The Bitsight Security Ratings' Correlation to Ransomware

Evidence-Based Strategies to Lower Your Risk of Becoming a Ransomware Victim

Background

No organization can prevent 100 percent of cyberattacks. The ENISA Threat Landscape report showed that more than 66 percent of healthcare organizations experienced an attack in 2019, and the first case of triple extortion—in instance when an attacker makes ransom demands of the initial target and the victim’s clients—was seen in October 2020. But, companies can follow best practices to minimize the likelihood of an attack. For example, companies need a relentless focus on core security hygiene, or the practice of ensuring cybersecurity controls practice, and people to perform effectively every day. Based on analyzing ransomware attacks, Bitsight uncovered a clear correlation to security hygiene—measured with Bitsight Security Ratings—to the likelihood of falling victim to ransomware.

Study Overview

The Bitsight research team analyzed hundreds of ransomware events over five six-month periods to estimate the relative probability that a company will experience a ransomware event. Bitsight data scientists benchmarked companies with an advanced Bitsight Security Rating of 750 or higher for security effectiveness. Overall, companies with a rating lower than 600 are 6.4 times more likely to be a ransomware victim compared to those with a 750+ rating, and companies with a rating between 600-650 are 4.6 times more likely.

Where a Security Rating provides a high-level view of a company’s security posture, drilling down into graded risk vectors shows specific gaps to remediate. In this study, three risk vector ratings of a C grade or lower correlated to clear ransomware risk indicators:

	Patching Cadence: Companies with a C grade in Patching Cadence are nearly seven times more likely to experience a ransomware incident.
	TLS/SSL Certificates: Companies with a C grade in TLS/SSL Certificates are nearly three times more likely to experience a ransomware incident.
	TLS/SSL Configurations: Companies with a C grade in TLS/SSL Configurations are nearly four times more likely to experience a ransomware incident.

Business Impact

Overall, organizations across all industry sectors can use this information to drive risk-aware business decisions. Security Ratings and risk vector ratings indicate a company’s risk of experiencing a ransomware attack, and businesses can take action with Bitsight Ratings by:

• Improving the cadence to patch vulnerabilities. Organizations that patch old vulnerabilities within a week are the highest-performing companies and have strong governance, operations, management, asset inventory, and other fundamental IT management and security practices.
• Identifying gaps in security hygiene. Vulnerabilities indicate poor security performance for an organization. Pay attention to TLS/SSL configuration and certification and do not allow obsolete protocols.
• Remediating vulnerabilities in widely-deployed technology. Ransomware used to be delivered mainly through phishing attacks. Modern, large-payment demands often abuse recent vulnerabilities in widely-deployed technology that yields easy access to the target’s infrastructure.