Digital hygiene in enterprises

ThingsRecon's study reveals alarming levels of digital hygiene issues, urging enterprises to prioritise their cybersecurity practices.

ThingsRecon, a leader in external attack surface discovery and supply chain intelligence, has recently published the findings from its first industry-wide study. The research investigated the state of digital hygiene across enterprises, analysing over 770,000 digital assets encompassing applications, domains, IPs, scripts, and certificates from various organisations.

The results were startling, uncovering more than 800,000 high-severity hygiene issues. With more issues than assets, the study highlights that, on average, every digital asset is burdened by at least one serious weakness. Such alarming figures raise serious concerns regarding enterprise-level cybersecurity practices.

Key findings of the study:

  • Every examined application revealed over one issue on average, indicating a 110% issue density.
  • Nearly two-thirds of domains demonstrated multiple weaknesses with a 165% issue density.
  • One-third of certificates were misconfigured, posing significant risks.

Specific cases within organisations brought further clarity to the gravity of the situation. In one scenario, an organisation operating 2,700 applications had 21 exposing unencrypted login forms, leaving credentials vulnerable to interception. Elsewhere, 1,100 dangling DNS records were discovered amongst 6,000 applications, with almost one in five apps carrying an exploitable misconfiguration.

Chief Product Officer and Co-Founder of ThingsRecon, Stephane Konarkowski, remarked that "These results show that cyber hygiene failures are systemic, not isolated". Problems identified, such as unencrypted logins and dangling DNS records, show how attackers can exploit fundamental mistakes rather than relying on sophisticated methods.

Overall, the study focused only on high-severity hygiene issues affecting applications, domains, and certificates. Medium- and low-level concerns, APIs, software, third-party components, public IP infrastructure, and traditional software vulnerabilities were not included. This caveat suggests that the actual scale of weaknesses is far greater than the alarming 800,000 reported.

As Stephane further confirmed, "Our findings highlight that enterprises urgently need continuous, external visibility of their digital surfaces. Even the world's largest organisations are overlooking fundamentals that create real-world risk."
