Some of the most publicized breaches led back to exposed databases or cloud configuration mismanagement. Some security controls, such as web applications firewalls, are deployed with default settings companies leave untouched. The same excuse isn't applicable to other network services, like MySQL.
"The issue is that organizations are failing to implement the basic, longstanding practice of network filtering to limit services to the internet that are necessary and appropriate," Kelly White, founder and CEO of RiskRecon, said in an email. Public websites are just that — meant for the public.