Industry Cyber-Exposure Report: Fortune 500

What does exposure look like for corporate America?

Following in the footsteps of Rapid7’s long-running National Exposure Index, Rapid7 researchers turned their attention to exposure in corporate America—more specifically, the Fortune 500. Measuring key exposure metrics, we determine in this report the level of exposure represented by this group of organizations in order to help target cyber-risk reduction efforts, improve information-sharing within industry sectors, and build awareness of practices organizations can undertake to avoid future exposure.

The report reveals that cybersecurity basics are being missed or insufficiently deployed even among very large, mature, and well-resourced organizations. Keeping up with the never-ending task of maintaining a comprehensive security program is a challenge for organizations of all sizes—particularly when there is always more to be done amid constrained time and resources. If this challenge cannot comprehensively be met by these very large, high-revenue companies, it is not difficult to imagine how much worse it is for smaller organizations with far fewer resources to apply to security. 

To learn more about the overall exposure of Fortune 500 companies, read the Industry Cyber-Exposure Report: Fortune 500.

Join the Webcast

Register for our on-demand webinar to hear our researchers explain what this exposure means.

Executive Summary

The methodology outlined in this report describes several ways, based on openly available internet connections, to measure the exposure of specific organizations and industry sectors to certain cybersecurity risks. The report covers the following topics:

  • The average attack surface, broken down by industry, presented on the internet by the top companies in America
  • Corporate adoption of Domain-based Message Authentication, Reporting & Conformance (DMARC), a set of inexpensive—but critical—anti-phishing controls
  • Malicious activity emanating from these companies, as measured by connections to Rapid7’s Project Heisenberg
  • Internet exposure of inappropriate and insecure services such as Windows SMB and Telnet as surveyed from Rapid7’s Project Sonar

To learn more about the key findings and analysis, read the Industry Cyber-Exposure Report in its entirety, and register for our webcast to hear directly from the researchers.

  • Fortune 500-member organizations expose an average of 500 servers/devices, with many companies exposing 2,500 or more.
  • Of the appraised Fortune 500 organizations, 330 have weak or nonexistent anti-phishing defenses (i.e., DMARC) in the public email configuration of their primary email domains.
  • Despite inherent weaknesses in Windows file-sharing and legacy Telnet servers, and known daily exploitation attempts against these vulnerable services, the average Fortune 500 organization exposes 5–10 of these services.
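As an added illustration of the DMARC finding above, here is a small Python classifier that grades a domain's published DMARC record as nonexistent, weak, moderate or strong. This is example code written for this page, not Rapid7's measurement code, and the four labels are an assumed grading for illustration (the report's own criteria are not stated here). The sample records are constructed and the domains are placeholders, so the script runs offline; a real check would fetch the TXT record at `_dmarc.<domain>` first.

```python
"""Classify DMARC policy strength from a domain's _dmarc TXT record.

Added example, not code from the Rapid7 report. DMARC (RFC 7489) policies are
published as a TXT record at _dmarc.<domain>; the p= tag tells receivers what
to do with mail that fails SPF/DKIM alignment. The labels "nonexistent",
"weak", "moderate" and "strong" are an assumed grading used for illustration.
"""


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record ("v=DMARC1; p=reject; rua=mailto:...") into tags.

    Tag names are case-insensitive. A piece without '=' raises ValueError so
    the caller can treat the whole record as unusable.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def classify_dmarc(record):
    """Return (label, reason) for one _dmarc TXT record string, or None if absent.

    Follows RFC 7489 section 6.6.3 for records with no valid p= tag: if a
    rua= reporting address is present the record is treated as p=none,
    otherwise receivers apply no DMARC processing at all.
    """
    if record is None:
        return "nonexistent", "no _dmarc TXT record published"
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return "nonexistent", f"unparseable record ({exc})"
    if tags.get("v", "").upper() != "DMARC1":
        return "nonexistent", "TXT record does not start with v=DMARC1"

    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        if tags.get("rua"):
            policy = "none"  # RFC 7489 6.6.3: a valid rua= means receivers act as if p=none
        else:
            return "nonexistent", "no valid p= tag and no rua=; receivers ignore the record"

    # pct= defaults to 100; anything lower lets a share of failing mail through untouched.
    try:
        pct = int(tags.get("pct", "100"))
        if not 0 <= pct <= 100:
            raise ValueError
    except ValueError:
        return "nonexistent", "invalid pct= value; treated here as a malformed record"

    if policy == "none":
        return "weak", "p=none only requests reports; spoofed mail is still delivered"
    if pct < 100:
        return "weak", f"p={policy} is applied to only {pct}% of failing mail"
    # sp= governs subdomains and defaults to p=; an explicit sp=none leaves them exposed.
    if tags.get("sp", policy).lower() == "none":
        return "weak", f"p={policy} but sp=none leaves subdomains unprotected"
    if policy == "quarantine":
        return "moderate", "p=quarantine routes failing mail to spam rather than rejecting it"
    return "strong", "p=reject blocks mail that fails DMARC alignment"


# Constructed sample records (placeholder domains, not real lookups) covering each branch.
SAMPLE_RECORDS = {
    "no-record.example": None,
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example": "v=DMARC1; p=reject; pct=25; rua=mailto:dmarc@partial.example",
    "subdomain-gap.example": "v=DMARC1; p=reject; sp=none",
    "quarantine.example": "v=DMARC1; p=quarantine; rua=mailto:dmarc@quarantine.example",
    "reject.example": "v=DMARC1; p=reject; rua=mailto:dmarc@reject.example",
    "no-p-with-rua.example": "v=DMARC1; rua=mailto:dmarc@no-p-with-rua.example",
    "no-p-no-rua.example": "v=DMARC1; adkim=s",
    "not-dmarc.example": "v=spf1 -all",
}


def summarize(records):
    """Count how many domains fall under each label across a set of records."""
    counts = {}
    for rec in records.values():
        label, _ = classify_dmarc(rec)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        label, reason = classify_dmarc(rec)
        print(f"{domain:24} {label:12} {reason}")
    print(summarize(SAMPLE_RECORDS))
```

The interesting branches are the ones a naive "is there a record?" check misses: a record with `p=none`, a `pct=` below 100, or `sp=none` all publish DMARC yet still let spoofed mail through, which is why "weak or nonexistent" is the meaningful bucket rather than "absent".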