Today, Rapid7 released our third Industry Cyber-Exposure Report (ICER) examining the overall exposure of the companies listed in the FTSE 250 index. The FTSE 250 is a capitalisation-weighted index of organisations listed on the London Stock Exchange maintained by the FTSE Group. The index is based on the 101st to the 350th largest companies, which account for nearly 12% of the UK GDP (as of April 2019), with aggregate employment reaching over 10 million individuals globally. Furthermore, over 50% of these organisations are incorporated in the UK, enabling the creation of a UK-centric view of exposure.
The report reveals that even among very large, mature, and well-resourced organisations, we see evidence of cybersecurity basics being missed or deployed insufficiently. This hints at the complexity and breadth required for a comprehensive security program, which is a never-ending challenge in which there is always more that can be done, constrained by limited resources and time, regardless of the size of the organisation. If this challenge cannot be comprehensively met by these very large, high-revenue organisations, just imagine how much worse it is for smaller organisations with far fewer resources to apply to security.
Sure, you might think smaller organisations are less likely to be targeted by attackers, but that’s probably not significantly the case. For one thing, everyone is a target for so-called untargeted “drive-by” attacks or internet-wide malware infections, such as NotPetya, now officially deemed the most costly cyberattack of all time.
In addition, many small- to medium-size businesses represent a very tasty target for attackers due to their intellectual property (for example, startups with cool new technology or techniques), relationship with their customers (for example, the HVAC vendor that had access to Target’s corporate network), or involvement in processing sensitive or financial data (for example, the many law firms that handle complex mergers and acquisitions between much larger companies).