The health care and retail sectors are particularly vulnerable to cybersecurity risks, according to a study released this week by security ratings provider BitSight. The study examined security performance across four different sectors between April 2013 and March 2014 to find quantifiable differences.
Companies receive scores between 250 and 900 from BitSight based on security performance, and the study produced average scores for companies in each sector. Financial services and utilities scored 765 and 751 respectively, faring much better than health care and retail, which scored 660 and 685 respectively.
Companies included in the study were drawn from the S&P 500, so results for SMEs may differ.
The average event duration in the health care field was the longest at 5.3 days. The Wall Street Journal reported that a pair of health care companies scored the lowest of all those examined, at around 400. BitSight also observed a dramatic rise in the number of security incidents in the health care sector during the study period, as well as a less dramatic rise in retail.
The study also offers some guidance on how to improve scores.
“Based on our analysis, it is clear that organizations that treat cyber security as a strategic issue perform better than those that view it as a tactical one,” Stephen Boyer, BitSight co-founder and CTO, said. “This partially explains the superior Security Ratings of financial institutions and electric utilities in the S&P 500 compared to retailers and healthcare companies.”
A study recently released by PricewaterhouseCoopers titled “2014 US State of Cybercrime Survey” also found that a lack of a strategic approach to cybersecurity spending is one of the deficiencies exhibited by companies in all sectors.
The North American health care cloud market is expected to reach $6.5 billion by 2018, but data breaches are estimated to cost the global industry as much as $5.6 billion annually.
The need for improved enterprise cybersecurity in general is well established, with a UK government report from last year encouraging companies to take the issue more seriously, and a recent Willis Group study indicating that some large retailers are not willing or able to comply with SEC cybersecurity disclosure requirements.