The most profitable companies in the US and European Union (EU) are failing on many cybersecurity measures, putting employees and clients at risk, according to a Wednesday report from High-Tech Bridge.

The report examined the 1,000 largest global companies per the Financial Times (FT)–the FT US 500 and the FT Europe 500–and performed a large-scale discovery and non-intrusive assessment of their external web and mobile applications, SSL certificates, web software, and unprotected cloud storage.

Some 62% of US companies and 78% of EU companies had access to at least one website being sold on the dark web, the report found. These ranged from lists of remote S/FTP access, to RCE and SQL injection vulnerabilities compilations, to login and password pairs being sold among dumps of many other compromised websites.

SEE: Intrusion detection policy (Tech Pro Research)

Shadow, legacy, and abandoned IT remains a crucial issue for major enterprises, the report found: About 80% of the discovered applications in these organizations were unknown to cybersecurity teams.

The 500 US companies had a total of 293,512 external systems that were accessible from the internet–42,549 of which had a live web application, according to the report. This means each US company has an average of 85 applications that can be easily discovered externally and are not protected by two-factor authentication or other security controls.

Nearly half of US companies (45%) have invalid SSL certificates because of untrusted Certification Authority (CA), expiration, or issuance for a different domain name, the report found.

Among discovered web applications, more than 98% of those from US companies had no Web Application Firewall (WAF) filtering enabled, or have it in an overly permissive mode, the report found. Another 27% of US companies have at least one external cloud storage accessible without any authentication from the internet.

GDPR compliance also remains a problem, as 16% of US companies have at least two web applications that allow entry of Personally Identifiable Information (PII) and run either a vulnerable version of SSL/TLS, and/or outdated and vulnerable CMS or other web software, the report found.

“The research has clearly demonstrated that abandoned and unmaintained applications are a plague of today,” Ilia Kolochenko, CEO and founder of High-Tech Bridge, said in the report. “Large organizations have so many intertwined websites, web services and mobile apps that they often forget about a considerable part of them. Legacy applications, personnel turnover, lack of resources, outsourcing and offshoring exacerbate the situation. On the other side, cybercriminals are well organized and very proactive. As soon as a new vulnerability is discovered in a popular CMS – they instantly start its exploitation in the wild, leaving cybersecurity teams virtually with no chance.”

High-Tech Bridge recommends the following five steps to protect your company: Application discovery and inventory, application risk assessment, application risk mitigation planning, application security testing, and vulnerability remediation.

The big takeaways for tech leaders:

  • 62% of US FT 500 companies and 78% of EU FT 500 companies had access to at least one website being sold on the dark web. — High-Tech Bridge, 2018
  • About 80% of the discovered applications in FT 500 organizations were unknown to cybersecurity teams. — High-Tech Bridge, 2018