
Attack surface in numbers: Which market faces the highest risks?

by Cybersprint Blog 12 May 2021

The need for cybersecurity is shared by organisations in all markets. Every business has valuable data to protect and operations to maintain. Yet, no organisation is completely risk-free - that is impossible to achieve anyway. Luckily, they don’t have to be. Not all risks have the same potential impact. Some are accepted and need no further action, while others need to be prioritised. It’s these high-risk assets that need attention.

Additionally, the type of risk organisations face most can differ greatly depending on the market they are in. Brand abuse and product imitation, for example, are of bigger concern to retail and ecommerce than they are to a governmental organisation.

With both differences and similarities in terms of cybersecurity challenges, we wondered:

What is the difference between organisations in various markets and the cybersecurity challenges they face?

Do organisations in a specific field face more impactful risk than others do?

And is the most recurring type of risk different for the markets?

Market research

We compared data on organisations from six different markets to find out how digital risk varies between them. Using our Attack Surface Management platform, we mapped the attack surface of multiple small, medium, and large organisations across six different markets in the US and Europe. The graph below shows the percentage of high risks identified in the attack surfaces of organisations per market vertical.

[Graph: percentage of high risks identified in the attack surfaces of organisations per market vertical]

It’s important to note we determined the level of risk with the automated assessments of our Attack Surface Management platform. It assigns risk scores to individual assets based on likelihood of abuse, technical details, potential impact, links to other systems, and more. Risk scores range from A (all is well, no action needed) to F (high risk, immediate action required).

For this research, the high-risk assets are those with a risk score of E and F. These are assets showing issues such as known vulnerabilities, serious software misconfigurations, expired certificates, etc.

Financials as front-runners

Across all markets, at least 10 percent of all attack surfaces contain critical risks. For manufacturing and pharmaceutical organisations, high-risk assets were found in over a quarter of their total attack surfaces. That is almost three times as many critical risks as for financials.

One explanation is that financials are often front-runners when it comes to cybersecurity. They are preferred targets for threat actors because of the high financial gain, which also means their IT teams must use innovative solutions to stay ahead of the threat. Furthermore, security regulations imposed on financials often find their way to other markets a few years later, making financials the front-runners.

Yet, even though financials score better than the other markets, they often also have a large attack surface. In the end, whether you’re in the financial or pharmaceutical market, that 10 to 29 percent could still amount to a great many high-risk assets. That presents threat actors with more potential entry points and attack methods at their disposal.

What type of risk is most common?

As we investigated the percentage of high-impact risk for each market, certain risk types were more apparent for certain markets. We listed the most common type per market vertical below.


Market            Most common risk type

Financial         Compliance errors
Chemical          Vulnerabilities
Governmental      Vulnerabilities
Pharmaceutical    Vulnerabilities
Retail            Domain security
Manufacturing     Domain security

The study shows financial institutions are most frequently faced with compliance errors. These are issues such as misconfigurations in cookie and privacy settings, or unsecured login forms. Risks include GDPR violations (resulting in hefty fines) and data leaks.

Vulnerabilities are the most common risk for the chemical, governmental and pharmaceutical markets. This means assets run vulnerable software that isn’t patched after a CVE has been published, or software that is generally not up to date. This could result in hacks, ransomware attacks, supply chain attacks, and more.

Finally, we see domain security as the most frequent security risk for the retail and manufacturing markets. Examples are expired domain certificates, insufficiently protected DNS records, or misconfigured SSL certificates. Abuse of such aspects can lead to DNS hijacks, subdomain takeovers, or decreasing customer trust and website visits.

Keeping an eye on risk

Though having effective cybersecurity processes will limit your risk exposure, you cannot completely avoid or protect from all sorts of digital risks. However, having the right tools will help identify, solve, and monitor the most pressing risks within your attack surface.

An automated solution which maps the attack surface for you does not only save time and resources, it also provides an outside-in perspective on the market-specific risks your organisation faces. It generates more holistic insights into the business risks, helping you to identify and prioritise the issues in your most important environments.

Are you interested in seeing how such a solution has helped an international organisation map and reduce the risks in its attack surface? Click below to read an interview with one of our clients, PostNL.

Read the Use Case by PostNL

Securing critical infrastructure: new regulations mandate control

The name itself says it already: organisations in critical infrastructure are vital in the services they provide to society. Should something go wrong in their daily operations, it can have severe consequences and disrupt individual people and other companies. That doesn’t necessarily mean they are more often targeted in (cyber-)attacks, but it does pose an extra reason to prevent any successful attack. Such organisations have often been in charge of their own cybersecurity, guided by regulations. Now, though, authorities in the EU are starting to keep a closer watch with the RCE directive. What is the EU RCE? And how should critical infrastructure organisations prepare?


Mandatory IT audits: risk scores don’t mean security

More organisations in the Netherlands recognise the need for an active approach to stay in control over their attack surfaces in order to mitigate risks. Every organisation is able to create their own IT security governance and processes. Now, though, a new standard might be introduced in the form of an annual, mandatory IT audit. Is this a development helping businesses further? Or one that doesn’t really add anything other than paperwork?


Determining your cybersecurity maturity

How safe your organisation is from a cybersecurity point of view depends on a lot of factors. Not only should your private and confidential data be kept private and confidential through a plethora of technical defenses, there are also, among others, many processes such as for IT governance and incident response to consider. How your organisation deals with all these challenges determines its cybersecurity maturity. But why is determining this maturity level important?
