Digital transformation and the loss of security control
Unpatched web infrastructure and decentralised web management practices are leaving UK organisations vulnerable to cyber-attacks and high-profile data breaches. New RiskIQ research reveals a loss of control among the FT30, expanding their digital attack surface and opening doors to cyber criminals.
Summary of risk findings across 99,467 live websites
What’s leaving businesses exposed to cyber attack?
New insight exposes five key areas leaving businesses exposed to cyber attack as a result of increasing digital transformation: servers and frameworks, certificates, test sites, data collection, and web management.
Cyber criminals are constantly researching organisations’ digital footprints and exploiting known vulnerabilities. Worryingly, RiskIQ discovered 5,127 at-risk servers and 2,045 at-risk frameworks among the UK’s top 30 firms. This is an average of 171 at-risk servers and 68 at-risk frameworks currently existing per organisation.
Assessing the public websites of the FT30
When assessing the public websites of the FT30, a total of 99,467 live websites were discovered; an average of 3,315 websites per business. Such expansive digital presence is the result of digital transformation efforts which can often result in the loss of security control, leading to opportunities for cyber adversaries to exploit weaknesses and access critical business and customer information.
Whilst businesses continue to be exposed to risk outside of the firewall, there is simultaneously an impact on consumer trust and long-term business success. For example, expired or untrusted certificates result in browser warning messages that dent consumer confidence and can lead to disengagement. The research uncovered an average of 35 expired certificates and 250 untrusted certificates per organisation.
Data collection
Risk is also present when it comes to data collection within the FT30. If done insecurely, this can lead to loss or fraudulent use of customer data, whilst damaging a business’s reputation and revenue. A total of 13,194 instances of data collection through login or input forms were discovered, of which over a quarter (29%) had no encryption, and 5% were using old encryption algorithms or expired certificates.
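As an added illustration of the two checks behind the certificate and data-collection findings above (this is example code written for this page, not RiskIQ's tooling or methodology), the script below classifies certificates as expired, expiring, untrusted or ok, and flags login or input forms whose action posts over plain HTTP. The hostnames, dates and HTML are constructed for the example; the certificate records follow the shape of Python's ssl.getpeercert() output, and the "trusted" field is an assumption standing in for the result of chain validation, which getpeercert() itself does not report.

```python
import ssl
import time
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed inventory. "notAfter" uses the format ssl.getpeercert() returns;
# "trusted" is an assumed field recording whether chain validation succeeded.
SAMPLE_CERTS = {
    "shop.example.test":   {"notAfter": "Jan 10 00:00:00 2020 GMT", "trusted": True},
    "portal.example.test": {"notAfter": "Jan 10 00:00:00 2099 GMT", "trusted": False},
    "mail.example.test":   {"notAfter": "Jun 20 00:00:00 2024 GMT", "trusted": True},
    "www.example.test":    {"notAfter": "Jan 10 00:00:00 2099 GMT", "trusted": True},
}

# Fixed "current time" so the classification is reproducible (constructed).
AS_OF = ssl.cert_time_to_seconds("Jun 01 00:00:00 2024 GMT")

# Constructed pages: (URL the page was served from, its HTML).
SAMPLE_PAGES = [
    ("http://legacy.example.test/login",
     '<form action="/login" method="post">'
     '<input name="user"><input type="password" name="pass"></form>'),
    ("https://www.example.test/",
     '<form action="http://search.example.test/q"><input name="q"></form>'
     '<form action="/contact" method="post"><input name="msg"></form>'),
]


def classify_certificate(cert, now=None, warn_days=30):
    """Return 'expired', 'expiring', 'untrusted' or 'ok' for one certificate record."""
    now = time.time() if now is None else now
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    if expires < now:
        return "expired"
    if not cert.get("trusted", False):
        return "untrusted"
    if expires - now < warn_days * 86400:
        return "expiring"
    return "ok"


def audit_certificates(inventory, now=None):
    """Map each host to its certificate status, keeping only hosts needing attention."""
    return {host: status
            for host, cert in inventory.items()
            if (status := classify_certificate(cert, now)) != "ok"}


class FormCollector(HTMLParser):
    """Collects each form's resolved action URL and whether it carries a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # An empty or missing action submits back to the page itself.
            action = urljoin(self.page_url, attrs.get("action") or "")
            self._current = {"action": action, "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "text").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(page_url, html):
    """Return (action URL, finding) for every form that would submit without TLS."""
    parser = FormCollector(page_url)
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if urlsplit(form["action"]).scheme != "https":
            kind = ("credential form over plaintext" if form["password"]
                    else "input form over plaintext")
            findings.append((form["action"], kind))
    return findings


if __name__ == "__main__":
    for host, status in audit_certificates(SAMPLE_CERTS, AS_OF).items():
        print(f"{host}: certificate {status}")
    for url, html in SAMPLE_PAGES:
        for action, kind in audit_forms(url, html):
            print(f"{url}: {kind} -> {action}")
```

The form check resolves relative actions against the page URL, so a login form on an HTTP page is flagged even when its action is "/login"; the certificate check treats expiry as the more severe state and reports it before the trust result.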
“Gaining visibility over an ever-expanding web presence isn’t a simple task. We have recently seen the consequence of Equifax losing control of its infrastructure and web assets before falling victim to cyber-crime and impacting millions of customers. It is crucial that other organisations don’t follow suit by ensuring their digital attack surface is constantly monitored, kept under control and secure from cyber adversaries on the prowl,” said Fabien Libeau, VP RiskIQ, EMEA.