Industry Cyber-Exposure Report: FTSE 250+

Following in the footsteps of the Fortune 500 and ASX 200 Industry Cyber-Exposure Reports, Rapid7 researchers have released their latest look into corporate exposure, this time focusing on the UK's FTSE 250. The report shows that even large, mature, and well-resourced organisations are falling short on cybersecurity basics, leaving their internet-facing assets and email domains exposed to attack. We also share key takeaways for organisations looking to shore up the weak areas the report highlights.

To learn more, read the Industry Cyber-Exposure Report: FTSE 250+. And, join our webcast to hear from our researchers what this exposure means and what organisations can do to improve how they approach security. 


Executive Summary

To gauge the cyber-resiliency of FTSE 250+ organisations, we measured:

  • Overall attack surface (the number of exposed servers/devices);
  • Presence of dangerous or insecure services;
  • Phishing defence posture;
  • Weak public service and metadata configurations; and
  • Joint third-party website dependency risks.

It’s vital to have an accurate view of how resilient organisations and industries are against cyber-attacks. Having this information can facilitate more accurate cost models, help target efforts to reduce exposure to the industries that need it most, and enhance cooperative efforts between government and the private sector to better protect both users and companies. Measurement of industry-level exposure can also inform working groups that share cybersecurity information and threat intelligence within their industry.

As with all of our Industry Cyber-Exposure Reports, it is important to consider that if these top-tier organisations are struggling to implement the appropriate cyber-safeguards, exposure is likely to be even worse among smaller organisations with fewer resources to direct toward security.

To learn more about the key findings and analysis, read the Industry Cyber-Exposure Report: FTSE 250+ in its entirety.

Key findings include:

  • On average, FTSE 250+ organisations expose a public attack surface of 35 servers/devices, with many companies exposing over 1,000 systems/devices.
  • Of the appraised FTSE 250+ organisations, 88% have weak or nonexistent anti-phishing defences in the public email configuration of their primary email domains: typically a DMARC record that is absent, or one published with a monitoring-only policy (p=none) that does not instruct receiving mail servers to quarantine or reject spoofed mail. This is the weakest anti-phishing showing of all the Rapid7 Industry Cyber-Exposure Reports to date.
  • Many organisations across industry sectors in the FTSE 250+ signal how many and which cloud service providers they use in their public DNS metadata, with 114 organisations using between two and seven cloud service providers.
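To make the DMARC finding concrete, the following added example (not Rapid7's own tooling or the report's exact scoring criteria) parses a domain's `_dmarc` TXT record and buckets it into missing, invalid, monitor-only, partial, or enforcing. The domain names and records in `SAMPLE_RECORDS` are constructed for illustration and describe no real organisation; in practice the record comes from a TXT lookup of `_dmarc.<domain>`. Treating everything short of full enforcement as "weak or nonexistent" is this example's assumption, not a definition taken from the report.

```python
"""DMARC posture check: classify a domain's _dmarc TXT record.

Added example, not Rapid7's methodology. Domains and records below are
constructed for illustration and do not describe any real organisation.
"""

DMARC_VERSION = "DMARC1"

# Constructed sample records keyed by hypothetical domain.
# None stands for "no TXT record at _dmarc.<domain>".
SAMPLE_RECORDS = {
    "enforcing.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforcing.example",
    "subdomain-gap.example": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@subdomain-gap.example",
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "sampled.example": "v=DMARC1; p=quarantine; pct=10",
    "no-policy.example": "v=DMARC1; rua=mailto:dmarc@no-policy.example",
    "absent.example": None,
}


def parse_dmarc(record):
    """Parse a DMARC TXT record into a {tag: value} dict.

    Returns None when the record is absent or unusable. RFC 7489 requires
    'v=DMARC1' as the first tag and a 'p' (policy) tag; receivers ignore
    records that fail either check, so they provide no defence.
    """
    if record is None:
        return None
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        name, value = part.split("=", 1)
        tags[name.strip()] = value.strip()
    first_tag = record.strip().split(";", 1)[0].replace(" ", "")
    if first_tag != "v=" + DMARC_VERSION or "p" not in tags:
        return None
    return tags


def classify_dmarc(record):
    """Map a record to (posture, reason), from weakest to strongest:

    missing      - no record published
    invalid      - record present but unusable (treated as absent by receivers)
    monitor-only - p=none: reports are requested, spoofed mail is still delivered
    partial      - enforcing policy, but only on a sample (pct<100) or with sp=none
    enforcing    - p=quarantine/reject on 100% of failing mail and on subdomains
    """
    if record is None:
        return ("missing", "no DMARC record published")
    tags = parse_dmarc(record)
    if tags is None:
        return ("invalid", "not a valid DMARC1 record or lacks p=")
    policy = tags["p"].lower()
    if policy == "none":
        return ("monitor-only", "p=none only requests reports; no enforcement")
    if policy not in ("quarantine", "reject"):
        return ("invalid", "unknown p= value %r" % policy)
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return ("invalid", "pct= is not an integer")
    if not 0 <= pct <= 100:
        return ("invalid", "pct= must be 0..100")
    if pct < 100:
        return ("partial", "p=%s applied to only %d%% of failing mail" % (policy, pct))
    # sp= defaults to the organisational policy when absent.
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy == "none":
        return ("partial", "p=%s but sp=none leaves subdomains unenforced" % policy)
    return ("enforcing", "p=%s at pct=100" % policy)


def is_weak_or_missing(record):
    """Assumed 'weak or nonexistent' bucket: anything short of full enforcement."""
    return classify_dmarc(record)[0] != "enforcing"


def summarise(records):
    """Return (weak_or_missing_count, total) for a {domain: record} mapping."""
    weak = sum(1 for r in records.values() if is_weak_or_missing(r))
    return weak, len(records)


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        posture, reason = classify_dmarc(record)
        print("%-24s %-13s %s" % (domain, posture, reason))
    weak, total = summarise(SAMPLE_RECORDS)
    print("weak or missing: %d of %d" % (weak, total))
```

Two caveats a practitioner should keep in mind: a DMARC policy only bites when SPF or DKIM produces an aligned pass for legitimate mail, so moving from p=none to p=reject without first fixing alignment will block real mail; and a record that looks strict but is syntactically broken (for example, tags not separated by ";") is ignored by receivers entirely, which is why the parser treats such records as invalid rather than guessing at the intended policy.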