Energy, Utilities Sector Fares Worse Than Retail in Security

Despite the data breach headlines, it turns out that the energy and utilities sector is performing worse than the retail vertical.

Over the past year, BitSight researchers noted a dip in the performance of energy and utility companies, which have an average rating of 652 in the third annual BitSight Insights Industry Benchmark report. The ratings range from 250 to 900, with higher ratings equating to higher security performance based on observed security events and configurations, such as botnet communication, malware distribution and email server configuration.

Energy and utilities have a higher rating than the healthcare sector, which averages 634, but come in below the news-magnet retail sector, which averages 684.

“There is no question that energy and utility systems are vulnerable and will be attacked,” said Stephen Boyer, co-founder and CTO of BitSight. “Organizations will never be able to protect against everything, but they need to continuously monitor their security posture in order to identify and mitigate issues before too much damage is done.”

The federal government, which is currently in the spotlight in the wake of the Office of Personnel Management mega-breach, is the second highest performing sector, with an average rating of 688. Finance was the top performing industry, with a 716 rating. There’s no surprise in this last finding—it’s in line with the vertical’s 712 rating a year earlier, and its reputation for being out ahead on security.

At the same time, education has consistently been the lowest performing industry, with a steady low average rating of 554.

BitSight also found widespread POODLE and FREAK vulnerabilities across industries. While companies across all industries have mostly updated their servers to protect against Heartbleed, many have failed to act when it comes to these other big-name flaws. The vulnerability rates for FREAK range from 30% in finance to a whopping 75% in education.

Also worrying: 79% of federal government entities analyzed were vulnerable to POODLE, as were 90% of higher-education institutions.

“Benchmarking can…serve as a key indicator of security performance, allowing an organization to better understand their own posture, as well as that of the third parties with which they share their data,” Boyer said. “Given recent headlines that illustrate this security gap, we must look beyond our own companies and focus attention on those that access our information.”