Staying on top of corporate security trends may seem like a hassle, but it actually has great benefits for your organization. Understanding security trends helps businesses benchmark their performance—including within their specific industry—and strengthen their security posture to align with the best performers.
UpGuard’s State of Cybersecurity: S&P 500 2025 Report evaluates the cybersecurity performance of S&P 500 companies, providing insights into industry trends, security solutions, and benchmarks across the largest companies in the United States. Below, we’ve got a breakdown of the top performers, the most improved, and the risks that should be on your organization’s radar—all designed to help your business stay ahead of the cybersecurity curve.
S&P 500 State of Cybersecurity 2025
We analyze the impact of key security trends that will affect the S&P 500 in 2025.
Key findings from the S&P 500 Security Ratings Index
Our research into the cybersecurity performance of the S&P 500 index revealed some key findings around growing areas of cyber risk, illustrating just how rapidly the cyber threat landscape is changing. Here are a few of our key findings:
- Third-party impacts go beyond just data breaches and now include major outages and attacks, including the CrowdStrike outage, which affected every sector of the S&P 500.
- The number of exploited web vulnerabilities is likely to grow, with 66% of S&P 500 companies using products with known exploitations.
- AI risk is everywhere, with 100% of S&P 500 companies using artificial intelligence and another 69% heavily invested in AI.
Alongside these key findings, our research dove into the individual cybersecurity performance of each S&P 500 company. Utilizing data from the UpGuard platform, which scans publicly available information to evaluate a company’s security posture, our team identified how well each organization manages key risk areas, such as data breaches, outages, vulnerabilities, and artificial intelligence.
Our team aggregates the data and assigns each company a Security Rating, with lower scores given more weight to reflect the importance of addressing weaknesses. Each company’s score is calculated on a scale of 0 to 950 and grouped into letter grades, where an ‘A’ represents strong cybersecurity performance. The report evaluates key risk metrics and provides a year-over-year comparison to assess the overall security performance of the S&P 500.
So, how did the companies stack up? Let’s start by exploring the top performers who ranked highest across various industries.
Top performers: Industry leaders in cybersecurity readiness
It’s not surprising that a majority of our top performers come from the technology industry. Tech organizations are typically primed to protect themselves against cyberattacks since most of their product information, data, and business operations are digitally based. However, we also have a financial company in our top performers, showcasing how stringent regulations in a specific industry force organizations to maintain a sustainable cybersecurity posture.
Our top performers scored close to 900, a very strong position reflecting the wide-ranging implementation and configuration of proper edge security. These strategies include phishing protection, strong encryption practices, properly hardened applications and websites, and having only necessary network ports open to the Internet.
Microsoft
Microsoft, a tech powerhouse, maintained a strong overall score of 883, which included a 64-point increase from their previous year’s score of 819. They are also a top performer in the information technology sector, ranking in the top three of all information technology companies across the S&P 500. Similar to other high-ranking technology companies, Microsoft earned its high score by deploying strong attack surface management, minimizing data leakage, and prioritizing network security.
Information technology should adopt standardized security practices, not only because the problem belongs to this industry but because securing underlying technology is essential to protect all the upstream businesses and individuals that rely on it.
Recommended Reading: Free Full Security Report for Microsoft
Uber
While Uber is often considered a technology company, it actually belongs to the industrial sector in the S&P 500 and ranks close to the top of that industry. Uber scored 881 on our security rankings, demonstrating a dedication to its cybersecurity practices, which also resulted in an increase of 126 points from its previous score of 755.
Alongside other industrial companies, Uber’s attack surface, network, and DNS security remained strong, contributing to its security score. Additionally, Uber and other industrial organizations had a significant jump in email security scores, increasing by 98 points (the largest of any sector). As more and more companies rely on email, it is vital to incorporate anti-phishing mechanisms that help protect sensitive control systems and other crucial infrastructure. Phishing attacks are one of the most common ways to gain access to internal networks—and can halt a company’s operations in the blink of an eye.
Recommended Reading: Free Full Security Report for Uber
PNC Financial
PNC Financial, a bank holding company and financial services corporation based in Pittsburgh, scored an impressive 894 on our security ratings index, a 53-point increase from its previous score of 851. The financial services industry actually had the highest industry score across the S&P 500, mainly due to robust compliance standards that help keep organizations protected and up to date.
Similar to the industrial sector, PNC Financial and other financial services companies are improving their email security scores by focusing on anti-phishing features and ensuring prompt responses to email-based cyber incidents. Given the large volumes of data that financial institutions handle, PNC and others in the industry also employ strong encryption practices. Although the financial sector's encryption score is only in the 700s, it is the only industry to achieve that score, while all other sectors scored in the 600s or lower.
Recommended Reading: Free Full Security Report for PNC Financial
S&P 500 State of Cybersecurity 2025
We analyze the impact of key security trends that will affect the S&P 500 in 2025.
Most improved: Companies making big gains in security posture
Cybersecurity is constantly evolving, and that means companies need to continue to improve over time to stay ahead of risks. Our research identified multiple companies making substantial strides toward improving their security posture while minimizing cybersecurity risk, demonstrating it’s never too late to start boosting your cybersecurity efforts.
What drove these improvements? Companies are now under increased regulatory pressure to develop stronger risk management controls, which often leads to enhanced incident response frameworks. Many organizations are also investing more in cybersecurity solutions and personnel to help manage the growing need for strong security technology.
