Internet Risk Surface Report

Partner: RiskRecon by Mastercard

Digital Transformation has fundamentally changed organizational dependence upon the internet and interconnected 3rd/4th parties. This report maps and measures the resulting “internet risk surface”—anywhere a firm’s assets, data, or regulatory obligations are observable from the web. By analyzing a dataset spanning thousands of firms, we reveal that an organization’s true attack surface is much larger and more complex than most suspect.

A primary takeaway is the extreme degree of trust placed in external providers. 84% of firms host critical or sensitive assets with 3rd parties, and 61% of all high-value assets now reside on external infrastructure. The report quantifies the resulting “transferred risk”: organizations are three times as likely to have high-value assets with severe findings off-prem as they are on-prem.

Variation remains the defining trait of the risk surface. While some organizations keep severe findings to a small fraction of their hosts through disciplined management, others have more than 50% of their hosts carrying vulnerabilities. This study provides a framework for risk professionals to move past firmographics toward a single, holistic view of their hosts, providers, and exposures across the global internet.

Key Findings

  • External Host Dominance: 65% of all internet-facing assets sit on infrastructure owned by an external entity, rather than the firm itself.
  • 3X Off-Prem Risk: Organizations are three times as likely to harbor severe findings in high-value assets when they are hosted externally vs. on premises.
  • High-Value Exposure: 61% of all assets categorized as high-value (collecting sensitive data/authenticating users) are hosted on 3rd party networks.
  • Geographic Spread: 57% of organizations have hosts located in multiple countries, and 6% span 10 or more countries.
  • 1% Exposure Baseline: Typical organizations exhibit high or critical security findings in only 1% of their internet-facing hosts.
  • Sector Outliers: The Public, Education, and Healthcare sectors show the highest average prevalence of severe findings, while Finance remains the lowest.
  • SMB Size Penalty: Smaller firms show roughly twice the rate of security findings of larger firms, and far wider variation in performance from one firm to the next.
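The figures above are computed over an external host inventory by splitting hosts into on-prem (the firm's own netblocks) and off-prem (a provider's), tagging which hosts are high-value, and comparing severe-finding rates across the two groups. The script below computes the same set of metrics for a single firm. It is an added example, not code from the report or from RiskRecon: the host records, provider names, countries and severity labels are constructed, and the `owner` field is assumed to have been filled in upstream from whether the hosting IP falls in the firm's own ranges or a provider's.

```python
"""Compute internet-risk-surface metrics for one firm from a host inventory.

Added example (not from the report or RiskRecon). INVENTORY is constructed;
in practice it would come from your external asset discovery tooling, with
`owner` derived from the netblock/ASN hosting each IP ("self" for your own
ranges, otherwise the provider name).
"""
from collections import Counter
from dataclasses import dataclass

SEVERE = {"high", "critical"}


@dataclass(frozen=True)
class Host:
    name: str
    owner: str          # "self" = on the firm's own ranges, else provider name
    country: str        # country code of the hosting IP
    high_value: bool    # collects sensitive data or authenticates users
    worst_finding: str  # none / low / medium / high / critical


# Constructed sample inventory (hypothetical hostnames and providers).
INVENTORY = [
    Host("www.example.com",     "self",    "US", True,  "low"),
    Host("vpn.example.com",     "self",    "US", True,  "medium"),
    Host("mail.example.com",    "self",    "US", False, "none"),
    Host("intranet.example.com","self",    "US", True,  "none"),
    Host("login.example.com",   "cloud-a", "US", True,  "critical"),
    Host("api.example.com",     "cloud-a", "DE", True,  "high"),
    Host("shop.example.com",    "saas-b",  "IE", True,  "none"),
    Host("cdn.example.com",     "cdn-c",   "NL", False, "low"),
    Host("blog.example.com",    "saas-b",  "US", False, "none"),
    Host("status.example.com",  "saas-d",  "US", False, "none"),
    Host("hr.example.com",      "saas-b",  "IE", True,  "none"),
    Host("legacy.example.com",  "self",    "US", True,  "high"),
]


def _share(part, whole):
    """Fraction part/whole, defined as 0.0 when the denominator is empty."""
    return part / whole if whole else 0.0


def _severe(hosts):
    return [h for h in hosts if h.worst_finding in SEVERE]


def risk_surface_metrics(hosts):
    """Return the report's headline metrics for one firm's inventory."""
    total = len(hosts)
    external = [h for h in hosts if h.owner != "self"]
    on_prem = [h for h in hosts if h.owner == "self"]
    hv_ext = [h for h in external if h.high_value]
    hv_on = [h for h in on_prem if h.high_value]

    # Severe-finding rate among high-value hosts, off-prem vs on-prem.
    rate_off = _share(len(_severe(hv_ext)), len(hv_ext))
    rate_on = _share(len(_severe(hv_on)), len(hv_on))
    # Ratio is undefined when there are no severe on-prem findings to divide by.
    ratio = rate_off / rate_on if rate_on else None

    return {
        "external_share": _share(len(external), total),
        "high_value_external_share": _share(len(hv_ext), len(hv_ext) + len(hv_on)),
        "severe_rate_high_value_off_prem": rate_off,
        "severe_rate_high_value_on_prem": rate_on,
        "off_prem_to_on_prem_severe_ratio": ratio,
        "severe_host_share": _share(len(_severe(hosts)), total),
        "countries": len({h.country for h in hosts}),
        # Which 3rd parties carry your hosts, and how many each: the start of
        # a 3rd/4th-party concentration view.
        "providers": Counter(h.owner for h in external),
    }


if __name__ == "__main__":
    for key, value in risk_surface_metrics(INVENTORY).items():
        print(f"{key:36s} {value}")
```

The on-prem/off-prem split is the step that matters most and the one this example leaves to upstream tooling: mis-attributing a provider's netblock as your own (or vice versa) silently moves hosts between the two groups and distorts the ratio. Keep the ownership mapping as an explicit, reviewable table rather than inferring it from hostnames.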

Independent data science analysis of over five million internet-facing hosts and 32 million security findings from 18,000 unique organizations.