computer modeling and data analytics, as well as several degrees from British and American universities. He has also published numerous articles and papers.
Which Industry Is the Most Secure?
FIELD: So as I said up top, the Annual Industry Benchmark Report is just out. What would you say are some of the key highlights you'd want to showcase for our audience today?
WOODWARD: Well, first, let me explain what this report is so I can give you some context for the highlights. So as a company, we see in-process Internet security data for tens of thousands of companies. We process a huge amount of Internet security data, and that's done every night. And from all of this security data -- it's all externally observed -- we produce ratings for companies, and we produce risk factors to support those ratings. Such things like events, like botnet infections, diligence data breaches, etc., etc. Now, from this huge data set, what we've done is we've grouped these companies together into industry groupings and worked out security data for the industries as a whole. So this gives you a sense of how industries are performing relative -- you know, to cybersecurity one against another.
So a couple of the highlights. The industry ranking -- ordering, with finance being the most secure. Federal government, surprisingly, just beats retail. Energy and utilities comes next, healthcare after that, and taking the tail-end spot is education. We also looked at SSL vulnerabilities and found those to be fairly widespread and that different industries have different rates of patching the various SSL vulnerabilities. So overall, the report gives you an insight into how different industries are responding to the cybersecurity threats that they face.
FIELD: Now, Mike, I'm gonna come back and ask you about some of the specific industries as well as the SSL vulnerabilities. But let me just take a step back now. What would you say are some of the biggest surprises of this year's report?
WOODWARD: Okay. So there are a couple of things in the data that really caused me to take a step back and have a think. One of the -- personally, the most surprising thing for me was how consistent industry scores are over time. So this isn't just a number that we worked out at a single point in time. We went back over a 12-month period. We had a look at the scores of industries over time. Now, it turns out, okay, there is some variability in the scores over the course of a year. Some industries go up; some of the industries go down. But on the whole, industry performance is relatively consistent over time. Now, I think that's a bad thing and also a good thing as well. The bad thing is, the industries that maybe have some challenges frankly are not responding to those challenges. The good thing is industries which are good are managing to stay good. So that level of consistency really surprised me. I thought that with some of the more challenged industries, we would see like an uptick in the rating, an uptick in their approach to security over the course of the year. But we didn't see that. Again, the federal government -- the fact that they scored so well was a surprise as well. And as you know, we've seen some fairly lurid headlines about government data breaches. So the fact they did well was kind of surprising, but we looked into this, and we understand what they're doing. Healthcare, and energy, and utilities, they're not changing, and that surprised me as well. I mean, you know, we've seen the press coverage about energy and utilities, and the cybersecurity threats to those industries and also healthcare as well. We've seen a number of breaches in the healthcare industry. In both cases, I would have expected, over the course of a year, those industries' security to be up-ticking as they respond to the challenges they're very publicly facing. But unfortunately, that isn't happening.
Tactics That Improve Security Scores
FIELD: Well, Mike, let's talk about some of these surprises and some of these industries. Let's start with healthcare, energies, and utilities. As you point out, they rate particularly low. In your opinion, what are these industries overlooking?
WOODWARD: Okay. So the ratings on the whole are about what industries actually do and their effectiveness. So I'm aware that there are some industry-level initiatives in these industries to improve security, but frankly, we're not seeing the results. So it's worth reiterating that these security ratings are all about what companies are doing and the effect that it's having, right. So having lots of meetings isn't actually going to improve your security score. We just don't see the effect of some of these industry organizations, that's all. So one of the things that we're seeing is that these systems, I think, are becoming more vulnerable as economic pressure to connect to the Internet...
So think about energy and utility companies, for example. If you can offer remote monitoring, even remote control of substations or other pieces of infrastructure, this offers you economic benefit. But coming with that, as well, means you probably have to start really defending your infrastructure against cyberattacks. And that doesn't really seem to be happening here. Now, I'm gonna speculate a little here. I think that partly this might be some cultural issues. So, for example, the energy and utility industry, they're relatively slow moving technologically, and of course, that's very natural. They're used to long-term projects, long-term -- frankly, very large-scale projects. Their systems have to function for a decade or more. But -- now, that mindset, you know, if you contrast that with the kind of cyber threats, cyber threats are probably one of the fastest-moving areas out there.
