Over 60% of the Fortune 1000 had at least one public breach over the last decade. Things have improved in recent times, but not by much. Researchers now estimate that 40% of the firms on the list will suffer a cyber loss this year and every year after.
Every year, Fortune Magazine publishes a list of the largest 1,000 US companies as measured by annual revenue. Subsets of this list include the Fortune 500 (the top 500 firms) and the Fortune 100 (the top 100 firms). Since companies slide up and down the rankings each year and enter and exit regularly, Cyentia researchers used the Fortune 1000 as published in 2019 to have a static set of organizations for their analysis.
The study leverages a vast dataset spanning 56,000 cyber events at 35,000 organizations over the last decade. That dataset comes courtesy of Advisen’s Cyber Loss Data, which contains nearly 100,000 cyber events collected from publicly verifiable sources.
It’s no surprise that cybercriminals fancy hacking the top players in a given industry to maximize their chances of a fat paycheck. Some organizations suffer multiple incidents in a single year, depending on where they rank on the list. In 2005, for instance, 5% of firms in the Fortune 1000 had more than one breach. That peaked a decade later, with 20% registering multiple breaches in 2015.
The multi-breach rate has since stabilized and even declined, analysts found. However, some patterns have emerged for certain positions. For example, there’s about a 20% chance that one of the top 250 organizations will report four or more cyber loss events. By comparison, the likelihood of the bottom tier suffering that many breaches drops to just under 2%, researchers said. These include small to medium-sized businesses, like service providers.
“The largest organizations are not only more likely to have a breach; they’re also much more likely to have larger numbers of breaches,” Cyentia researchers reasoned. “Breach frequencies for firms in the lowest tier of the Fortune 1000 drop quickly at first but then level off. They have about the same chance of having six incidents as having 10.”
The likelihood of breaches also varies by industry. Government agencies, administrative and information services, as well as financial and management firms, have the highest breach rates, researchers said. Construction, agriculture, and mining are near the bottom.
Financial losses following a cyber event typically total about $200,000 each, but 10% of breaches exceed $20 million. Extreme events cost the mega corporations in the Fortune 250 some $100 million per event. The information services and retail sectors suffer abnormally high losses, exceeding many other sectors by a factor of 10, according to the report.
In another key finding, researchers said there is a 6% chance that a Fortune 1000 firm will lose $100 million or more in a 12-month period due to cyber events.