Despite being relentlessly targeted by phishing and spam, the banking and healthcare sectors are still the least likely to use email security technologies to protect their customers, according to Agari's Email TrustIndex for 2014.
As reported in the past, Agari's TrustIndex is an attempt to calculate an overall security score for individual firms in 11 sectors by looking at a combination how often each is targeted against the adoption of email anti-spoofing technologies that protect against exploitation.
In principle, firms that are targeted relatively infrequently and adopt the all three of main email protection technologies - SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authetication Reporting and Conformance - will achieve the highest final score.
In practice, however, firms in all sectors are targeted by criminals for periods in any year and so adopting a high level of email security is the most important way of getting a better rating.
For 2014, the US healthcare sector scored rock bottom, with an extraordinary 93 percent given an overall 'TrustScore' below 50, meaning they were considered to be vulnerable. None were rated as merely 'at risk' (i.e average) with a mystery 7 percent achieving excellence in the top 'safe' category.
In other words, healthcare is a sector marked by a mass of firms with low adoption rates and a tiny number with extremely high adoption rates. Given the number of breaches in the healthcare, it's a curious contrast between what Agari would characterise as good and bad practice.
Banking wasn't much better with 75 percent of European banks and 62 percent of large global brand banks rated as 'vulnerable' with scores below 50. In both sectors, all of the rest were merely 'at risk'. In contrast, mega banks achieved the top rating which suggests a surprisingly wide variation in performance for this sector too.
Just above this abysmal performance were traditional retail (i.e. not exclusively online), airlines, and travel, with the best performers in addition to mega-banks being social media and logistics.
Agari names firms within sectors it thinks have done a good job, with Facebook, Apple, Netflix, American Express, Amazon, Visa, UPS and Google all in the top category.
In the second tier were DHL, Gap, Flickr, US Postal, William Hill and UK retailers John Lewis and Tesco, leaving the Royal Bank of Scotland, Sears, US Airways, Walmart, Last.fm, and Dell among others to languish in the lowest TrustIndex category.
"We saw a record number of US data breaches in 2014 and cyber-attacks are a steady drumbeat of increasing breadth and severity, with the FBI now ranking cybercrime as one of its top law enforcement activities," said Agari's founder and CEO, Patrick Peterson.
"For all its ubiquity and convenience, email remains the single most effective and widely used vector of attack. Our State of Email Trust report shows that companies are starting to take email security more seriously, but there's still a long, long way to go."
He praised President Obama's recent executive order that firms share threat data with one another as a "step in the right direction."
In December, Agari looked at email security adoption rates among the UK's best-known firms - none achieved the top 'rock star' rating.