UpGuard recently published its State of Cybersecurity 2025 | S&P 500 Report, highlighting cybersecurity trends of the leading industries throughout the United States. Alongside reviewing the most impactful incidents of 2024, the report also details which industries are leading (and which are lagging) in their cybersecurity measures and risk management.
With growing cyber threats from AI and software supply chain attacks on the rise, maintaining a strong cybersecurity posture is more crucial than ever. Read on to explore our key findings from the report, including how you can learn from top-performing industries to improve your organization’s cybersecurity posture.
High-risk sectors: Finance, information technology, and industrials
Our research revealed that web vulnerabilities have continued to grow, and many companies are using products with these known vulnerabilities, which may or may not be patched. Our research identified:
- 66% of companies in the S&P 500 use products with exploited vulnerabilities.
- 49% of companies use one of the 15 most routinely exploited products identified by CISA.
- There are currently 2,135 total instances of known exploited products across the S&P 500.
The industries with the most companies using these products were finance, information technology, and industrials, which we’ve identified as the highest-risk sectors.
Finance
The financial industry is one of the most high-risk sectors for cyberattacks, mainly because it has high-value targets (sensitive information regarding financials) that threat actors are motivated to exploit. However, our research also identified that the financial sector remains the highest-scoring industry among S&P financial companies. Strict regulatory requirements and required audits help keep financial institutions up-to-date and protected against data breaches and ransomware attacks.
Healthcare
The healthcare sector handles vast amounts of sensitive data and patient data, and its widespread adoption of third-party vendors makes it a huge target for third-party data breaches and supply chain attacks. Our research unveiled that the healthcare industry’s attack surface has increased, and email and encryption security remains a major threat to organizations. Considering these providers routinely handle HIPAA-covered data, healthcare organizations must take steps to increase their data security to prevent protected information from being exposed to cybercriminals.
Industrials
Similar to the financial industry, industrials have a large attack surface with high-value targets that hackers seek to exploit. Many organizations in this industry handle sensitive data, such as addresses and credit card information—making them a prime target for cybercrime and insider threats. In our report, Industrials made major improvements to email security, such as anti-phishing mechanisms that help boost their defense against cyber incidents. This finding coincides with the industry’s strong attack surface, network, and DNS security measures.
Encryption challenges: Utilities and energy sectors
Encryption is a common cybersecurity best practice that protects data both at rest and in transit. Industries that handle large amounts of data must implement security controls like encryption to prevent unauthorized access to customer data and sensitive information. Of the industries scored in our report, both the utilities and energy sectors came up short in their encryption practices, identifying areas of improvement for these organizations’ data protection protocols.
The utility sector showed a minor improvement in its network and encryption postures, but with a low encryption score, it still presents a risk throughout the entire sector. Similarly, security postures in the energy sector improved slightly, but their encryption posture lags significantly behind.
Utilities and energy industries house critical infrastructure, making them prime targets for nation-state cyber threats. Poor encryption can lead to major disruptions, such as power grid downtime. Organizations in these industries should prioritize stronger encryption protocols and advanced threat detection mechanisms to mitigate these cybersecurity risks and enhance national security.
Email security gaps: Real estate and consumer staples
One of the biggest targets for cybersecurity threats is email due to its prevalence across almost every industry. Phishing attacks, in particular, are a common type of social engineering scam that takes advantage of human error. Over time, phishing has become almost impossible to decipher without the proper training.
Our report identified two industries with significant email security gaps: real estate and consumer staples, where email communication is primarily used between businesses and consumers.
Real estate scored the lowest of all industry sectors for email security, leading to a high-risk vector where phishing attacks are more likely to succeed. Consumer staples, on the other hand, improved their email security score slightly from the previous year but are still at risk for phishing attacks due to their reliance on email communication.
Phishing and email-based attacks remain the leading causes of data breaches, with a single compromised email causing widespread financial losses and reputational damage. Organizations in the real estate and consumer staples sectors should implement robust email authentication protocols, access controls, and employee training programs to mitigate phishing risks.
Lessons from top-performing industries
Our research also identified top-performing industries, with organizations scoring into high positions that reflect wide-ranging cybersecurity implementation and configuration of proper edge security. Financial services and information technology businesses are leading the way, both of which landed at least three organizations in the top ten scoring companies.
Even if your organization is not in these industries, there are valuable lessons to learn from these top performers.
Financial services leaders
The risk of cyberattacks in the financial sector is always present. Organizations in every sector, from government agencies to educational institutions, utilize banks and other financial services to manage their business operations. With a risk level this high, these organizations must proactively secure their operations through a variety of cybersecurity strategies.
These measures include phishing protection, strong encryption practices, multi-factor authentication, and properly hardened apps and websites. In our report, the financial industry scored highest on patch management and data leakage security, reflecting a dedication to protecting their assets. High-scoring financial companies also prioritized attack surface and network security, indicating an awareness of additional attack vectors that could impact their organizations.
Recommended reading: 8 Ways Finance Companies Can Prevent Data Leaks
Information technology
Information technology companies handle both sensitive data and intellectual property, which, if breached, can lead to devastating consequences.
IT businesses can provide functionality and automation tools for organizations, making them critical targets for malicious actors seeking to dismantle companies through ransomware or malware. Continuous monitoring of attack surfaces and third-party vendors helps alleviate this risk. Our research identified attack surface management and network security as two of the highest-scoring areas, indicating a focus on vulnerable areas. Additionally, IT organizations prioritized patch management and data leakage security, showcasing an awareness of other high-risk areas hackers may target in future cyberattacks.
Recommended reading: Why is the Tech Sector a Target for Cyber Attacks?
How UpGuard helps industries strengthen their cybersecurity posture
UpGuard’s State of Cybersecurity 2025 | S&P 500 report reveals which industries are leading and which need improvement in their cybersecurity performance, providing valuable lessons for business leaders across all industries. Businesses must adopt proactive strategies to strengthen their cybersecurity posture and stay ahead of the growing cyber threat landscape, before a cyber attack disrupts their organization.
UpGuard Breach Risk and Vendor Risk provide complete visibility into your external attack surface and third-party vendor inventory, which are foundational measures for a strong cybersecurity posture. Additional features include:
- Security ratings: Data-driven, objective, and dynamic measurements of your organization's security posture
- Vendor risk assessments: Stop using lengthy, error-prone, spreadsheet-based manual risk assessments and reduce the time it takes to assess a new or existing vendor by more than half.
- Data leak detection: Protect your brand, intellectual property, and customer data by detecting data leaks in time to avoid costly data breaches.
- Security questionnaires: Automate security questionnaires to get deeper insights into your vendors’ security. Use our industry-leading questionnaire library or build your own questionnaires from scratch.
- Questionnaire AI: Complete questionnaires in minutes with your own security documentation and help polish answers in seconds.
- Reporting & dashboards: Equip your board and business with the real-time insights they need to stay ahead of cyber risks, both within your organization and across third parties.
Download the full report to see where your industry ranks, or explore how UpGuard’s cybersecurity solutions can help protect your business at https://www.upguard.com/contact-sales.