The State of Cybersecurity 2024 | ASX 200 finds that while the overall cyber resilience of Australian organisations holds strong, some of the country’s largest corporations are struggling to keep pace with the evolving threat landscape
SYDNEY, AUSTRALIA — 19 NOVEMBER 2024 — UpGuard, the global leader in cybersecurity ratings and risk management, has unveiled its 2024 ASX 200 Security Report, revealing that sectors such as Energy and Consumer Discretionary—key drivers of the national economy—are struggling to keep pace with evolving cyber threats as the Australian government rolls out stricter data privacy regulations.
While the report shows an overall improvement in security postures among Australia’s top listed companies, with average scores rising from 759 in 2023 to 773 (out of 950) in 2024, significant vulnerabilities persist in critical sectors like Healthcare, which recorded an average score of 763, and Utilities, which has seen only a 2-point increase.
The report, which audits the security standards of Australia’s largest 200 companies by market capitalisation across email, networks, website, and overall security, found that while sectors like Materials and Real Estate have made progress, 46% of ASX 200 companies still lack DMARC (Domain-based Message Authentication, Reporting & Conformance) policies, leaving them vulnerable to phishing—a common entry point for larger breaches. Additionally, 29% of these companies operate websites without any encryption, raising serious concerns about data security in critical industries.
“As some of the largest companies in Australia, members of the ASX 200 have a responsibility to maintain robust cybersecurity standards, particularly firms that are critical to the Australian way of life and the health of the economy at large,” said UpGuard Head of Research and Insights, Greg Pollock.
Key findings from the 2024 ASX 200 Security Report:
- 9 of the top 10 most common risks to ASX 200 companies involve website security.
- Materials, Communication Services and Real Estate improved the most with 30+ point gains.
- Energy and Consumer Discretionary sectors dropped 12 points and 14 points respectively.
- 29 companies on the ASX 200 have perfect email scores. These organisations have managed to establish effective SPF and DMARC policies across their domains.
- The Information Technology sector increased its average score by 20 points from last year, bringing it up over 800. Much of this improvement was made in the email vector, with a gain of 123 points.
“Many organisations still lack fundamental protections in critical areas like their supply chain and email ecosystems, despite high-profile breaches such as Optus, Latitude Financial, and Medibank in recent years,” said Greg Pollock, UpGuard Research and Insights. “These gaps leave businesses exposed to serious threats, from phishing attacks to unauthorised data access and identity fraud, compromising both their operations and customer trust. This isn’t just about compliance; it’s about building resilience and maintaining trust in an increasingly hostile digital landscape.”
The 2024 report also highlights significant website and network security concerns among ASX 200 companies. Nine of the top 10 most common risks to ASX 200 companies involve website security, with almost a quarter (24%) using expired or invalid certificates and 50% relying on weak encryption methods—risks that are most prominent in the Financial Services, Manufacturing, Insurance, and Energy & Utilities sectors. Network vulnerabilities are also a concern, with 55% of companies exposed to risks such as open FTP ports, which pose critical threats if left unaddressed.

“The recent CrowdStrike outage serves as a reminder that even well-prepared companies can face disruption,” added Pollock. “When incidents occur, they ripple through entire supply chains, with impacts that extend beyond the company itself to affect the national economy and security. Regulations alone can’t do the job—it's up to companies to roll up their sleeves, close those lingering security gaps, and stay on their toes as new threats emerge. It’s this kind of continuous effort that will carry us through the challenges of 2025 and beyond.”
Recommendations for companies:
- Improve encryption practices
  - Inventory and decommission outdated internet-facing systems.
  - Regularly update certificates to current encryption standards (e.g., TLS 1.3).
  - Enforce encrypted connections and replace unencrypted services like FTP with secure alternatives.
- Improve phishing protection
  - Set up SPF, DKIM, and properly configured DMARC policies to block fraudulent emails.
  - Ensure DMARC applies to all subdomains and rejects unauthorised emails.
- User education
  - Conduct regular phishing training and run test phishing scenarios.
  - Establish clear protocols for handling sensitive information to reduce risks.
NOTES TO EDITORS
- Data sourced from public records collected between May 2023 and August 2024 with insights developed using UpGuard’s proprietary cyber risk assessment tools.
- All data and insights have been validated by cyber security and data experts.
- A full copy of the ASX 200 Security Report can be found HERE
METHODOLOGY
This report draws on data from the UpGuard platform, which scans publicly available information to evaluate the security posture of ASX 200 companies. The data highlights how well these organisations manage key risk areas, such as email security, website security, and network security, all of which are critical in preventing cyber threats. UpGuard assigns a Security Rating by analysing various risk factors, with lower scores given more weight to reflect the importance of addressing weaknesses. Each company’s score is calculated on a scale of 0 to 950 and grouped into letter grades, where an ‘A’ represents strong cybersecurity performance. The report assesses 10 risk categories and includes a year-over-year comparison to assess the overall security performance of the ASX 200.
ABOUT UPGUARD
Born in Hobart, Australia and scaled in Silicon Valley, UpGuard is a cybersecurity platform that helps global organisations prevent data breaches, monitor third-party vendors, and improve their security posture. Using proprietary security ratings, world-class data leak detection capabilities, and powerful remediation workflows, UpGuard proactively identifies security vulnerabilities for organisations of all sizes.
PRESS CONTACT
Charlotte Hartley-Wilson
PR Manager
charlotte.hartley-wilson@upguard.com