Navigating the Internet Risk Surface
Partner: RiskRecon by Mastercard
Choosing a partner is a critical business decision, but how much does that choice actually impact your risk of exposure? This Internet Risk Surface Report analyzes hundreds of thousands of organizations to distinguish “top performers” (those with superior security hygiene) from those at the “bottom”. By mapping these outcomes to key performance indicators, the research identifies which technical choices actually move the needle on security posture.
The results are staggering: choosing a partner with a poor security posture can mean your organization is 360 times more likely to be exposed to high-risk findings. Demographic factors like industry or size are surprisingly poor indicators of risk, as the best-performing schools in education often have stronger security than the worst-performing banks in finance. The report also shows that a “cloud-first” approach is the ultimate risk mitigator, increasing the probability of being a top performer by 85%.
The analysis also reveals that technical mix is more important than technical scale. Top performers effectively manage ubiquitous platforms like OpenSSL and CMS, while bottom performers are consistently plagued by application server patching and web authentication issues. This study serves as a guide for third-party risk professionals to look beyond brochures and into the measurable realities of their vendors’ digital footprints.
Key Findings
- The 360X Exposure Risk: Bottom-performing organizations typically exhibit 360 times more high-value security findings on high-value hosts than their top-tier counterparts.
- Cloud-First Performance Boost: Organizations that adopt a cloud-first strategy with a single provider are 85% more likely to be ranked as top-performing partners.
- Industry Assumption Fallacy: There is far more security variation within industries than between them; the best education sector firms outperform the worst financial sector firms.
- Tech Footprint Neutrality: Top- and bottom-performing organizations have nearly identical distributions of active host counts, proving that scale is not a predictor of security posture.
- Problematic Tech Density: High-risk findings related to the Apache platform are 60.5 times more frequent in bottom-performing organizations than in top ones.
- CMS Patching Burden: Web CMS authentication and application server patching represent the most common and persistent security issues for the entire bottom-performer category.

Collaborative analysis by Cyentia and RiskRecon using sanitized data on hundreds of thousands of organizations and nearly a hundred million security findings.