Fortune 1,000 Companies Twice as Likely to Be Breached

In the last 15 months, at least one out of every 20 Fortune 1,000 companies has experienced a publicly disclosed breach.

In a new study, BitSight researchers found that the rate of compromise among the 1,000 largest public companies is almost twice that of everyone else. Their size and market capitalization may make them more attractive targets than other companies; but BitSight also found that a majority of Fortune 1,000 companies have at least one remote administration service running on an open port, a sign that many companies may be inadvertently allowing unauthorized access to their machines.

Criminals are ramping up activity, too: In March, Bedep, a botnet whose infections indicate actual machine compromise, was seen in one out of every five Fortune 1,000 companies; as of December 2016 it had been seen in just one out of every 20.

“Understanding the security maturity of Fortune 1,000 companies provides greater context for any organization looking to benchmark their own performance,” said Stephen Boyer, co-founder and CTO of BitSight. “Moreover, this data can be used to better inform companies of the risks posed when sharing data or network access with Fortune 1,000 organizations.”

Using evidence of security incidents from networks around the world, the BitSight Security Ratings Platform applies sophisticated algorithms to produce daily security ratings for organizations, ranging from 250 to 900, where higher ratings equate to lower risk. Previous studies from BitSight, independently verified by third parties, show that companies with a Security Rating of 500 or lower are almost five times more likely to experience a publicly disclosed breach than companies with a Security Rating of 700 or higher. Studies also show that organizations with a higher frequency of botnet infections (that is, actual system compromises) face a higher likelihood of breach.

“A primary reason Fortune 1,000 companies have a lower median Security Rating is due to higher frequency of system compromise on their networks,” said Boyer. “Awareness of the incident detection and response practices of third parties should factor into the process of screening new vendors.”

Fortune 1,000 companies’ security performance has recently declined overall: 52 companies improved, while 103 companies experienced rating drops from October 2016 to January 2017.
