What Our Free Security Scans Have Revealed: Anonymised Insights from Australian Businesses

14 February 2026 | 12 min read | By Affinity MSP

The State of Australian Business Security in 2026

Since launching our free cybersecurity assessment platform, thousands of Australian businesses have used it to understand their external attack surface. We have aggregated and fully anonymised this data to share the trends, patterns, and common security gaps we are seeing across the board.

Important note: All data referenced in this article is fully anonymised. No individual business, domain, or IP address is identifiable. Our goal is to help the broader Australian business community understand common risks so they can take action.

---

Key Findings at a Glance

Here is a snapshot of what our scanning engine has uncovered across the assessments completed to date:

  • 73% of businesses had at least one high or critical severity vulnerability on their external infrastructure
  • 61% of scanned domains had email security misconfigurations (missing or misconfigured SPF, DKIM, or DMARC records)
  • 42% of organisations had at least one email address appear in a known data breach
  • 38% of businesses were running outdated software versions on public-facing servers
  • 29% of scanned domains had SSL certificate issues including expired certificates, weak cipher suites, or missing certificates on subdomains
  • 18% of organisations had remote desktop (RDP) or SSH services directly exposed to the internet without adequate protection

These numbers are not outliers. They represent a cross-section of small and medium businesses across industries including professional services, manufacturing, healthcare, retail, and construction.

---

The Most Common Vulnerabilities We Found

1. Email Security Gaps

Email remains the number one attack vector for Australian businesses, and our data confirms why. The majority of domains we scanned had at least one of the following issues:

  • No DMARC policy or policy set to "none" -- This means attackers can send emails that appear to come from the business domain without any rejection or quarantine action.
  • Missing or incorrect SPF records -- Without a properly configured Sender Policy Framework, email spoofing becomes trivial.
  • No DKIM signing -- DomainKeys Identified Mail attaches a signature that receivers verify against a public key published in the domain's DNS. Without it, there is no cryptographic proof that a message was sent by the domain's authorised mail servers or that its signed headers and body were not altered in transit.

The practical consequence: your clients, suppliers, and employees could receive fraudulent emails that look like they came from your domain, and their email servers would have no way to flag them as suspicious.
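The three checks above can be expressed as a small evaluator over a domain's TXT records. The following is an added example and not Affinity MSP's scanning engine; it reads from a constructed in-memory zone (the *.example names and the DKIM key string are fictional placeholders) so it runs offline, and the selector list it probes for DKIM is an assumption.

```python
"""Evaluate a domain's SPF, DKIM and DMARC posture from its DNS TXT records.

Added example; this is not Affinity MSP's scanning engine. To run offline it
reads from a constructed in-memory zone (the *.example names are fictional).
Replace `lookup_txt` with a real resolver call (e.g. dnspython's
dns.resolver.resolve(name, "TXT")) to assess a live domain.
"""

# Constructed sample zone: owner name -> list of TXT strings. All values are made up;
# the DKIM "p=" value is a truncated placeholder, not a real public key.
SAMPLE_ZONE = {
    "good.example": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    "sel1._domainkey.good.example": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqPLACEHOLDER"],
    "weak.example": ["v=spf1 include:_spf.example.net +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    # bare.example publishes nothing at all
}

# Assumed selector list for the example; real domains use whatever their mail provider issued.
COMMON_DKIM_SELECTORS = ("default", "sel1", "selector1", "selector2", "google", "k1")


def lookup_txt(zone, name):
    """Stand-in for a DNS TXT query against the constructed zone."""
    return zone.get(name, [])


def check_spf(domain, zone):
    records = [r for r in lookup_txt(zone, domain) if r.lower().startswith("v=spf1")]
    if not records:
        return ("missing", "no v=spf1 TXT record; receivers cannot tell which servers may send for this domain")
    if len(records) > 1:
        return ("invalid", "more than one v=spf1 record; RFC 7208 treats this as a permanent error")
    terms = records[0].split()[1:]
    # The qualifier on the final 'all' term decides the fate of every sender not listed.
    all_terms = [t for t in terms if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        return ("weak", "no 'all' mechanism, so unlisted senders get a neutral result")
    last = all_terms[-1]
    qualifier = last[0] if last[0] in "+-~?" else "+"  # bare 'all' means '+all'
    if qualifier in "+?":
        return ("weak", f"'{last}' lets any host on the internet pass SPF")
    return ("ok", f"ends with '{last}'")


def check_dkim(domain, zone, selectors=COMMON_DKIM_SELECTORS):
    found = [s for s in selectors
             if any(r.lower().startswith("v=dkim1")
                    for r in lookup_txt(zone, f"{s}._domainkey.{domain}"))]
    if not found:
        return ("missing", "no DKIM key under the probed selectors (the domain may use an unknown selector)")
    return ("ok", f"DKIM key published for selector(s): {', '.join(found)}")


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(domain, zone):
    records = [r for r in lookup_txt(zone, f"_dmarc.{domain}") if r.lower().startswith("v=dmarc1")]
    if not records:
        return ("missing", "no _dmarc TXT record; spoofed mail is neither quarantined nor rejected")
    tags = parse_dmarc(records[0])
    policy = tags.get("p", "").lower()
    if policy == "none":
        return ("none", "p=none only monitors; move to quarantine or reject once reports look clean")
    if policy not in ("quarantine", "reject"):
        return ("invalid", f"unrecognised or missing p= tag ({policy!r})")
    if "rua" not in tags:
        return ("ok", f"p={policy} but no rua= address, so you receive no aggregate reports")
    return ("ok", f"p={policy} with aggregate reporting to {tags['rua']}")


def assess_domain(domain, zone=SAMPLE_ZONE):
    """Return {check: (status, detail)} for SPF, DKIM and DMARC."""
    return {
        "SPF": check_spf(domain, zone),
        "DKIM": check_dkim(domain, zone),
        "DMARC": check_dmarc(domain, zone),
    }


if __name__ == "__main__":
    for d in ("good.example", "weak.example", "bare.example"):
        print(d)
        for check, (status, detail) in assess_domain(d).items():
            print(f"  {check:5} {status:8} {detail}")
```

Running it reports `good.example` as clean, `weak.example` as SPF `+all` plus `p=none` with no DKIM key found, and `bare.example` as missing all three. The DKIM check is the weakest of the three because DNS does not enumerate selectors; a scanner that only knows common selector names can produce a false "missing" for a domain using a custom one, so that result should be worded as "not found" rather than "absent".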

2. Known Vulnerabilities on Public-Facing Services

A significant number of businesses had servers running software with known, published CVEs (Common Vulnerabilities and Exposures). The most frequently seen categories included:

  • Web server vulnerabilities (Apache, Nginx, IIS with outdated versions)
  • OpenSSH vulnerabilities on Linux servers that had not been patched
  • Content management system flaws particularly in WordPress installations (more on this in our dedicated WordPress article)
  • TLS/SSL implementation weaknesses allowing potential downgrade attacks

Many of these vulnerabilities have public exploit code available, meaning an attacker does not need to be sophisticated to take advantage of them.

3. Exposed Remote Access Services

Nearly one in five businesses had remote access services like RDP (port 3389) or SSH (port 22) directly accessible from the internet. In the current threat landscape, this is one of the highest-risk configurations possible. Ransomware operators actively scan for and target these services using:

  • Brute force credential attacks
  • Known vulnerability exploits
  • Credential stuffing from data breaches

If your organisation must use remote access, it should always be behind a VPN or zero-trust access solution.

4. Data Breach Exposure

Our breach checking capability scans common email address patterns against known breach databases. The results were concerning:

  • 42% of domains had at least one email address that appeared in a historical data breach
  • The average number of breach appearances per affected domain was 3.7 breaches
  • The most common breach sources were large-scale platform compromises from 2019-2024

This does not necessarily mean those specific passwords are still in use, but it does indicate that credential reuse could be a significant risk factor.
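The credential-reuse risk described above is usually tackled at password-reset time by checking the new password against a breach corpus. The following is an added example and not Affinity MSP's breach checker: it implements the k-anonymity range model popularised by Have I Been Pwned's Pwned Passwords API, where only the first five hex characters of the SHA-1 hash leave the machine. The range response is constructed inline (the counts are fictional) so the code runs offline; a live client would fetch the same body from `https://api.pwnedpasswords.com/range/<prefix>`.

```python
"""Check whether a password appears in a breach corpus without disclosing it.

Added example, not Affinity MSP's breach checker. Follows the k-anonymity
range model used by Have I Been Pwned's Pwned Passwords API: the client sends
only the first five hex characters of the SHA-1 hash and matches the remaining
35 locally. The range body below is constructed (fictional counts) so the
example runs offline; a live client would GET
https://api.pwnedpasswords.com/range/<prefix> and feed the body to the same parser.
"""
import hashlib

# Constructed range response for prefix 5BAA6 (the prefix of SHA-1("password")).
# Format mirrors the API: <35-hex-char suffix>:<count>, one per line. Counts are made up.
SAMPLE_RANGES = {
    "5BAA6": "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "6DC35A3B3B6E4B5F4C6DB8B1FAB18BBE0F5:12",
    ]),
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password (the API is keyed on SHA-1)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(body: str) -> dict:
    """Map each hash suffix in a range response to its breach count."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fake_fetch_range(prefix: str) -> str:
    """Stand-in for the HTTP call; returns the constructed body or an empty range."""
    return SAMPLE_RANGES.get(prefix.upper(), "")


def breach_count(password: str, fetch_range=fake_fetch_range) -> int:
    """Number of times the password's hash appears in the corpus (0 = not seen)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    # Only `prefix` is sent; the full hash (and the password) never leave the host.
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def password_acceptable(password: str, fetch_range=fake_fetch_range) -> bool:
    """Policy hook for a reset flow: reject any password seen in a breach at all."""
    return breach_count(password, fetch_range) == 0


if __name__ == "__main__":
    for candidate in ("password", "hello"):
        print(f"{candidate!r}: seen {breach_count(candidate)} time(s); "
              f"acceptable={password_acceptable(candidate)}")
```

The same prefix-only lookup works for an internal corpus of credentials exposed in your own incidents: keep the full hashes server-side, answer range queries, and the clients that enforce the reset policy never learn which hashes are in the list beyond the one they are checking.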

5. Subdomain Sprawl

Many organisations were unaware of how many subdomains they had publicly resolvable and what services were running on them. Our scanning engine discovered:

  • An average of 8.4 subdomains per organisation with at least one open port
  • Forgotten staging and development environments still accessible from the internet
  • Legacy services running on subdomains that were no longer maintained but still publicly reachable

This "shadow infrastructure" represents a significant blind spot for many IT teams.
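Sections 3 and 5 describe the same underlying check from two angles: which hosts answer on the internet, and which of the services they expose should not be there. The following added example (not Affinity MSP's scanner) parses constructed port-scan inventory in the style of nmap's grepable output and applies simple exposure rules. Hostnames are fictional, IPs come from the RFC 5737 documentation range, and the port-to-risk mapping and non-production name fragments are assumptions for the example.

```python
"""Flag risky exposures in an external port-scan inventory.

Added example; not Affinity MSP's scanner. The input is constructed sample
text in the style of nmap's grepable (-oG) output, one host per line:
Host: <ip> (<name>)\tPorts: <port>/<state>/<proto>/<owner>/<service>/<rpc>/<version>, ...
Hostnames are fictional and IPs are from the RFC 5737 documentation range.
The risk rules below are assumptions for the example.
"""
import re

SAMPLE_SCAN = "\n".join([
    "Host: 203.0.113.10 (www.example.com)\tPorts: 80/open/tcp//http//nginx 1.24//, 443/open/tcp//https//nginx 1.24//",
    "Host: 203.0.113.11 (staging.example.com)\tPorts: 22/open/tcp//ssh//OpenSSH 7.4//, 8080/open/tcp//http-proxy///",
    "Host: 203.0.113.12 (old-crm.example.com)\tPorts: 3389/open/tcp//ms-wbt-server///, 1433/open/tcp//ms-sql-s///\tIgnored State: closed (998)",
    "Host: 203.0.113.13 (mail.example.com)\tPorts: 25/open/tcp//smtp//Postfix//, 587/open/tcp//submission///",
    "Host: 203.0.113.14 (dev.example.com)\tPorts: 22/filtered/tcp//ssh///",
])

# Services that should sit behind a VPN / zero-trust gateway, never on a public interface.
REMOTE_ACCESS = {22: "SSH", 23: "Telnet", 3389: "RDP", 5900: "VNC"}
DATABASES = {1433: "MSSQL", 3306: "MySQL", 5432: "PostgreSQL", 6379: "Redis", 27017: "MongoDB"}
# Hostname labels that usually mean "nobody is maintaining this".
NON_PROD_HINTS = ("staging", "dev", "test", "uat", "old", "legacy", "bak")

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\tPorts: ([^\t]*)")


def parse_grepable(text):
    """Return [{'ip', 'name', 'open': [(port, service), ...]}] for each host line."""
    hosts = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment/summary lines are not inventory
        ip, name, ports = m.groups()
        open_ports = []
        for entry in ports.split(", "):
            f = entry.split("/")
            if len(f) >= 5 and f[1] == "open":
                open_ports.append((int(f[0]), f[4]))
        hosts.append({"ip": ip, "name": name, "open": open_ports})
    return hosts


def classify(host):
    """Apply the exposure rules to one host; returns [(severity, message)]."""
    label = host["name"] or host["ip"]
    findings = []
    for port, service in host["open"]:
        if port in REMOTE_ACCESS:
            findings.append(("high", f"{label}: {REMOTE_ACCESS[port]} ({port}/tcp, {service}) "
                                     "reachable from the internet; move it behind a VPN or ZTNA"))
        elif port in DATABASES:
            findings.append(("high", f"{label}: {DATABASES[port]} ({port}/tcp) exposed; "
                                     "databases should never listen on a public interface"))
    labels = re.split(r"[.-]", host["name"].lower())
    if host["open"] and any(h in labels for h in NON_PROD_HINTS):
        findings.append(("medium", f"{label}: name suggests a non-production system with "
                                   f"{len(host['open'])} open port(s); confirm it is still needed"))
    return findings


def report(text):
    """Summarise a scan: host counts plus findings, highest severity first."""
    hosts = parse_grepable(text)
    findings = [f for h in hosts for f in classify(h)]
    return {
        "hosts": len(hosts),
        "hosts_with_open_ports": sum(1 for h in hosts if h["open"]),
        "findings": sorted(findings, key=lambda f: f[0] != "high"),
    }


if __name__ == "__main__":
    r = report(SAMPLE_SCAN)
    print(f"{r['hosts_with_open_ports']}/{r['hosts']} hosts have at least one open port")
    for sev, msg in r["findings"]:
        print(f"[{sev.upper():6}] {msg}")
```

On the sample inventory the report flags SSH on the staging host, RDP and MSSQL on the forgotten CRM box, and marks both as non-production names worth decommissioning, while the filtered port on `dev.example.com` correctly produces nothing. In practice the subdomain list that feeds such a scan comes from certificate transparency logs, DNS zone exports and passive DNS, and the hosts that appear there but not in your asset register are the "shadow infrastructure" the article describes.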

---

Industry Breakdown

While we will not identify specific businesses, the data does show some sector-level patterns:

Professional Services (Legal, Accounting, Consulting)

  • Higher than average email breach exposure, likely due to the volume of email communication
  • Generally better SSL/TLS configuration
  • Lower incidence of exposed remote services

Manufacturing and Construction

  • Higher rates of exposed RDP services, often on operational technology networks
  • More outdated software versions on public-facing servers
  • Lower adoption of DMARC email policies

Healthcare

  • Mixed results: some organisations had excellent security posture, others had significant gaps
  • Higher concern around breach data given the sensitivity of health information
  • More complex subdomain environments with patient portals and booking systems

Retail and Hospitality

  • WordPress and e-commerce platform vulnerabilities were the most common finding
  • SSL certificate management issues were more frequent
  • Payment-adjacent systems sometimes had unnecessary ports exposed

---

What Should You Do With This Information?

If you have not yet run a scan on your own domain, start your free assessment now -- it takes 60 seconds and gives you a personalised report.

If you have already scanned and found issues, here are the priority actions:

  1. Fix email security first. Implementing SPF, DKIM, and DMARC is free and dramatically reduces your phishing risk. Our scan report shows you exactly what is missing.
  2. Patch public-facing services. Any server accessible from the internet should be running the latest security patches. If you cannot patch immediately, consider restricting access via firewall rules.
  3. Close unnecessary ports. If RDP or SSH is exposed to the internet, either close it or put it behind a VPN immediately.
  4. Address breach exposure. Force password resets for any email addresses that appeared in breach databases, and enforce multi-factor authentication across all business systems.
  5. Audit your subdomains. Review every subdomain discovered in your scan. Decommission anything that is no longer needed.

---

How Affinity MSP Can Help

Our free scan gives you visibility. Our managed security services give you the expertise to act on it. We help Australian businesses:

  • Remediate the specific vulnerabilities identified in their assessment
  • Implement ongoing monitoring so new issues are caught immediately
  • Build a security posture that meets compliance requirements including the Essential Eight
  • Provide 24/7 security operations without the cost of an in-house team

Book a free 30-minute consultation to discuss your scan results with one of our security experts.

---

This analysis is based on anonymised, aggregated data from security assessments conducted through the Affinity MSP Security Portal. No individual business data is disclosed. Statistics are rounded and presented as approximate ranges to prevent any possibility of identification.
