The education sector tops the list of industries with the most vulnerable cloud assets, APIs and web applications, according to a new study from CyCognito.
The security vendor analyzed a random sample of two million internet-exposed assets between January and June, simulating real-world attacker behavior including:
- Black-box pen testing using over 90,000 exploit modules, credential stuffing simulations, data exposure detection and more
- Dynamic application security testing to spot runtime web app vulnerabilities
- Active vulnerability scanning to detect unpatched CVEs, misconfigurations and exposed assets
The research revealed that, across all sectors, 14% of cloud assets, 21% of APIs and 20% of web apps were vulnerable to compromise. It claimed the latter two categories were more likely to be vulnerable due to shadow IT and third-party integrations which make them “easy to introduce and hard to govern.”
However, it was the education sector that topped the list, with almost a third (31%) of assets classed as vulnerable, rising to 38% of APIs and 35% of web apps.
CyCognito blamed this on “rising digital adoption, limited security investment, and sprawling infrastructure.”
Rounding out the top five were professional services (28%), retail (27%), government (26%) and media (21%).
Read more about cyber-attacks in the education sector: 73% of UK Education Sector Hit by Cyber-Attacks in Past Five Years
“Notably, each of these industries carries a distinct risk signature. For education, it’s often the concentration of sensitive personal data on undermanaged and outdated systems. For retail, it’s often the reliance on interconnected vendors and e-commerce platforms that expand the attack surface,” said CyCognito data scientist, Zohar Venturero.
“For government systems, it is often the combination of legacy technology and publicly exposed services that create points of vulnerability. Professional services face compounded exposure due to client-specific environments and asset sprawl. And media’s drive for publishing velocity often outpaces governance, leaving APIs and CMS platforms as recurring weak points.”
Context is Critical
To manage such exposures effectively, organizations must understand the context of who owns the asset, what it does and how attackers view it in the context of a broader network, Venturero continued.
“While on paper two industries might show similar percentages of vulnerabilities, across one or more asset types, the type of damage those could cause varies widely. For example, an exposed university app might leak vast amounts of personally identifiable information (PII), triggering reputational damage, regulatory violations, and public backlash,” she explained.
“As serious as that is, the impact might be dwarfed by a vulnerable edge device in a telecom or government network, where exploitation might serve as a pivot point for lateral movement, privilege escalation, and long-dwell attacks that quietly compromise critical infrastructure from the inside out.”
