Industry Cyber-Exposure Report


The report has uncovered that even the most mature and well-resourced ASX 200 organisations have trouble sufficiently deploying cybersecurity basics. It found, on average, ASX 200 organisations expose a public attack surface of 29 servers or devices, with many companies exposing 200 or more. The report also revealed that 67 percent of ASX 200 organisations have weak or non-existent anti-phishing email defences.


In the face of growing cybersecurity threats, it is increasingly important to measure the cost and concentration of “exposure,” which we define here as weaknesses in the public-facing configuration of internet-connected services. Having an accurate view of the resilience of organisations and industries against cyber-attacks can facilitate more accurate cost models, help target efforts to reduce exposure to the industries that need it most, and enhance cooperative efforts between government and the private sector to better protect users and companies alike. Measurement of industry-level exposure can also inform industry-specific working groups that share cybersecurity information and threat intelligence, such as Information Sharing and Analysis Centres.

To understand current levels of exposure and resiliency in Australasia,1 Rapid7 Labs measured the internet-facing security profiles of the S&P/ASX 2002 (ASX200) during Q4 2018 for:

  • Overall attack surface (the number of exposed servers/devices);
  • Presence of dangerous or insecure services;
  • Phishing defence posture;
  • Weak public service and metadata configurations; and
  • Joint third-party website dependency risks.
Scroll to Top