Top companies are losing control of their digital attack surface
- Published: Tuesday, 17 October 2017 13:09
Unpatched web infrastructure and decentralised web management practices are leaving UK organizations vulnerable to cyber attacks and high-profile data breaches, according to new RiskIQ research. The research reveals a loss of control amongst the FT30 that is expanding their digital attack surface and opening doors to cyber criminals.
The research identifies five key areas in which increasing digital transformation leaves businesses exposed to cyber attack: servers and frameworks; certificates; test sites; data collection; and web management. Cyber criminals are constantly researching organizations’ digital footprints and exploiting known vulnerabilities. Worryingly, RiskIQ discovered 5,127 at-risk servers and 2,045 at-risk frameworks among the UK’s top 30 firms, an average of 171 at-risk servers and 68 at-risk frameworks per organization.
When assessing the public websites of the FT30, a total of 99,467 live websites were discovered, an average of 3,315 websites per business. Such an expansive digital presence is the product of digital transformation efforts, which can often lead to a loss of security control, creating opportunities for cyber adversaries to exploit weaknesses and access critical business and customer information.
Exposure to risk outside the firewall also affects consumer trust and long-term business success. For example, expired or untrusted certificates produce browser warning messages that dent consumer confidence and can lead to disengagement. The research uncovered an average of 35 expired certificates and 250 untrusted certificates per organization.
Risk is also present in how the FT30 collect data. Insecure data collection can lead to the loss or fraudulent use of customer data and damage a business’s reputation and revenue. A total of 13,194 instances of data collection through login or input forms was discovered, of which over a quarter (29 percent) had no encryption, and 5 percent were using old encryption algorithms or expired certificates.
Fabien Libeau, VP EMEA at RiskIQ, says, “Gaining visibility over an ever-expanding web presence isn’t a simple task. We have recently seen the consequence of Equifax losing control of its infrastructure and web assets before falling victim to cyber crime and impacting millions of customers. It is crucial that other organisations don’t follow suit by ensuring their digital attack surface is constantly monitored, kept under control and secure from cyber adversaries on the prowl.”
The full UK FT30 report and findings can be found here.