Skip to content ↓ | Skip to navigation ↓

Analysis of the Security Ratings for S&P 500 companies in four major industry verticals reveals that the retail, healthcare and pharmaceuticals sectors seriously lag behind the financial and utilities sectors is their security postures.

The study found that the healthcare and pharmaceutical industry is quite similar to the retail sector in that they both have a high number of security-related incidents and both demonstrate slower response times to events, and both sectors compare poorly to the finance and utilities sectors in overall security performance.

“Many retailers do indeed have strong security practices, and the recent announcement from the Retail Industry Leaders Association (RILA) about the creation of a Retail Cyber Intelligence Sharing Center is certainly a step in the right direction. However, cyber security still needs greater resources and executive level attention across the industry,” said Chris Poulin, IANS Faculty Member.

Key findings by industry sector include:


  • Security performance of the retail industry generally declined in over the last year
  • The number of security events observed by increased nearly 200% from April 2013 to March 2014
  • Zeus and Zero Access accounted for one third of all malware detected in the retail industry

Healthcare and Pharmaceuticals:

  • The spread in performance rating across the industry is significant, many companies that are seriously underperforming compared to some industry peers
  • The sector was subject to the largest percentage increase in the number of security incidents
  • The average event duration of a security event is longer than any other industry


  • The average rating was highest of all of the industries analyzed despite an increase in the number of incidents
  • Zeus malware accounted for 33% of the malware detected
  • The finance industry had the shortest average security event duration


  • The range of ratings within the utilities sector is relatively narrow, the majority of companies are high performers
  • Redyms accounted for 26 percent of malware detected
  • Success is likely the result of both executive-level focus on cyber risk as well as industry regulation

“These strong Security Ratings of the electric utilities in the S&P 500 are no surprise, in my experience, large IOUs (Investor Owned Utilities) have fairly sophisticated IT security practices. Like large financial institutions, they have significant security budgets and cyber risk has executive level visibility. Although NERC CIP only applies to portions of these IOUs, it has lead to a significant shift in attitudes towards cyber security in large utilities,” said Dave Dalva, VP of Security Science at Stroz Friedberg.

Full Report Here (form required)…