Rapid7's 2021 ICER Takeaways: Vulnerability Disclosure Programs Among the Fortune 500

This blog post covers key takeaways from our 2021 Industry Cyber-Exposure Report (ICER): Fortune 500.


Every major corporation on Earth is a technology company. It is unthinkable that a business that generates billions of dollars in revenue and employs thousands of workers would not have a significant technological investment in their products, processes, and logistics. We rely on fantastically advanced technologies in every aspect of our modern lives. Of course, anyone who has spent any time analyzing these technologies will notice that we are routinely bedeviled with vulnerabilities, especially when it comes to internet-based systems.


As it happens, we have a powerful and proven method to stem the tide of vulnerabilities in major technologies: coordinated vulnerability disclosure (CVD), and a now-standard mechanism to participate in CVD, vulnerability disclosure programs (VDPs).


The presence of a publicly accessible VDP is conspicuously lacking across most of the companies in the Fortune 500, which, in turn, makes it difficult for those companies to ever learn about vulnerabilities in their products and technical infrastructure in a constructive way.


While VDPs are more common today among the highest-revenue companies, the drop-off is rather steep after the top 100 companies, and few of the 21 industries represented in the Fortune 500 have normalized VDPs as a business practice. Without vulnerability disclosure programs, these industries are telegraphing that they do not want to know about their own vulnerabilities, intentionally or not, to their shareholders' and customers' peril.


For this study, we searched for VDPs associated with Fortune 500 companies and flagship brands of those companies, much in the same ..