Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Industry-First Research From Tenable Calculates External Attack Surface of U.K.'s Largest Organisations

November 24, 2022 · London, UK

Study finds 100% of organisations still rely on a legacy security protocol dating back to 1999

A new study conducted by Tenable®, Inc., the Exposure Management company, has illuminated for the first time ever the immense challenge organisations face identifying and protecting their internet-facing assets. An inventory of the external attack surface of 22 of the U.K.’s largest organisations1 [as listed by the FTSE top 50] were examined on Friday, October 29, 2022. The results show how complex, geographically dispersed, and hybrid these environments have become, and illustrate the sheer scale of the cybersecurity architecture that needs to be secured.

The study revealed that, of the companies examined, most have a sprawling expanse of internet-facing assets2, with an average of 76,600 to identify and protect. One organisation alone has over 500,000 such assets. One striking observation is that 100% of organisations had web-based assets that still support TLS 1.0 [a security protocol first defined in 1999 for establishing encrypted channels over computer networks] that was disabled by Microsoft in September [2022]. Over half (12 companies) had instances of SSL 2.0 - the predecessor to TLS. In addition to the risk of eavesdropping on sensitive internet traffic by adversaries, this is just one example demonstrating how challenging it’s become for organisations with large internet footprints to identify and update outdated technology.

Key Findings:

  • Total Internet-facing Assets: Average 76,600 / Median 50,024
  • Assets Supporting TLS 1.0: Average 3,892 / Median 1,259
  • Assets Supporting TLS 1.1: Average 3,965 / Median 1,321
  • Assets Supporting SSLv2: Average 2 / Median 55
  • Assets Supporting SSLv3: Average 0 / Median 25
  • Number of Countries: Average 51 / Median 45
  • Assets Hosted in the Cloud (Amazon, Microsoft, Google): Average 23% / Median 20%
  • Cloud-Asset Marketshare by Vendor: Amazon (Average 80% / Median 82%), Microsoft (Average 10% / Median 6%), Google (Average 10% / Median 9%),
  • Assets Located or Delivered though the U.K.: Average 11% / Median 5%
  • Assets Located or Delivered though the U.S.: Average 61% / Median 64%

The vast array of internet-facing assets is supported by a complex cloud infrastructure built upon public services, further complicating each organisation’s attack surface2 and making it more difficult to identify, monitor and protect. Amongst the multinational organisations studied, Tenable found that an average 23% of their infrastructure is public cloud3 based. Of that 23%, Amazon Web Services claims the lion’s share, accounting for an average 80% of assets hosted in the cloud, with Microsoft and Google sharing the remainder. This leaves organisations reliant on a third-party to apply the same stringent controls to protect their data and systems.

Looking at the geographical disbursement of these organisations, the study identified that on average, their assets are located in or delivered from 51 different countries. In fact, only 11% of assets are located in or delivered through the UK, with 61% through the US. This has implications from a data protection perspective. GDPR for example, governs any data on EU citizens, even if it travels outside the European Union.

“The infrastructure that underpins organisations today is only vaguely recognisable from three years ago, especially pre-COVID. Internet-facing assets are not just commonplace, but essential for organisations in the modern business world,” said Jeremiah Grossman, Security Strategist, Tenable. “The flipside of this is that any one of these assets is a potential entry point for an adversary into the organisation. Threat actors are probing these openings, looking for any single one that is left insecure so they climb through. As defenders, security professionals need to know what assets they’re protecting in order to secure themselves.”

For further information visit www.tenable.com.

About Tenable:

Tenable® is the Exposure Management company. Approximately 40,000 organizations around the globe rely on Tenable to understand and reduce cyber risk. As the creator of Nessus®, Tenable extended its expertise in vulnerabilities to deliver the world’s first platform to see and secure any digital asset on any computing platform. Tenable customers include approximately 60 percent of the Fortune 500, approximately 40 percent of the Global 2000, and large government agencies. Learn more at tenable.com.

Notes to Editors:

  1. Tenable examined 22 companies, chosen at random from the FTSE Top 50*
  2. In the context of this alert:
  • An asset is a domain name, subdomain, or IP addresses and/or combination thereof of a device connected to the Internet or internal network. An asset may include, but not limited to web servers, name servers, IoT devices, network printers, etc. Example: foo.tld, bar.foo.tld, x.x.x.xs.
  • The Attack Surface is from the network perspective of an adversary, the complete asset inventory of an organisation including all actively listening services (open ports) on each asset.
  • When calculating public cloud deployment, the study examined Amazon Web Services, Google Cloud Platform and Microsoft Azure.


  • Media Contact:

    Tenable PR
    [email protected]

    Stay up to date!

    Subscribe to our email alerts for new press releases.

    Subscribe for press release updates

    Tenable Vulnerability Management

    Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

    Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

    Tenable Vulnerability Management

    Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

    100 assets

    Choose Your Subscription Option:

    Buy Now

    Tenable Vulnerability Management

    Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

    Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

    Tenable Vulnerability Management

    Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

    100 assets

    Choose Your Subscription Option:

    Buy Now

    Tenable Vulnerability Management

    Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

    Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

    Tenable Vulnerability Management

    Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

    100 assets

    Choose Your Subscription Option:

    Buy Now

    Try Tenable Web App Scanning

    Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

    Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

    Buy Tenable Web App Scanning

    Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

    5 FQDNs

    $3,578

    Buy Now

    Try Tenable Lumin

    Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

    Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

    Buy Tenable Lumin

    Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

    Try Tenable Nessus Professional Free

    FREE FOR 7 DAYS

    Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

    NEW - Tenable Nessus Expert
    Now Available

    Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

    Fill out the form below to continue with a Nessus Pro Trial.

    Buy Tenable Nessus Professional

    Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

    Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

    Select Your License

    Buy a multi-year license and save.

    Add Support and Training

    Try Tenable Nessus Expert Free

    FREE FOR 7 DAYS

    Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

    Already have Tenable Nessus Professional?
    Upgrade to Nessus Expert free for 7 days.

    Buy Tenable Nessus Expert

    Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

    Select Your License

    Buy a multi-year license and save more.

    Add Support and Training