New research reveals that even America’s most trusted companies struggle with basic cybersecurity hygiene, with 94% scoring a D or F in overall cybersecurity posture.
Cybernews researchers found that 46% of these companies are vulnerable due to employees reusing compromised passwords, increasing the risk of credential-stuffing attacks.
The findings highlight systemic cybersecurity issues, echoing previous research on S&P 500 companies with similar high breach rates and poor security scores.
Amid constant warnings about sophisticated AI cyber threats, the most persistent security exposures often trace back to fundamental human errors and neglected digital upkeep. New research underscores this reality, revealing that even America’s most trusted corporate names are struggling with basic cybersecurity hygiene, leaving significant vulnerabilities across their operations.
According to an analysis by cybersecurity researchers at Cybernews, the top 100 U.S. companies deemed “most trusted” (based on a Forbes list) exhibit alarming security weaknesses. The Cybernews Business Digital Index (BDI), which grades companies based on publicly available data and external security scans, found that every single company analyzed had experienced a data breach, and 94% scored a D or F for their overall cybersecurity posture.
Basic hygiene failures persist: Perhaps most telling is the human factor. Cybernews found that nearly half (46%) of these trusted companies are vulnerable because their employees reuse passwords that have already been compromised in previous breaches. This practice significantly increases the risk of unauthorized access through common credential-stuffing attacks, highlighting a critical failure in internal policy and training.
Beyond passwords, the research identified widespread neglect of fundamental security measures. Secure Sockets Layer/Transport Layer Security (SSL/TLS), essential for encrypting web traffic, was found to be misconfigured across all analyzed companies. System hosting issues, such as poor server setups or outdated infrastructure, plagued 93% of firms, while 89% had web application vulnerabilities – common entry points for attackers. Furthermore, half of the companies struggled with outdated or unpatched software.
Retail and finance critically weak: The sectors arguably requiring the highest levels of security due to the sensitive data they handle – Retail & Consumer, and Financial & Professional Services – performed particularly poorly. Cybernews reports that within these industries, 100% of analyzed companies had suffered data breaches and exhibited SSL/TLS configuration problems. In Retail, 48% scored a D and 50% received an F rating. The Finance sector saw 65% rated D and 22% F, indicating widespread high or critical risk levels that could directly impact consumers.
Trust must be earned: “Being trusted by the public doesn’t mean a company is secure,” Vincentas Baubonis, Head of Security Research at Cybernews, said of their report. “Our findings show that even the most reputable brands are failing basic cybersecurity standards – and that’s a serious concern. Companies must uphold strong digital defenses if they want to truly protect their customers and live up to that trust.”
Baubonis also noted the severe consequences of universal data breaches and SSL/TLS flaws, including potential financial loss, legal action, reputational damage for businesses, and identity theft or fraud for customers.
A pattern of vulnerability: These findings are not isolated. They echo earlier Cybernews research using the same BDI methodology on S&P 500 companies, which found similarly high rates of data breaches (96%) and poor security scores (89% D or F) across major US corporations, suggesting these basic hygiene issues are systemic.
The BDI methodology relies on external assessments across seven dimensions, including breach history, SSL configuration, patching, and web application security, providing a snapshot of externally visible security posture. The consistent failure across different corporate cohorts points to the persistent challenge of embedding fundamental cybersecurity practices, regardless of company size or public reputation.
© 2025 Bamboo HR LLC. All Rights Reserved. BambooHR® is a registered trademark of Bamboo HR LLC