First-ever study across millions of systems, 200+ countries, and tens of thousands of organizations reveals the severely vulnerable state of the enterprise


Salt Lake City, Utah, April 30, 2019 — Today the Cyentia Institute published the “Internet Risk Surface Report,” a comprehensive study sponsored by RiskRecon detailing the magnitude and complexity of the risk surface that enterprises must manage to achieve good operational and information risk outcomes. The report exposes the true extent of enterprise computing, reaching into the vast array of third-party cloud and hosting providers. The study also lays bare the quality of enterprise cybersecurity risk management across a wide set of industries and geographies.
“Your risk surface is anywhere your ability to operate, your reputation, your assets, your legal obligations, or your regulatory compliance is at risk,” explained Kelly White, RiskRecon’s CEO and co-founder. “The digital transformation has moved the enterprise risk surface well beyond the internal enterprise network, with 65% of all enterprise internet-facing systems hosted with third-party providers. The data show that enterprises are not keeping up, with the security of internally hosted systems being much better managed than third-party hosted systems. This dilemma has now become critical because organizations are failing to understand how to manage their entire risk surface based on the volume of external digital exposure they face.”
“I’m extremely excited about not only this initial report, but also the larger research stream we’ve begun with RiskRecon,” said Wade Baker, founder of Cyentia Institute. “I love any opportunity to learn from data that can fundamentally improve the way we manage cyber risk, and this effort absolutely fits that bill. There’s an incredible amount of valuable insight in this report, and we’re just starting to scratch the surface.”
The “Internet Risk Surface Report” provides a wealth of data, including observations around the internationalization of the internet, a deep dependence on cloud computing, and the risk surface of specific industries.

Key findings include:

  • International supply chain risk management
    • Thirty-two percent of organizations host their data in foreign countries.
    • East Asian and Eastern European countries have a nearly 400% higher rate of severe security vulnerabilities than North America and Western Europe.

  • Reliance on the cloud
    • Eighty-four percent of organizations host critical or sensitive assets with third parties.
    • A typical firm has 22 internet-facing hosts, but some maintain over 100,000.
    • Sixty-five percent of hosts sit on infrastructure owned by an external entity.
    • Twenty-seven percent of firms host assets with at least 10 external providers.
    • Overall, organizations are three times as likely to have high-value assets with severe findings off-premise vs. on-premise.

  • Risk surface by industry
    • Every industry has different commerce characteristics, but there are risk commonalities in most groups.
    • The finance industry has the lowest rate of severe vulnerabilities at 3.2%.
    • Public admin and education sectors have a 60% higher rate of critical vulnerabilities than finance.

The concept of internet risk surface, as outlined in the report, provides a foundation for measuring an organization’s exposure to cybercrime, while also providing a new way to understand and implement appropriate security measures.

To download the full Internet Risk Surface Report, visit:

About Cyentia Institute
Cyentia Institute is a Virginia-based cybersecurity research services firm. We deliver high-integrity, high-quality, data-driven research that provides security companies with meaningful marketing content to build mindshare, drive sales, and attain greater visibility in competitive markets. In doing so, we seek to advance cybersecurity knowledge and practice for the community at large. In addition, we curate and publish a library of cybersecurity research and reporting which serves as a vital reference for security decision makers and practitioners worldwide.

About RiskRecon
RiskRecon is the only continuous vendor monitoring solution that delivers risk-prioritized action plans custom-tuned to match your risk priorities, providing the world’s easiest path to understanding and acting on third-party cyber risk. Partner with RiskRecon to build your scalable, third-party risk management program to realize dramatically better risk outcomes. To learn more about RiskRecon’s approach, request a demo or visit the website at


Connect with RiskRecon:

Twitter: @riskrecon

Media Contact:
Trevor Carver