Years of investment in cyber security have given Australia’s largest companies a “respectable” security posture that is on par with global counterparts, a team of security researchers has concluded, after extensively probing the ASX 200 companies for soft spots.

Australian financial services, IT, industrial and ‘staples’ companies have the highest average number of exposed Internet ports per company, according to Rapid7’s ASX 200 Attack Surface report, which is based on data collected in October 2022.

Exposed ports give attackers somewhere to start probing a target network for weaknesses. Many of the ports found in the survey belong to common services such as SMB, and the report rates most of them as relatively low risk overall.

Industrial firms, by contrast, had by far the most exposed high-risk ports of any industry: an average of 33 exposed SSH and RDP ports per company. Both services provide remote access, and both are routinely targeted by cyber criminals using automated tools.

The average industrial company has five exposed RDP servers, the firm found, each of which is a potential path for cyber criminals to gain remote access to key services and move on into sensitive systems and networks.

Given ongoing efforts to bolster the security of critical infrastructure – and concerns that cyber weaknesses could have devastating consequences – overall improvements in the cyber posture of Australia’s 200 largest companies gave researchers cause for cautious optimism.

“Whilst there’s still definite room for improvement, the overall security posture of ASX 200 companies has measurably improved” since a similar study last year, Rapid7 principal researcher and report author Erick Galinkin said.

This included a “meaningful shift” in email safety over the past two years, with many companies finally implementing Domain-based Message Authentication, Reporting, and Conformance (DMARC). The anti-spoofing standard lets a receiving mail server check that a message claiming to come from a company’s own domain is authorised by that domain, and reject or quarantine it if not, which blunts phishing emails that forge the company’s own addresses. It does not stop phishing sent from lookalike domains, which the company does not control.

Fully 77 per cent of ASX 200 companies “now have at least a valid, error-free DMARC policy”, the report noted, up from 64.4 per cent last year. A valid policy can still be p=none, which only asks receivers to report failures without blocking anything, so publishing a valid record is not the same as enforcing it.
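One way to check what “a valid, error-free DMARC policy” actually means in practice, as an added example rather than code from Rapid7 or the report: the Python below parses _dmarc TXT records against the structural rules of RFC 7489 (v=DMARC1 first, a mandatory p= tag with a recognised value, a sane pct=) and grades each domain as invalid, monitoring (p=none), partial (sp=none or pct below 100) or enforcing. The domain names and records are constructed for illustration and belong to no real organisation.

```python
"""Parse and grade DMARC records the way an attack-surface survey might.

Added example for this article; not code from Rapid7 or its report.
All sample domains and records below are constructed for illustration.
"""
import re

# Constructed _dmarc TXT records; None means no record is published.
SAMPLE_RECORDS = {
    "reject.example": "v=DMARC1; p=reject; rua=mailto:dmarc@reject.example; adkim=s; aspf=s",
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "subdomain.example": "v=DMARC1; p=reject; sp=none",
    "broken.example": "v=DMARC1; p=quarantine pct=50",  # ';' missing between tags
    "nopolicy.example": "v=DMARC1; rua=mailto:reports@nopolicy.example",  # no p= tag
    "missing.example": None,
}

TAG_RE = re.compile(r"^([A-Za-z]+)=(\S+)$")
VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record):
    """Split a DMARC TXT record into tags; raise ValueError if it is not valid.

    Checks follow RFC 7489: 'v=DMARC1' must be the first tag, 'p' is mandatory
    and must be none/quarantine/reject, 'sp' (if present) likewise, and 'pct'
    (if present) must be an integer 0-100. Whitespace around '=' is not handled.
    """
    if record is None:
        raise ValueError("no DMARC record published")
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        m = TAG_RE.match(part)
        if not m:
            raise ValueError(f"malformed tag {part!r}")
        tag, value = m.groups()
        tag = tag.lower()
        if tag in ("p", "sp"):
            value = value.lower()
        if tag in tags:
            raise ValueError(f"duplicate tag {tag!r}")
        if not tags and (tag, value) != ("v", "DMARC1"):
            raise ValueError("record must start with v=DMARC1")
        tags[tag] = value
    if "p" not in tags:
        raise ValueError("required p= tag missing")
    for tag in ("p", "sp"):
        if tag in tags and tags[tag] not in VALID_POLICIES:
            raise ValueError(f"invalid {tag}={tags[tag]!r}")
    if "pct" in tags:
        if not tags["pct"].isdigit() or not 0 <= int(tags["pct"]) <= 100:
            raise ValueError(f"invalid pct={tags['pct']!r}")
    return tags


def grade_dmarc(record):
    """Return (grade, reason); grade is invalid, monitoring, partial or enforcing."""
    try:
        tags = parse_dmarc(record)
    except ValueError as err:
        return "invalid", str(err)
    policy = tags["p"]
    sub_policy = tags.get("sp", policy)  # sp defaults to p when absent
    pct = int(tags.get("pct", "100"))
    if policy == "none":
        return "monitoring", "p=none only requests reports; spoofed mail is still delivered"
    if sub_policy == "none":
        return "partial", f"p={policy} but sp=none leaves subdomains spoofable"
    if pct < 100:
        return "partial", f"pct={pct}: only {pct}% of failing mail gets p={policy}"
    return "enforcing", f"p={policy}, sp={sub_policy}"


def summarise(records):
    """Count domains per grade, as a survey across many companies would report."""
    counts = {"invalid": 0, "monitoring": 0, "partial": 0, "enforcing": 0}
    for record in records.values():
        counts[grade_dmarc(record)[0]] += 1
    return counts


def valid_share(records):
    """Fraction of domains with a valid, error-free record, whatever its policy."""
    valid = sum(1 for r in records.values() if grade_dmarc(r)[0] != "invalid")
    return valid / len(records)


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        grade, reason = grade_dmarc(record)
        print(f"{domain:20} {grade:10} {reason}")
    print(summarise(SAMPLE_RECORDS), f"valid: {valid_share(SAMPLE_RECORDS):.0%}")
```

Against the constructed set, half the domains have a valid record but only one actually enforces, which is the distinction the headline 77 per cent figure does not make. For a real domain, fetch the record with `dig +short TXT _dmarc.<domain>` and pass the returned string to grade_dmarc.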

Another domain-safety measure the report tracked, Domain Name System Security Extensions (DNSSEC), which lets resolvers verify that DNS answers for a domain have not been tampered with, has been implemented at only nine of the ASX 200 companies. Since no company had implemented DNSSEC last year, the report noted, even that low number is “an improvement worth acknowledging”.

Despite the overall improvement, gaping holes persist. Many companies, for example, are failing to keep up with patches for core services like Microsoft Exchange, which Microsoft updates frequently and which nation-state groups and ransomware gangs regularly compromise through “high impact remote vulnerabilities”.

Of the 42 ASX 200 companies running Microsoft Exchange on their own servers, Rapid7 found, just four had applied the most recent patches. The other 38 remain exposed to vulnerabilities for which Microsoft has already shipped fixes, despite exhortations from the Australian Cyber Security Centre (ACSC) to patch more promptly.

One company’s unpatched Exchange server was still vulnerable to the severe ProxyShell exploit chain, the team found; it said it had contacted the company “since they are likely to have been exploited”.

A barometer of Australia’s cyber security maturity

Monitoring the relative maturity of ASX 200 companies in four key areas – the internet-facing attack surface, web server type and version complexity, Microsoft Exchange patching, and email and domain safety – “surveys factors that provide a clear picture of what an ‘average’ ASX 200 company looks like from the internet,” the report notes.

Tracking the effectiveness of large companies’ security investments will be particularly important in 2023, when cyber criminal ‘scumbags’ – emboldened by the massive hacks of Medibank, Optus, and other companies – are expected to continue their relentless and increasingly automated probing of Australian businesses and databases.

Yet while there is room for improvement, Australia’s largest companies aren’t necessarily sitting ducks: similar probing of the UK’s FTSE 350 and the United States’ Fortune 500 companies, the researchers noted, confirmed that “the attack surface of ASX 200 companies in general is on-par with their counterparts” overseas.

That corroborates a recent Comparitech analysis that ranked Australia the 20th most cyber-secure country in the world overall. It is also a small vote of confidence in the technical teams working to follow best practice inside companies whose executives face potential regulatory and pay intervention for being among the world’s least cyber-minded.