Synack: Federal agencies and banks have made the most cybersecurity improvements
The overall Attacker Resistance Score for the IT sector dropped this year due in part to digital transformation work, according to the 2020 Trust Report.
Banks and federal government agencies are holding up the best against cyberattacks while retail and manufacturing are faltering, according to a new report from Synack.
The 2020 Trust Report from the penetration testing company found that government and financial services scored 15% and 11% higher than all other industries in 2020.
Government agencies earned the top spot due in part to reducing the time it takes to remediate vulnerabilities by 73%. The overall score for government agencies is 61 in the third annual report, up from 47 in 2019. The overall score for financial services companies was up two points to 59 this year.
E-commerce companies improved their security stance because organizations prioritized testing for new apps and quickly fixed problems, according to the report. Brick and mortar companies had a more difficult time switching to all-digital operations over the past six months, which is reflected in their lower score.
Here’s what the entire list looks like:
- Federal government: 61
- Financial services: 59
- Healthcare: 56
- Technology: 55
- State, local, and education: 50
- Consulting/business and IT services: 48
- E-commerce: 47
- Retail: 46
- Manufacturing/critical infrastructure: 45
The average overall score was 53, down from 54 in 2019 and 56 in 2018. Companies with higher scores are better prepared to defend against a cyberattack.
The average Attacker Resistance Score is slightly lower than last year because of the speed with which many organizations have had to adapt to the COVID-19 pandemic, according to the report. After the rush to work from home in response to the coronavirus pandemic, Synack’s Red Team spent 70% more time researching assets between March and April compared to the same period last year.
The average time to find a vulnerability decreased slightly from 22.8 hours in last year’s report to 21 hours. XSS and authorization/permission vulnerabilities were the most common problems identified.
The report is based on Synack’s Attacker Resistance Score (ARS), which measures a company’s overall vulnerability to a cyberattack. The score is based on attacker cost (how much effort attackers have to put in to breach security defenses), the severity and number of security risks identified, and remediation efficiency (how quickly a company resolves vulnerabilities).
Digital transformation includes growing pains
The overall score for the IT services and consulting sector dropped this year. The report authors attribute this to organizations testing more assets and deploying more technology, which increases the number of vulnerabilities identified in security tests.
The IT sector also posted one of the best results on the time-to-find-a-vulnerability metric.
Increased pressure on manufacturing
The overall score for this sector dropped to 45 in 2020 from 70 in 2019. The 36% drop is the biggest one for any sector in the 2020 Trust Report. Manufacturing and critical infrastructure have been under significant pressure due to rapid shifts needed to meet guidelines to reduce the spread of COVID-19. That strain is evident in their weakened security posture.
Some organizations scored as high as 90. Many of those organizations use a continuous approach to testing, according to the report. The report also found that organizations that use a continuous approach to security testing have an 18% higher score than those that use point-in-time testing.
Synack recommends prioritizing the most critical vulnerabilities, establishing a manageable and repeatable remediation process, and building speed into the overall security strategy.
The data from the 2020 Trust Report comes from tests conducted on the Synack Crowdsourced Security Platform from 2019 through July 2020. Synack calculates a unique ARS metric between 0 and 100 for every asset, assessment and organization it tests.