So what we've got is a relatively slow-moving defender moving against the fast-moving attacker. So that may be some of the issues that we're seeing. Now, it also may be the case -- I see the infrastructure is possibly traditionally in these industries, and energy, and utilities, and healthcare may not have been top-of-mind for quite some time. So it could be that there's these kind of cultural specific industry issues, which are really kind of working negatively against these companies improving their ratings and improving their security posture.
Securing Where the Money Is
FIELD: Mike, let's take a look at the flip side, financial services and government. As you said, they're doing particularly well. What can other industries learn from these sectors?
WOODWARD: Ah. Well, let's talk about finance for a minute. So there's a famous bank robber, called Willie Sutton, who has a quote, who said -- you know, he was asked why did he rob banks, and he said, "Because that's where the money is." So the finance industry is obviously -- it's where the money is. These guys know that they're under attack. And when you look at their data, we see that they get infected with botnets at a lower rate than other industries, and that's really kind of implying that they have better security. They're paying more for better software, better hardware to protect against attacks. But when they do get attacked, they actually respond to the infections very quickly. So if you look at the remediation time to fix things like botnet infections, the finance industry's doing extremely well. They're very fast to fix these issues.
They also tend to be very good at diligence issues as well, and that seems like SPS, SSL, Beacon, and a whole range of different diligent activities you can undertake. If you look at the finance industry, on the whole they do very well. So, again, why would that be the case? And I -- again, I think it's probably a kind of cultural thing here. Now, remember that finances and industries technically are very fast-moving. They're very willing to take onboard new technologies. They have a look at all kind of aspects of finance. They're really very fast on the uptake in some things. Frankly also, they're willing to spend money, and they've got the money to spend as well. So they've got the inclination to do something very quickly. They wouldn't just spend the money, and, of course, they've got the various resources of people with resources to do it. Again, I feel here that you've got a relatively fast-moving attacker against a fast-moving defender. And that, I think, is one of the reasons why we see finance doing so well.
As for government, well, bear in mind that government also knows that it's attacking -- that it's being attacked. One of the challenges they face -- there are obviously overseas attackers hacking away at government infrastructure, and that's been known about for some time. Again, if you look at government results in more detail, it turns out the government is very good at the diligence measures and actually responding to events as well. And we do know that the government is buying IGT software, again, to protect against attack. So I think -- there's been a lot of publicity about one particular breach -- one particular government agency. But the U.S. Federal Government isn't one agency; it's multiple agencies. And it's like a -- I'll give you a sporting analogy here. It's possible to have a sports team where maybe one player does badly, but the team overall scores very well. And I think this is a case -- an industry level with that same kind of idea.
Why the Education Sector Fails in Security
FIELD: Mike, one more industry I want to ask you about, and that's education. Why, in particular, is education performing so poorly?
WOODWARD: If you think about, you know, the university network, largely what you're doing is you're creating this very public, very open network, and inviting in a group of 18-, 19-year-old kids who have no security at all on their machines and have sometimes, you know -- basically -- should we say a flexible approach to issues like copyright. So you're putting some of the most uncontrolled users on a large-scale network often patrolled and enforced with very few resources. So I think universities have a pretty much unique challenge. Often, there's not much of a sanction as well that they can apply against offenders unless it's particularly egregious. So I think universities are in a very tough position in terms of improving their security performance.
But one of the things that we have noticed -- and it's in a previous study we saw this -- the industries that have taken extra measures, for example, hiring CISOs and building cybersecurity teams, those industries tend to score more highly than other industries as well. Okay. So again, those industries that are really investing in security, we are actually seeing the effect on their security posture through the ratings.
Avoiding Man-in-the-Middle Attacks
FIELD: Mike, a few minutes ago you talked about SSL vulnerabilities. What do you find to be the significance of these vulnerabilities in the report?
