Industry-First Research From Tenable Calculates External Attack Surface of U.K.'s Largest Organisations

November 24, 2022

London, UK

Study finds 100% of organisations still rely on a legacy security protocol dating back to 1999

A new study conducted by Tenable®, Inc., the Exposure Management company, has illuminated for the first time ever the immense challenge organisations face identifying and protecting their internet-facing assets. An inventory of the external attack surface of 22 of the U.K.’s largest organisations¹ [as listed by the FTSE top 50] was examined on Friday, October 29, 2022. The results show how complex, geographically dispersed, and hybrid these environments have become, and illustrate the sheer scale of the cybersecurity architecture that needs to be secured.

The study revealed that, of the companies examined, most have a sprawling expanse of internet-facing assets², with an average of 76,600 to identify and protect. One organisation alone has over 500,000 such assets. One striking observation is that 100% of organisations had web-based assets that still support TLS 1.0 [a security protocol first defined in 1999 for establishing encrypted channels over computer networks], which was disabled by Microsoft in September [2022]. Over half (12 companies) had instances of SSL 2.0, the predecessor to TLS. In addition to the risk of adversaries eavesdropping on sensitive internet traffic, this is just one example demonstrating how challenging it has become for organisations with large internet footprints to identify and update outdated technology.

Key Findings:

  • Total Internet-facing Assets: Average 76,600 / Median 50,024
  • Assets Supporting TLS 1.0: Average 3,892 / Median 1,259
  • Assets Supporting TLS 1.1: Average 3,965 / Median 1,321
  • Assets Supporting SSLv2: Average 2 / Median 55
  • Assets Supporting SSLv3: Average 0 / Median 25
  • Number of Countries: Average 51 / Median 45
  • Assets Hosted in the Cloud (Amazon, Microsoft, Google): Average 23% / Median 20%
  • Cloud-Asset Marketshare by Vendor: Amazon (Average 80% / Median 82%), Microsoft (Average 10% / Median 6%), Google (Average 10% / Median 9%)
  • Assets Located or Delivered through the U.K.: Average 11% / Median 5%
  • Assets Located or Delivered through the U.S.: Average 61% / Median 64%

The vast array of internet-facing assets is supported by a complex cloud infrastructure built upon public services, further complicating each organisation’s attack surface² and making it more difficult to identify, monitor and protect. Amongst the multinational organisations studied, Tenable found that an average of 23% of their infrastructure is public cloud³ based. Of that 23%, Amazon Web Services claims the lion’s share, accounting for an average of 80% of assets hosted in the cloud, with Microsoft and Google sharing the remainder. This leaves organisations reliant on a third party to apply the same stringent controls to protect their data and systems.

Looking at the geographical dispersal of these organisations, the study identified that, on average, their assets are located in or delivered from 51 different countries. In fact, only 11% of assets are located in or delivered through the UK, with 61% through the US. This has implications from a data protection perspective. GDPR, for example, governs any data on EU citizens, even if it travels outside the European Union.

“The infrastructure that underpins organisations today is only vaguely recognisable from three years ago, especially pre-COVID. Internet-facing assets are not just commonplace, but essential for organisations in the modern business world,” said Jeremiah Grossman, Security Strategist, Tenable. “The flipside of this is that any one of these assets is a potential entry point for an adversary into the organisation. Threat actors are probing these openings, looking for any single one that is left insecure so they climb through. As defenders, security professionals need to know what assets they’re protecting in order to secure themselves.”

For further information visit www.tenable.com.

About Tenable:

Tenable® is the Exposure Management company. Approximately 40,000 organizations around the globe rely on Tenable to understand and reduce cyber risk. As the creator of Nessus®, Tenable extended its expertise in vulnerabilities to deliver the world’s first platform to see and secure any digital asset on any computing platform. Tenable customers include approximately 60 percent of the Fortune 500, approximately 40 percent of the Global 2000, and large government agencies. Learn more at tenable.com.

Notes to Editors:

  1. Tenable examined 22 companies, chosen at random from the FTSE Top 50*
  2. In the context of this alert:
     • An asset is a domain name, subdomain, or IP address, and/or a combination thereof, of a device connected to the Internet or an internal network. An asset may include, but is not limited to, web servers, name servers, IoT devices, network printers, etc. Example: foo.tld, bar.foo.tld, x.x.x.xs.
     • The Attack Surface is, from the network perspective of an adversary, the complete asset inventory of an organisation, including all actively listening services (open ports) on each asset.
  3. When calculating public cloud deployment, the study examined Amazon Web Services, Google Cloud Platform and Microsoft Azure.


Media Contact:

Tenable PR
[email protected]
