cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Rapid7 declares ASX 200 security posture as ‘respectable’

The largest companies in Australia have standard of security that is comparable to its global counterparts, according to a new report that has declared ASX 200 company security standards as “respectable”.

user icon Daniel Croft
Tue, 06 Dec 2022
Rapid7 declares ASX 200 security posture as ‘respectable’
expand image

Analysing the security posture of the ASX 200, cyber security company Rapid7 published the ASX 200 Attack Surface Report. The result is that the security standards of ASX 200 companies are “on par with global counterparts in the FTSE 350 and the Fortune 500”, says the report’s author and Rapid7 principal researcher Erick Galinkin.

“Whilst there’s still definite room for improvement, the overall security posture of ASX 200 companies have measurably improved since our Industry Cyber-Exposure Report on the ASX 200 in 2021.”

The new report, which is based on data from October 2022, follows up on Rapid7’s 2021 report, showing that significant improvement has been made over the last year.


Four factors were surveyed to outline the sophistication of ASX 200 companies when it came to cyber security:

  • Internet-facing attack surface – vulnerability based on port counts and high-risk port counts.
  • Web server type and version complexity – a greater number of software types and differing versions across servers provide an indication that a business may not be on top of complexity and patching.
  • Microsoft Exchange patching – due to popularity, provides an indication of overall vulnerability management.
  • Email and domain safety – email-based attacks such as phishing can be mitigated using domain-based message authentication, reporting and conformance (DMARC) and domain name service security extensions (DNSSEC).

Ports are an area of concern, where open ports can provide bad actors an access point to sensitive data through malware, security vulnerabilities and social engineering. Rapid7 records in two ways — exposed ports which just counts the total number of exposed ports, and high-risk exposed ports.

“We define high risk as the ports commonly associated with FTP, SSH, Telnet, SMB, and RDP. The RDP and SSH are high risk, with automated attacks targeting these ports a common tactic by bad actors,” adds Galinkin.

“Although financial services, healthcare, and information technology have a substantial number of ports exposed overall, their relative exposure of risky ports is actually very low. By contrast, industrials leap out with an average of 33 exposed high-risk ports per company.”

A lack of patching server vulnerabilities is also a major concern, leaving businesses exposed to hackers to take advantage of older, impacted servers.

“We examined the deployment of supported versions and found that ASX 200 companies favor Apache and Nginx for web servers over IIS, and do so in approximately equal numbers. But in a more worrisome metric, Nginx beats Apache in the number of unsupported versions deployed on the internet,” adds Galinkin.

Email safety has seen considerable growth, with a large number of businesses having implemented an error-free DMARC policy. DNSSEC adoption is still slow, with only nine of the ASX 200 having implemented it, however in 2020, that number was zero.

Daniel Croft

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.

cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.