Unfortunately, major increases in security scores were also the result of devasting cyber incidents, which forced organizations to deploy security controls rapidly. One example is Caeser’s Entertainment, which suffered a third-party social-engineering attack impacting tens of thousands of individuals. As a result, its security rating increased by over 45% from 2023 to 2024.
Below, we’ll cover two companies in the S&P 500 that showcased solid improvement in their security ratings and, as a result, stronger protections against cyber risk.
Axon Enterprise
In 2023, Axon Enterprise scored 687 on our security ratings index. However, in 2024, their security rating jumped by over 24% to 853. This increase now elevates them into the range of our top performers and demonstrates a strong commitment to cybersecurity.
While a score in the high 600s does reflect some critical protections across Axon’s attack surface, the jump into the mid-800s reveals continued tweaking and improvement of their existing process and systems. This change could be due to updated vendor assessments, supply chain protections, and new cloud security controls. Like other industrial companies, Axon must also dedicate themselves to strong email security, including anti-phishing mechanisms.
Applied Materials
Even organizations with strong security postures focus on continuous improvement as the cyber threat landscape grows. Applied Materials increased their already good score of 704 by almost 20% to achieve a strong 840 this year, demonstrating a continued commitment to cybersecurity practices.
Applied Materials supplies equipment, services, and software for technology manufacturing, making it a vital part of the supply chain for many large manufacturing organizations. By increasing its already strong security score, Applied Materials demonstrates a continued dedication to strong security measures, reducing significant risk and protecting itself from vulnerabilities that may affect its clients as well.
Biggest concerns: Where companies are falling behind
While some S&P 500 companies have made notable improvements in their security posture, many still face critical gaps that leave them vulnerable to cyber threats. Understanding this risk forecast is essential for companies aiming to strengthen their defenses and meet rising regulatory standards.
Poor encryption practices
Encryption is a fundamental layer of defense in protecting sensitive data, yet many companies in the S&P 500 still lack comprehensive encryption protocols. End-to-end encryption ensures that data remains protected during transmission and storage, but inconsistent implementation leaves critical information exposed to interception. Threat actors can exploit these gaps to access sensitive data, including financial records and healthcare information. Strengthening encryption practices is essential for safeguarding confidential data, enhancing information security, and maintaining customer trust.
Phishing vulnerabilities
Phishing remains one of the most effective methods for breaching corporate networks, yet many companies continue to struggle with prevention. Weak employee training and inadequate email authentication protocols (such as SPF, DKIM, and DMARC) make it easier for attackers to impersonate legitimate sources and deceive employees into revealing sensitive information or clicking malicious links to deploy ransomware. The rise of sophisticated social engineering tactics increases the urgency for companies to enhance phishing defenses through better employee training and stronger email verification measures.
Outdated security practices
Relying on legacy systems and outdated software creates significant security gaps. Unpatched vulnerabilities, poor configuration management, and unsupported software versions leave businesses exposed to known exploits. Threat actors often target these weaknesses with automated scanning tools, allowing them to identify and breach outdated systems quickly. Modernizing infrastructure, implementing automated patching processes, and conducting regular system audits are crucial for closing these security gaps and reducing the attack surface.
Benchmarking against industry leaders: What businesses can learn
The top performers in the S&P 500 all demonstrate that strong cybersecurity is achievable across industries. Businesses can learn from these leaders and apply similar methods to strengthen their defenses, including the following strategies:
- Prioritize attack surface management: Microsoft’s high score reflects its investment in attack surface management, minimizing data exposure, and securing open network ports. Businesses should adopt similar strategies to identify and close security gaps in real time.
- Strengthen email security and phishing defenses: Uber’s significant improvement in email security shows the importance of anti-phishing mechanisms and employee training. Implementing email authentication protocols (like SPF, DKIM, and DMARC) and conducting regular phishing simulations can reduce vulnerability to social engineering attacks.
- Enhance encryption and data protection: PNC Financial’s success stems from strong encryption practices, which are vital for protecting sensitive financial data. Businesses across all industries should invest in end-to-end encryption and secure data storage to prevent unauthorized access.
- Adapt to industry-specific threats and regulations: The financial sector’s strong overall performance reflects the impact of strict regulatory requirements. Businesses should stay informed about industry-specific regulations and implement security frameworks that align with compliance standards.
How UpGuard Breach Risk can help
UpGuard’s State of Cybersecurity: S&P 500 2025 Report highlights a divide between companies excelling in cybersecurity and those facing significant gaps. These corporate security trends are an excellent place to benchmark your organization against, identifying areas of strength and those needing improvement.
If you want to align your organization with top security performers in the S&P 500, consider UpGuard Breach Risk, our all-in-one attack surface management tool. From daily scanning to faster remediation, Breach Risk is focused on identifying and reducing risks seamlessly. Additional features include:
- Data leak detection: Protect your brand, intellectual property, and customer data with timely detection of data leaks and avoid data breaches
- Continuous monitoring: Get real-time information and manage exposures, including domains, IPs, and employee credentials
- Attack surface reduction: Reduce your attack surface by discovering exploitable vulnerabilities and domains at risk of typosquatting
- Shared security profile: Eliminate having to answer security questionnaires by creating an UpGuard Trust Page
- Workflows and waivers: Simplify and accelerate how you remediate issues, waive risks, and respond to security queries
- Reporting and insights: Access tailor-made reports for different stakeholders and view information about your external attack surface
Explore how UpGuard Breach Risk can help protect your business at https://www.upguard.com/contact-sales.
