How secure is the data at America's Fortune 1000 organizations?
Recent cyberattacks have shed light on the fact that no device, company or nation, large or small, can defend against all attacks. Last year was a perfect example of the challenges organizations face: a record number of breaches occurred, and while some incidents resulted in relatively few records lost, other breaches brought about mass data loss never seen before.
With increasing budgets and a greater number of resources being dedicated to security, do America’s largest organizations fare better than their corporate counterparts? Or when it comes to cybersecurity, is it an even playing field?
Fortune 1000 companies are critical to the supply chains of many organizations, so understanding their security performance is extremely important.
BitSight, which rates the security preparedness of organizations, recently set out to understand the security posture for some of the world’s largest organizations. To do this, researchers measured the security performance of Fortune 1000 companies. For comparison, these companies were studied alongside a random sample of 2,500 companies with a similar industry breakdown.
Here are some of the key findings:
At least one out of every 20 Fortune 1000 companies has experienced a publicly disclosed data breach.
This is nearly double the rate observed in non-F1000 companies, for which one in every 40 disclosed a breach. A likely factor for this may be that F1000 organizations possess the types of data that make them more likely to have a legal obligation to disclose a breach.
A greater percentage of Fortune 1000 companies exhibit a security rating below 640, compared to their non-F1000 counterparts.
BitSight generates ratings on organizations using evidence of security incidents from networks around the world -- it sees indicators of compromise, infected machines, improper configuration, poor security hygiene and potentially harmful user behaviors. In this report, 69 percent of F1000 companies are above BitSight’s “Basic” category (250-640), while 73 percent of non-F1000 companies performed above this threshold.
Fortune 1000 companies’ security performance has recently declined overall.
While there has been some upward movement among F1000 companies, more of these companies fell to a lower security rating threshold than those that increased to a higher threshold. From October 2016 to January 2017, 59 F1000 companies dropped below a BitSight Security Rating of 700.
More significantly, 10 of these fell below a rating of 500, where the likelihood of breach increases significantly. As a whole, 52 companies moved up, while 103 companies experienced drops.
In March 2016, four out of every 10 Fortune 1000 companies exhibited system compromises; as of December 2016, this fell to three out of every 10.
A large percentage of F1000 companies exhibit system compromises on their networks. Common examples of system compromises are botnet infections, which an attacker can use to carry out malicious activities such as sending spam messages or performing DDoS attacks against a website or service.
Despite the great risks presented by system compromises, F1000 companies reduced the number of system compromises from March to December of 2016. That said, the percentage is still far greater than among non-F1000 companies, where system compromises were seen in just 21 percent of companies.
AndroidBauts and Necurs gain prominence in Fortune 1000 companies.
AndroidBauts surged in F1000 companies. Nearly one out of every 10 companies has exhibited this type of malware on its network. The influx is a clear sign that mobile devices are increasingly posing risk to companies, as this family of malware is found on Android devices and often originates from malicious apps downloaded from the Google Play store.
Similarly, Necurs has also remained prominent and has infected a similar rate of F1000 companies. This botnet has widely been known for its capabilities to send spam, but it also presents other, more serious risks. Necurs has been a large driving force behind Locky Ransomware campaigns, and more recently has been discovered to have powerful DDoS capabilities.
In March, Bedep was seen in one out of every five Fortune 1000 companies; as of December 2016, it was seen in just one out of every 20.
In early 2016, Bedep continued as a prominent infection in F1000 companies and was prevalent in 21 percent of F1000 organizations as of March 2016. However, by July 2016, Bedep was observed in less than 5 percent of organizations. This sharp decline is likely due to the takedown of the Angler Exploit Kit in June 2016, when Russian cyber criminals tied to the distribution of this kit were arrested.
A majority of Fortune 1000 companies have at least one remote administration service running on an open port.
Specifically, more than half (55 percent) of F1000 companies are running Telnet without encryption, which can easily allow an attacker to eavesdrop on communications or control a machine remotely. VNC is another remote administration service which poses the risk of unauthorized access of machines. Researchers found that 14 percent of F1000 companies have enabled VNC.
Many organizations also run databases on open ports. Eight percent of F1000 companies have at least one instance of PostgreSQL exposed on the internet, which could lead to attackers assuming control of databases and compromising records.
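The two findings above (remote administration services such as Telnet and VNC, and databases such as PostgreSQL reachable from the internet) are the kind of exposure an organization can check for itself from its own external port inventory. The following is an added example, not BitSight's code or anything from the report: it takes a constructed inventory in a hypothetical "host port proto service" format (the hosts are documentation addresses, not real systems), flags the services the report names, and counts affected hosts per category the way the report counts affected companies. The port numbers are the IANA defaults; the service-name match covers instances on non-default ports, such as additional VNC displays.

```python
"""
Flag internet-exposed remote-administration and database services in a
port inventory. Added illustration; not BitSight's code. The inventory
format and the sample data below are constructed for this example.
"""
from dataclasses import dataclass

# Services the report calls out, with the category and the risk they carry.
SERVICE_RULES = {
    "telnet":     ("remote admin", "cleartext protocol: sessions and credentials can be eavesdropped"),
    "vnc":        ("remote admin", "remote desktop service: unauthorized access if reachable from the internet"),
    "postgresql": ("database",     "database reachable from the internet: records can be exposed or altered"),
}

# IANA default ports, used when the inventory's service column is uninformative.
PORT_TO_SERVICE = {23: "telnet", 5900: "vnc", 5432: "postgresql"}

# Constructed sample inventory (documentation addresses, not real hosts).
SAMPLE_INVENTORY = """\
203.0.113.10 22 tcp ssh
203.0.113.10 23 tcp unknown
203.0.113.11 443 tcp https
203.0.113.12 5900 tcp vnc
203.0.113.12 5901 tcp vnc
203.0.113.13 5432 tcp postgresql
203.0.113.14 80 tcp http
"""


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    service: str
    category: str
    reason: str


def parse_inventory(text):
    """Parse 'host port proto service' lines; blank or malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[1].isdigit():
            continue
        host, port, proto, service = parts
        entries.append((host, int(port), proto.lower(), service.lower()))
    return entries


def classify(entries):
    """Return one Finding for every TCP entry that is a flagged service.

    The service column wins when it names a known service; otherwise the
    default port is used, so 'unknown' on port 23 is still treated as Telnet.
    """
    findings = []
    for host, port, proto, service in entries:
        if proto != "tcp":
            continue
        name = service if service in SERVICE_RULES else PORT_TO_SERVICE.get(port)
        if name is None:
            continue
        category, reason = SERVICE_RULES[name]
        findings.append(Finding(host, port, name, category, reason))
    return findings


def summarize(findings):
    """Count distinct affected hosts per category (the report's per-company view)."""
    hosts_by_category = {}
    for f in findings:
        hosts_by_category.setdefault(f.category, set()).add(f.host)
    return {category: len(hosts) for category, hosts in hosts_by_category.items()}


if __name__ == "__main__":
    found = classify(parse_inventory(SAMPLE_INVENTORY))
    for f in found:
        print(f"{f.host}:{f.port:<5} {f.service:<10} [{f.category}] {f.reason}")
    print(summarize(found))
```

Run against a real inventory, the useful output is the per-host list rather than the counts: each flagged line is a service that should either be moved behind a VPN or SSH, restricted by firewall to known sources, or, for Telnet, replaced by an encrypted protocol.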