What’s the security posture of the Fortune 1000?

BitSight analyzed the security posture of some of the world’s largest organizations, and identified the most common system compromises. For comparison, Fortune 1000 companies were studied alongside a random sample of 2,500 companies with a similar industry breakdown and with at least 2,500 employees.

The percentage of Fortune 1000 companies with at least one system compromise per month from March 1st 2016 through December 31st 2016

“Understanding the security maturity of Fortune 1000 companies provides greater context for any organization looking to benchmark their own performance,” said Stephen Boyer, CTO of BitSight. “Moreover, this data can be used to better inform companies of the risks posed when sharing data or network access with Fortune 1000 organizations. For example, a primary reason Fortune 1000 companies have a lower median Security Rating is due to higher frequency of system compromise on their networks. Awareness of the incident detection and response practices of third-parties should factor into the process of screening new vendors.”

The percentage of prevalent system compromises found on the networks of Fortune 1000 companies from March 1st 2016 through December 31st 2016

Key findings

• In the last 15 months, BitSight researchers found that at least one out of every 20 Fortune 1000 companies has experienced a publicly disclosed breach.
• A majority of Fortune 1000 companies have at least one remote administration service running on an open port; a sign that many companies may be inadvertently allowing unauthorized access to machines.
• In March, Bedep, a botnet resulting in actual machine compromise, was seen in one out of every five Fortune 1000 companies; as of December 2016 it was seen in just one out of every 20.
• Fortune 1000 companies’ security performance has recently declined overall: 52 companies improved, while 103 companies experienced rating drops from October 2016 to January 2017.

Open services and exposures

How do Fortune 1000 organizations fare in securing the services they run on their network? A majority of companies are running at least one remote administration service over an open port with a known vulnerability.

Specifically, more than half (55%) of Fortune 1000 companies are running Telnet without encryption, which can easily allow an attacker to eavesdrop on communications or control a machine remotely. VNC is another remote administration service which poses the risk of unauthorized access of machines. BitSight researchers found that 14% of Fortune 1000 companies have enabled VNC on an open port.