Major data breaches at Target and Neiman Marcus last year put the spotlight on how poorly retailers guard sensitive information from cyber thieves. Yet health-care and pharmaceutical companies rate even worse than retailers in terms of security performance, according to a new analysis of Standard & Poor’s 500-stock index companies by BitSight Technologies.
The Cambridge (Mass.)-based firm compared the performance of finance, utilities, retail, and health industry groups within the S&P 500 from April 2013 through March 2014. Overall, health-care companies scored lowest, at about 660 on a scale of 250 to 900, with low numbers reflecting poor security practices. Not only did that sector have the most security problems, but the companies took the longest to fix the problems—on average 5.3 days, according to the report.
BitSight collects Internet traffic flowing to and from tens of thousands of companies, analyses signs of network compromise—such as communications with spam networks or servers known to be controlled by hackers and criminals—and translates it all into a risk score. It’s something like a credit rating for cybersecurity.
The single worst performer in the S&P 500, which BitSight declined to name, was a health-care company that rated 410. If that were a credit score, it would take multiple bankruptcies to sink so low, says Stephen Boyer, chief technology officer at BitSight. “To see it below retail—having seen what we’ve witnessed in retail over the last six to nine months—we thought that was pretty sobering,” he adds. “They’re failing to do even some of the basic level protections.”
For example, companies in the health-care sector had the highest percentages of infection with the Conficker worm, a piece of malicious software that’s been around a long time, is well understood, and is relatively easy to clean up. In other words, companies that have good security practices shouldn’t have it in their networks, according to Boyer.
Digital thieves have every reason to gun for health-care companies. As Boyer points out, data from unwary companies can be used to obtain medical care or get prescriptions, and it commands a high price on the black market.
The financial sector scored best among the four S&P 500 industry groups, with an average of 765, followed by utilities at 751. Retailers, with an average rating of 685, faced an almost 200 percent rise in the number of security incidents or external indicators of network compromise.
Attention to cybersecurity by top management is one of the key differences in better performance, Bitsight found. At “the high-performing organizations, it is an executive-level issue,” says Boyer. “What we’ve seen in financial services is they have a culture of risk management. They’ve been managing fraud for quite some time. It’s money to them.”