
Attack surface in numbers: Which market faces the highest risks?

by Cybersprint Blog 12 May 2021

The need for cybersecurity is shared by organisations in all markets. Every business has valuable data to protect and operations to maintain. Yet, no organisation is completely risk-free - that is impossible to achieve anyway. Luckily, they don’t have to be. Not all risks have the same potential impact. Some are accepted and need no further action, while others need to be prioritised. It’s these high-risk assets that need attention.

Additionally, the type of risk organisations face most can differ greatly depending on the market they are in. Brand abuse and product imitation are of bigger concern to retail and ecommerce than they are to a governmental organisation, for example.

With both differences and similarities in terms of cybersecurity challenges, we wondered:

What is the difference between organisations in various markets and the cybersecurity challenges they face?

Do organisations in a specific field face more impactful risk than others do?

And is the most recurring type of risk different for the markets?

Market research

We compared data on organisations from six different markets to find out how digital risk varies between them. Using our Attack Surface Management platform, we mapped the attack surface of multiple small, medium, and large organisations over six different markets throughout the US and Europe. The graph below shows the percentage of high risks identified in the attack surfaces of organisations per market vertical.

[Graph: percentage of high risks identified in the attack surfaces of organisations per market vertical]

It’s important to note we determined the level of risk with the automated assessments of our Attack Surface Management platform. It assigns risk scores to individual assets based on likelihood of abuse, technical details, potential impact, links to other systems, and more. Risk scores range from A (all is well, no action needed) to F (high risk, immediate action required).

For this research, the high-risk assets are those with a risk score of E and F. These are assets showing issues such as known vulnerabilities, serious software misconfigurations, expired certificates, etc.

Financials as front-runners

Over all markets, at least 10 percent of all attack surfaces contain critical risks. For manufacturing and pharmaceutical organisations, high-risk assets were found in over a quarter of their total attack surfaces. That is almost three times as many critical risks compared to financials.

One explanation is that financials are often front-runners when it comes to cybersecurity. They are preferred targets for threat actors because of the high financial gain, which also means their IT teams must use innovative solutions to stay ahead of the threat. Furthermore, security regulations imposed on financials often find their way to other markets a few years later, making financials the front-runners.

Yet, even though financials score better than the other markets, they often also have a large attack surface. In the end, whether you’re in the financial or pharmaceutical market, there could still be a great many high-risk assets residing in that 10 to 29 percent. That presents threat actors with more potential entry points and attack methods at their disposal.

What type of risk is most common?

As we investigated the percentage of high-impact risk for each market, certain risk types were more apparent for certain markets. We listed the most common type per market vertical below.

| Market         | Most common risk type |
|----------------|-----------------------|
| Financial      | Compliance errors     |
| Chemical       | Vulnerabilities       |
| Governmental   | Vulnerabilities       |
| Retail         | Domain security       |
| Manufacturing  | Domain security       |
| Pharmaceutical | Vulnerabilities       |

The study shows financial institutions are most frequently faced with compliance errors. These are issues such as misconfigurations in cookie and privacy settings, or unsecured login forms. Risks include GDPR violations (resulting in hefty fines) and data leaks.

Vulnerabilities are the most common risks for the chemical, governmental and pharmaceutical markets. This means the attack surface contains vulnerable software that isn’t patched after a CVE has been published, or software that is generally not up to date. This could result in hacks, ransomware attacks, supply chain attacks, and more.

Finally, we see domain security as the most frequent security risk for the retail and manufacturing markets. Examples are expired domain certificates, insufficiently protected DNS records, or misconfigured SSL certificates. Abuse of such aspects can lead to DNS hijacks, subdomain takeovers, or decreasing customer trust and website visits.

Keeping an eye on risk

Though having effective cybersecurity processes will limit your risk exposure, you cannot completely avoid or protect from all sorts of digital risks. However, having the right tools will help identify, solve, and monitor the most pressing risks within your attack surface.

An automated solution which maps the attack surface for you does not only save time and resources, it also provides an outside-in perspective on the market-specific risks your organisation faces. It generates more holistic insights into the business risks, helping you to identify and prioritise the issues in your most important environments.
