The report entitled National Industry Cloud Exposure Report (NICER) uncovers a particularly high level of known vulnerabilities in the financial services and telecommunications industry, with each industry having 10,000 high-rated common vulnerabilities and exposures (CVEs) across their public-facing assets.
The report predicts that despite the vast collective reservoirs of wealth and expertise within these companies, this level of vulnerability exposure is unlikely to get better in a time of global recession.
In addition to the FTSE 250, Rapid7’s report looked at the Fortune 500, Deutsche Börse Prime Standard 320, ASX 200 and Nikkei 225, and revealed that 611 companies within these are hosting a high number of unpatched services with known vulnerabilities. This includes 11,630 vulnerabilities within 107 large technology companies alone.
Moreover, patch and update adoption continues to be slow, especially in remote console access where, for example, 3.6 million secure shell (SSH) servers are sporting versions between five and 14 years old. To make matters worse, unencrypted, cleartext protocols are still heavily used with 42% more plaintext HTTP servers than HTTPS, 3 million databases awaiting insecure queries, and 2.9 million routers, switches, and servers accepting Telnet connections.
In a time of global pandemic and recession, this Rapid7 report offers a data-backed analysis of the changing internet risk landscape, measuring the prevalence and geographic distribution of commonly known exposures in the interconnected technologies that shape our world.
Tod Beardsley, research director at Rapid7 said: “FTSE 250 companies may be the leading organisations in the UK size-wise, but they’re also some of the biggest targets to cyber attackers. One of the findings that surprised me is the prevalence of un-securable SMB servers that exist within these organisations, showing that UK organisations have not yet learned the lessons of WannaCry, which cost the NHS more than £92 million a couple of years ago.
“My advice to IT teams within FTSE 250 organisations is to bake in regular patching windows and decommissioning schedules to their internet-facing infrastructure.