Overview

Sentria has undertaken a limited industry-by-industry review to outline a common issue within cybersecurity – businesses know their cybersecurity requires attention, but they do not know where to begin.

Looking across sectors lets us identify common and pervasive cybersecurity issues, and allows businesses to see where they stand in comparison to their peers.

Sentria exclusively uses Cyber Tzar to analyse industries, using automated static web code analysis to generate a first-level security score. The presence of vulnerabilities is weighted into a single score using industry-accepted rankings from NIST, MITRE and OWASP, amongst other technical sources.

Cyber Tzar’s score maps to the following general advice statements:

  • 1 – 400 requires immediate attention, with high likelihood of identification by cyber criminals
  • 400 – 700 requires urgent attention due to the likely presence of high impact vulnerabilities
  • 700 – 900 has near-term action recommended, subject to caveats
  • 900 – 1000 has periodic review recommended, subject to caveats

Both Sentria and Cyber Tzar provide caveats related to the limitations of static code scanning (used for industry assessment) compared with the dynamic code (penetration) scanning required for a full security test. A high score on a static code test may differ significantly from the results of dynamic testing, which covers forms, account-accessed areas and other sizeable areas of website vulnerability.

Sentria will periodically refresh existing industry analysis, and extend the number of industries under analysis, to further track how websites and sectors understand and address cybersecurity at the root level.

Web Development Agencies

Sentria assessed the Web Developer industry by assessing websites from the Top 100 Australian Web Development Agencies as published by The Manifest (2020 list used), part of the clutch.co group.

Among the industries under our analysis, web development agencies performed equal best. However, our analysis shows that a majority of agencies fall within our ‘requiring urgent attention’ classification.

Financial Services

According to data from Imperva Research Labs, web application attacks on the financial services industry increased 38% between January and June 2021, with attacks becoming bigger and more consistent, particularly in Australia, Singapore and broader South-East Asia.

Sentria assessed the Australian Financial Review (AFR) Top 100 Accountancy Firms List (2020). The list covers large to small enterprises, and takes in sites ranging from ‘brochureware’ through to sophisticated client service sites.

Our analysis indicates that, despite the sensitivity of the sector, there is a very wide range of performance in addressing cybersecurity vulnerabilities.

E-Commerce

Sentria assessed the 2020 Inside Retail ‘Top 50 People in e-Commerce’ list as well as other online lists including the Store Leads App.

Our analysis indicates that the average score of this group was higher than that of the other analysed industries. Despite this, over 50% of sites analysed with static code analysis were readily open to data breaches. The presence of a number of sites with very poor security (1-400 range) is alarming given that all such sites handle the personal and financial information of customers.

Food Manufacturing

Sentria selected a range of food manufacturing businesses as an example of businesses that may need to provide supply chain security, and where a successful cyberattack may critically impact the broader economy.

Our analysis indicates a significant issue in addressing cybersecurity within business websites. Understanding the broader impact requires business-by-business dynamic code (penetration) testing, providing more detailed insight into supply chain links within websites.

Charities / NFP

Not-for-profit (NFP) and charity organisations are not obvious targets for cyberattack; however, many of these sites take online donations and collect personally identifiable information (PII), making them a means of primary and secondary cybercrime.

Our analysis of NFPs and charities indicated a substantial need to address website cybersecurity. Sentria anticipates that a full analysis of information capture and other dynamic code vulnerabilities will reveal further needs within this sector.