
New Report Reveals Nation’s Largest Public Companies Suffer from Systemic Cybersecurity Challenges

Posted on January 4th, 2018

NEW YORK – January 4, 2018 – SecurityScorecard, the leader in security ratings, today released a landmark new report entitled ‘SecurityScorecard Big 500 Index: A Cybersecurity Analysis of 500 Major Publicly-Traded U.S. Companies’ that examines the cybersecurity posture of some of the largest publicly traded U.S. companies. The report analyzes the performance of 500 companies as a cohort against the performance of 18 U.S. industries. Companies included in this report are, have been, or have similar characteristics to companies included in the S&P 500 index.

“While the stock market has reached all-time highs, a major cybersecurity incident can wipe out billions of dollars in value overnight,” said Fouad Khalil, Head of Compliance at SecurityScorecard. “The vast majority of companies in the Big 500 group have similar issues that resulted in major breaches in the past. In particular, patching cadence, which is precisely the issue that led to the Equifax breach, is still a serious concern. While most companies think they have this covered, the report proves otherwise. From a cybersecurity and compliance perspective, such basic hygiene issues need to be prioritized and addressed as a part of a good corporate governance strategy.”

Key Insights:

  • The Big 500 group ranked 12th when compared to 18 other U.S. industries in overall cybersecurity performance
  • Seventy percent of top performers exhibited a lack of due diligence regarding patching cadence
  • There were more than 100 million issues related to patching cadence found in the 500 group in a span of just five months in 2017
  • Within the Big 500 group, pharmaceutical companies, financial services companies, and construction companies were the worst patching practice offenders
  • The three most common patching issues found within the Big 500 group were:
    • Medium-risk Common Vulnerabilities and Exposures (CVEs) detected within attributed corporate IP space
    • Services that had reached End of Life dates detected within attributed corporate IP space
    • Products that had reached End of Service dates detected within attributed corporate IP space
  • The Big 500 group scored the lowest in social engineering and second from last for password exposure

Slow patching cadence is a key indicator of risk. It demonstrates a lack of resources to implement an available fix or to deal with the overhead of additional effort that may emerge as a byproduct of the fix. It also indicates a lack of awareness regarding the existence of the vulnerability and its patches. It is generally recognized that 80 percent of attacks exploit vulnerabilities for which patches already exist.

A complimentary copy of the report can be downloaded by clicking here. To receive a free SecurityScorecard assessment and consultation for your business, visit

About SecurityScorecard
Headquartered in the heart of New York City, SecurityScorecard’s vision is to create a new language to measure and communicate security risk. The company was founded in late 2013 by Dr. Aleksandr Yampolskiy and Sam Kassoumeh, two former cybersecurity practitioners who had served, respectively, as Chief Information Security Officer and Head of Security & Compliance. With cloud solutions becoming an increasingly integral part of the security technology stack, Yampolskiy and Kassoumeh recognized the need to address third- and fourth-party risk as well as better understand the security capabilities of their business partners. Since its founding, the company has grown dramatically and now counts hundreds of leading brands as customers. For more information, visit
