A report by the cybersecurity company Rapid7 examined the overall cyber-exposure and security of the companies listed in the FTSE 250 index.The report reveals that FTSE 250+ organisations, on average, expose 35 servers and devices, with many companies exposing over 1,000 systems/devices.
88% of the FTSE 250+ organisations (231) have weak or nonexistent anti-phishing defences in the plug email configuration of their primary email domains, while 70% of the firms were found to not be implementing Dmarc, despite phishing being the most common cyber attack businesses face.
It was also identified that 19% of FTSE 250+ organisations do not enforce SSL/TLS security on their primary websites, which in turn leaves victims open to a wide array of attacks “by adversaries in a position to modify web content as it is being transmitted”.
At least one organisation in all industry sectors had malware infections with Administrative and Professional organisations displaying monthly signs of regular compromise. The incidents ranged from EternalBlue-based campaigns to denial-of-service (DoS) amplification attacks.
Additionally the report revealed that 114 FTSE 250+ organisations utilise between two and seven cloud service providers, however this could be exploited and used to craft highly targeted attacks.
On a positive note, only in a few organisations were severely vulnerable services such as Telnet and Windows SMB present. The report noted SMB as an extremely dangerous service for a system to be exposed to.
“UK industry really took it on the chin with WannaCry, which was a big deal in the UK specifically. As a result, UK corporates and internet service providers have really gone out of their way to reduce the use of SMB in the past two years,” said the research director at Rapid7, Tod Beardsley.
The report wrote:
“The report reveals that even among very large, mature, and well-resourced organisations, we see evidence of cybersecurity basics being missed or deployed insufficiently.
“This hints at the complexity and breadth required for a comprehensive security program, which is a never-ending challenge in which there is always more that can be done, constrained by limited resources and time, regardless of the size of the organisation.”