Today, we are excited to release the second report in our Industry Cyber-Exposure Report (ICER) series, which digs into cyber-exposure among organizations in the U.K.'s FTSE 350. The series focuses on five key areas that we believe CISOs at mega-corporations actually have a shot at accomplishing, and that will have a practical and fairly immediate effect on a given company's internet security posture. Those are:
- Implementing DMARC (Domain-based Message Authentication, Reporting & Conformance), which builds on SPF and DKIM so that receiving mail servers can quarantine or reject messages that spoof your domains, shoring up email security both internally and externally. Note that a DMARC record with a policy of `p=none` only monitors; it does not block anything.
- Enforcing HTTPS (secure HTTP) and HSTS (HTTP Strict Transport Security), which tells browsers to refuse plain-HTTP connections to a site for the duration of its `max-age`, in order to protect their brand reputation and their customers' personal information.
- Keeping the count of distinct versions of major internet-facing software, such as web servers and email servers, happily low, since every extra version is another patch cycle to track and another chance for something to be left behind.
- Shutting off dangerous and inappropriate services that really have no business being exposed on the internet in the first place.
- Kicking off a vulnerability disclosure program (VDP) that helps you learn about the security issues in your products and infrastructure before you run into real problems with malicious attackers.
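The first two items on that list are measurable from the outside, which is exactly what a report like this does at scale. The following is an added example, not code from the ICER report or from Rapid7's tooling: it scores a domain's DMARC TXT record and its HSTS response header the way an external assessment would. The records and headers are constructed inline (for the reserved `example.*` domains) so it runs offline; a live check would fetch the TXT record at `_dmarc.<domain>` and read the `Strict-Transport-Security` header from an HTTPS response. The verdict labels (`monitor`, `partial`, `apex-only`, and so on) are this example's own, not terms from the report.

```python
"""Score DMARC records and HSTS headers as an external assessment would.

Sample records below are constructed for this example; they are not real
DNS data or observed headers.
"""
from typing import Dict, Optional, Tuple

# One year, the conventional minimum for a meaningful HSTS max-age.
ONE_YEAR = 31536000


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC record ('v=DMARC1; p=reject; ...') into lower-cased tags."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> str:
    """Return 'missing', 'invalid', 'monitor', 'partial' or 'enforced'."""
    if record is None:
        return "missing"
    tags = parse_dmarc(record)
    # A real DMARC record must carry v=DMARC1 and a p= policy tag.
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return "invalid"
    policy = tags["p"].lower()
    if policy == "none":
        return "monitor"          # reporting only; spoofed mail is still delivered
    if policy not in ("quarantine", "reject"):
        return "invalid"
    try:
        pct = int(tags.get("pct", "100"))   # pct defaults to 100 when absent
    except ValueError:
        return "invalid"
    if pct < 100:
        return "partial"          # policy applied to a sample of failing mail only
    return "enforced"


def parse_hsts(header: str) -> Dict[str, Optional[str]]:
    """Split 'max-age=31536000; includeSubDomains; preload' into directives."""
    directives: Dict[str, Optional[str]] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            key, value = part.split("=", 1)
            directives[key.strip().lower()] = value.strip().strip('"')
        else:
            directives[part.lower()] = None
    return directives


def assess_hsts(header: Optional[str], min_age: int = ONE_YEAR) -> str:
    """Return 'missing', 'invalid', 'disabled', 'short', 'apex-only' or 'strong'."""
    if header is None:
        return "missing"
    directives = parse_hsts(header)
    if "max-age" not in directives:
        return "invalid"          # max-age is mandatory; browsers ignore the header without it
    try:
        max_age = int(directives["max-age"] or "")
    except ValueError:
        return "invalid"
    if max_age == 0:
        return "disabled"         # max-age=0 tells browsers to forget the policy
    if max_age < min_age:
        return "short"
    if "includesubdomains" not in directives:
        return "apex-only"        # subdomains can still be reached over plain HTTP
    return "strong"


# Constructed sample data keyed by domain (None = nothing published / no header).
SAMPLE_DMARC: Dict[str, Optional[str]] = {
    "example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "example.net": "v=DMARC1; p=none; rua=mailto:dmarc@example.net",
    "example.org": "v=DMARC1; p=quarantine; pct=25",
    "example.edu": None,
}
SAMPLE_HSTS: Dict[str, Optional[str]] = {
    "example.com": "max-age=31536000; includeSubDomains; preload",
    "example.net": "max-age=300",
    "example.org": "max-age=63072000",
    "example.edu": None,
}


def summarise(dmarc: Dict[str, Optional[str]],
              hsts: Dict[str, Optional[str]]) -> Dict[str, Tuple[str, str]]:
    """Pair a DMARC verdict with an HSTS verdict for every domain seen in either map."""
    return {d: (assess_dmarc(dmarc.get(d)), assess_hsts(hsts.get(d)))
            for d in sorted(set(dmarc) | set(hsts))}


if __name__ == "__main__":
    for domain, (dmarc_verdict, hsts_verdict) in summarise(SAMPLE_DMARC, SAMPLE_HSTS).items():
        print(f"{domain:14} DMARC={dmarc_verdict:9} HSTS={hsts_verdict}")
```

Two caveats a practitioner will want when running this against real hosts: browsers only honor `Strict-Transport-Security` on responses received over HTTPS, so a header seen on a plain-HTTP response counts for nothing, and DMARC enforcement is only as good as the SPF and DKIM alignment behind it, which this record-level check does not verify.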
The report itself focuses on how well a specific cohort of companies is doing in these areas. This time, it's the FTSE 350, widely considered the most successful of the large companies headquartered in the United Kingdom. We cut the data by industry, so we can stack up how financials are doing compared to the technology sector, show where manufacturing and healthcare look pretty much the same, and offer plenty of other insights into how the companies and brands that permeate our lives are doing in terms of internet risk and threat exposure.
Our research efforts are powered primarily by Project Sonar and our open source project, Recog, and of course by our stellar research team: Bob Rudis, Curt Barnard, Kwan Lin, Tom Sellers, and me, Tod Beardsley.