Upguard finds one in ten ASX 200 companies infected by dark web infostealers

HOBART, Australia, May 20, 2026 /PRNewswire/ -- UpGuard, a leader in cybersecurity and risk management, released its annual ASX 200 Cybersecurity Report, which measures the cyber risk exposure of Australia's largest listed companies. Based on daily scanning of billions of data points, UpGuard benchmarked external security posture on a 0–950 scale, finding the average score for the ASX 200 was 728.5 in 2025, equating to a B rating, and showing a 1.58 percent improvement from 2024. However, the report also found that 10 percent of the ASX 200 had active, verified infostealer infections. In addition, the research identified a trend where security scores typically remain stagnant until a major global security issue, such as the CrowdStrike outage, triggers a brief spike in remediation activity. However, these reactive security improvements often subside within months as organizational priorities shift.

Key Findings from the 2025 Report:

• Identity is the primary attack vector: 1 in 10 ASX 200 companies had high confidence that credentials were circulating in infostealer logs, with 71 percent of these infections concentrated in the largest organizations.
• Supply chain cascade risk: The majority of ASX 200 rely on the same core SaaS platforms, creating a cascade effect where a single vendor vulnerability can exploit hundreds of companies.
• Encryption is the weakest link for the second year running: Encryption is the lowest-scoring technical category, leaving data privacy at significant risk.
• Sector leaders and laggards: Information Technology (776) and Utilities (769) lead the index, while the Materials sector (673) continues to rank lowest in overall security posture.
• Attack surface volatility: In every security category, nearly a third of companies ended up in a worse position than in 2024.

"Even as companies in the ASX 200 continue their efforts to improve security, our research shows that the rise of sophisticated identity threats like infostealers, and new mandates under Australia's Cyber Security Act 2024 mean that periodic security checks are no longer enough," said Greg Pollock, director of Research and Insights at UpGuard. "Maintaining robust cybersecurity standards requires a shift to continuous, comprehensive cyber risk posture management that reflects a true end-to-end security posture. Success will be determined by three factors: awareness of change, time to remediation, and security fundamentals."

Real security posture requires total visibility across an organization's attack surface, vendors, and threat exposure. To address the challenges in the current threat landscape, ASX 200 organizations need to have a unified system that addresses those three key risk dimensions. Recommendations include:

• Implement continuous external scanning to know what is visible on the public Internet.
• Transition to real-time vendor risk monitoring.
• Deploy dedicated dark web monitoring and credential exposure detection.

Methodology:
UpGuard's analysis is derived from UpGuard's Cyber Risk Posture Management (CRPM) Platform, which provides security ratings based on a quantitative assessment of external cybersecurity posture. This is done using a proprietary, subtractive scoring algorithm that benchmarks performance on a 0–950 scale, with assets starting at a perfect score and deductions applied based on the weighted severity of identified risks and vulnerabilities.

To download the full report, visit here.

UpGuard Summit:
To learn more industry insights and explore the future of cyber risk, UpGuard is holding its quarterly APAC Summit May 21 at 1:00 PM AEST. To register for this online event, visit: https://www.upguard.com/summit

To learn more, visit www.upguard.com.