Posted on Nov 17, 2016
As a security company, we’re committed to empowering security professionals with the knowledge, and technology necessary to maintain their organization’s security and ensure that they can keep up with the always-evolving threat landscape. We’re happy to announce new predictive research that organizations can use to better secure their networks and react to any changes in their environment or that of their third parties.
Our data science department analyzed the security ratings of over 100,000 companies across 18 industries within a one-year time span and correlated breach likelihood based on 1000+ breach events with a 95% degree of confidence. We found high correlations for overall security ratings and four security factors: Social Engineering, Information Leak, Hacker Chatter, and IP Reputation.
Update 12/9: Some companies highlight predictive evaluations based on extremes, comparing the poorest possible ratings to the highest possible ratings. To illustrate a platform’s true predictive capability, a larger sample size that is more inclusive of the total population must be used.
If we were to apply a similar comparison to the research done using only the extreme outliers, we find that companies with a D or F have a 13.8x increase of breach likelihood compared to companies with the highest A score. Our analysis reinforces SecurityScorecard as the most accurate and predictive security rating service at a confidence interval of 95%
As the above graph shows, when it comes to overall security ratings, we found that companies with an average score of C or lower were 5.4x more likely to be breached compared to companies with an A or B.
The Social Engineering factor assesses a company’s susceptibility to phishing attacks by measuring the connection between corporate emails and suspicious websites, and the level of employee satisfaction which is known to be a factor in social engineering attacks. Organizations should be aware of any employee dissatisfaction and also discourage employees from using corporate emails for any personal services.
The Information Leak factor detects and finds publicly available sensitive information that may be lurking across the internet. Organizations should ensure that in the case of a previous data breach that may have exposed corporate emails and passwords, all employees should change their passwords and ensure they aren’t duplicating passwords. For more information on how large data breaches can affect organizations, check out our articles on the LinkedIn and Dropbox data breaches.
The Hacker Chatter factor has the highest breach correlation out of all of our security factors. We discovered low-scoring companies with a C,D or F have a 10.4 times higher likelihood of being breached compared to high-scoring companies with an A or B. The Hacker Chatter factor looks at underground hacker forums on the dark web for mentions of organizations as hackers usually discuss organizations when it pertains to a data breach, a discovered vulnerability, or as part of pre-hack planning.
The IP Reputation factor measures how much malware has been emanating from an organization’s network and for how long. Because malware prevention is an essential and basic aspect of any organization’s security responsibility, the presence of malware is indicative of an organization’s security posture as a whole. If malware is discovered in an organization’s network, there may be other severe vulnerabilities that a hacker can exploit.
For your organization and most critical third-parties, you should keep a close eye on these four factors and the overall security rating. If the rating drops to a C or lower, take immediate action to resolve any new vulnerabilities to reduce the likelihood of a breach incident from happening to you or your third-parties. The alert feature can give you daily updates on score fluctuations, ensuring that you’re notified if one of these factors drop to a C or lower for any company that your organization does business with.
Get your free security rating and discover how your organization performs across all 4 security factors today.
Check out our list of 3 top third party risk management (TPRM) challenges, and the actions you can take to bolster your program. Learn more.
Performing cybersecurity risk assessments is a key part of any organization’s information security management program. Read our guide.
Templates and vendor evaluations are needed to level that playing field, in a time efficient and fair way, so that the best vendors are chosen.
No waiting, 100% Free
Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.