WOODWARD: Okay. So I think there are two pieces here. So bear in mind SSL is a means of securing communication between the client and the server, right? And the idea here is that it prevents the man-in-the-middle attacks. In other words, it prevents an eavesdropper from listening in on the transaction. And maybe, you know, a client and a server exchange bank details. The man in the middle can hear that and possibly rob you, basically. So the obvious piece about not patching these SSL vulnerabilities is that you're leaving this communications channel open to the communications to be captured and decoded. So that's the obvious vulnerability, right? That leaves you and the people that you're communicating with over the Internet in a position of vulnerability, and that's a bad thing. But more than that, I think there's a deeper issue here. So bear in mind what SSL vulnerabilities are and how they're resolved. So these are well publicized vulnerabilities, very well known in the community. There are patches for them. So what you can do is, if you know that you have the system that has these SSL vulnerabilities, you can patch the software from either an open source or basically a publish -- a software publisher. Right? These fixes are widely available. So that's something that's under the control of a company itself. So the deeper issue for me is, when it's possible to patch these systems to get rid of these vulnerabilities, why aren't companies doing it? Now, I'm aware in some cases there are larger issues because, you know, these patches themselves have, maybe, knock-on effects, and that can be a case for some of the larger companies.
But stop and think for a minute. If somebody tells you that your house is insecure and they make available to you locks -- that are locks at no charge -- wouldn't you want to put those locks on your house? And I think this is an issue here that we see, that companies just aren't responding to some of the threats that are made against them right through the infrastructure. They're not responding to these threats by patching their software, and that's entirely within their control. So really that's one of the things I see as an important fact here. It's not just the fact that it's a vulnerability; it just shows a kind of attitude in the industry or industries about patching software.
Ways to Leverage BitSight's Industry Benchmark Report
FIELD: Mike, a final question for you. As you know, we've got audience members that span industries and sizes of organizations. How should they use the BitSight Industry Benchmark Report to benchmark themselves and then improve their own organization's cybersecurity?
WOODWARD: Okay. So let's think for a second about the consequences of the breach. So imagine, for example, that you have a healthcare vendor that's providing healthcare to your employees, and there's a breach. And this isn't a theoretical case. This is -- as you know, these have happened -- a number of these instances have happened through the year. So imagine how you would feel if you were explaining to your employees that their most intimate healthcare details were on sale on the web to the highest bidder? So think about that. So do you want to do business with companies that, basically, have those vulnerabilities? Now, these things have happened. So I know that cybersecurity's not the only factor that people consider when they decide who they should do business with. But it really ought to be one of the factors, especially if you're dealing with people -- personally identifiable information. So using these kinds of security ratings, you can get a sense of who's performing well and who's performing badly.
Now, I've spoken about industries here and I've said, you know, finance is doing well, I said healthcare is not doing quite so well. But the reality is -- and this data is in the report -- there are [indiscernible] results within an industry. So for example, there are some extremely high-performing healthcare companies, but also some healthcare companies that are performing extremely poorly. Now, you can imagine if you talk to the salesperson at a healthcare company, say, "Are you cybersecure?" Of course they're gonna say, yes. Right? But the question is, are they? So you can use these cybersecurity ratings as an independent check on which of your vendors are being secure and which ones are perhaps less secure. Or we know people who've used this approach to basically make a decision to discontinue business with certain very insecure vendors and passed the business to other vendors who are more secure.
So this report will give you a 30,000-foot view of what's going on. In this report, we deliberately don't name companies. Now, I think -- and I think the companies think -- that naming and shaming is not a good tactic. It also signals to hackers who is weak, and that's not a good thing to do, right? It just doesn't seem ethical to say, "Well, hackers, you should go and target these guys, because the security is not so great." So the report really has an overview of industries. If you want the individual ratings data for your vendors, then come and talk to us, and we can have an informed conversation. But you could also use this kind of data as well to rate yourself. So you think that you're doing well security-wise, but are you? What's the independent check that you have that you're actually doing all the things that you need to, to become more secure?
And that's one of the other things that companies are using these cybersecurity ratings for: They're benchmarking themselves. And they're finding where they're weak and actually doing something about it. So individual benchmarking data won't be found in this report for the same reason that we just don't release the ratings of companies publicly, but at industry level we do. So what you could do is take this report, have a look through it, decide what it says about the industries, and the industries that are relevant to you, and then maybe come and have a chat with us if you think there's something there.