Latest BitSight Insights Report Highlights the Importance of Continuous, Third Party Cyber Risk Assessment When Doing Business with the Fortune 1000
BitSight, the Standard in Security Ratings, today released a new report titled “How Secure Are America’s Largest Business Partners? Rating The Cybersecurity Performance of the Fortune 1000,” which analyzed the security posture of some of the world’s largest organizations. Leveraging the BitSight Security Ratings Platform, which generates objective, outside-in ratings, the report presents data on the cybersecurity performance of Fortune 1000 companies, identifies the most common system compromises, and outlines recommendations for improvement. For comparison, Fortune 1000 companies were studied alongside a random sample of 2,500 companies with a similar industry breakdown and with at least 2,500 employees.
“Understanding the security maturity of Fortune 1000 companies provides greater context for any organization looking to benchmark its own performance,” said Stephen Boyer, co-founder and CTO of BitSight. “Moreover, this data can be used to better inform companies of the risks posed when sharing data or network access with Fortune 1000 organizations. For example, a primary reason Fortune 1000 companies have a lower median Security Rating is the higher frequency of system compromise on their networks. Awareness of the incident detection and response practices of third parties should factor into the process of screening new vendors.”
Using evidence of security incidents from networks around the world, the BitSight Security Ratings Platform applies sophisticated algorithms to produce daily security ratings for organizations, ranging from 250 to 900, where higher ratings equate to lower risk. Previous studies from BitSight, independently verified by third parties, show that companies with a Security Rating of 500 or lower are almost five times more likely to experience a publicly disclosed breach than companies with a Security Rating of 700 or higher. Studies also show that organizations with a higher frequency of botnet infections (that is, actual system compromises) experience a higher likelihood of breach.
- In the last 15 months, BitSight researchers found that at least one out of every 20 Fortune 1000 companies has experienced a publicly disclosed breach.
- A majority of Fortune 1000 companies have at least one remote administration service running on an open port, a sign that many companies may be inadvertently allowing unauthorized access to machines.
- In March, Bedep, a botnet resulting in actual machine compromise, was seen in one out of every five Fortune 1000 companies; as of December 2016 it was seen in just one out of every 20.
- Fortune 1000 companies’ security performance has recently declined overall: 52 companies improved, while 103 companies experienced rating drops from October 2016 to January 2017.