Fortune 1000 organizations are acknowledged for generating significant amounts of revenue. Yet beyond bringing in a considerable amount of money, these companies are also integral to the supply chains of many organizations around the world. Recognizing this, BitSight researchers set out to understand the security strengths and weaknesses found in Fortune 1000 companies. Companies that share data and network access with these organizations should be cognizant of common cyber risks found within these organizations, and use this insight to better inform their third party risk management programs.
Rating the Security Performance of Fortune 1000 Companies
How do Fortune 1000 companies perform in comparison to similar organizations? To answer this question, BitSight studied Fortune 1000 companies alongside “Non-F100 companies” (a random sample of 2,500 companies with a similar industry breakdown, and with at least 2,500 employees).
At the high end of the spectrum, Fortune 1000 companies are performing on par with similar Non-F1000 organizations. Twenty-five percent of companies in both sets have BitSight Security Ratings above 750, placing them in BitSight’s Advanced category (ratings that span from 740-900). However, the median rating for Fortune 1000 is 700 while the median rating for Non-F1000 companies is 730. At the bottom end of the spectrum, 69% of Fortune 1000 companies perform above BitSight’s Basic category (which spans ratings of 250-640). This is lower than Non-F1000 companies, for which 73% of companies fall above this category.
Rate of System Compromises
A primary reason Fortune 1000 companies have a lower median BitSight Security Rating is that a larger percentage of these organizations exhibit system compromises on their network. (To see which system compromises are most prevalent, grab a copy of the report here!). As of December 2016, 30% of Fortune 1000 companies had system compromises on their networks. System compromises were seen on just 21% of Non-F1000 companies.
Lastly, BitSight observed that 4.9% of Fortune 1000 companies experienced a publicly disclosed breach within the last 15 months. This is nearly double the rate we observed in our other set of 2,500 companies, for which 2.75% of companies disclosed a data breach. A likely factor for this may be that Fortune 1000 organizations possess the types of data that make them more likely to have a legal obligation to disclose a breach. Nonetheless, the difference in the rate of breach depicts the great risks faced by these large companies.
What should actions should Fortune 1000 companies and their business partners take in order to reduce cyber risk? Download the latest BitSight Insights report to find out.