According to a Cybernews Business Digital Index (BDI) analysis, 69% of the top oil and gas companies worldwide received a cybersecurity score of D or F, indicating widespread weaknesses. Additionally, over 50% of these companies experienced at least one data breach in the past 30 days.
The Cybernews research team evaluated the cybersecurity posture of 391 of the world's 400 largest oil and gas companies by market cap. Using only publicly available information, the BDI relies on custom scans, Internet of Things search engines, and domain/IP reputation databases to identify digital vulnerabilities across these organizations.
According to the index, 35% of the 391 companies analyzed received an F, the lowest possible rating, and 34% scored a D, revealing serious shortcomings. Only 10% achieved an A grade for their cybersecurity posture.
The overall average security score across the companies was 72 out of 100. Based on the BDI methodology, this places them in the high-risk category for potential cyberattacks.
"Most companies scoring a D or F in cybersecurity indicate that industries are exposed to possible risks," said Vincentas Baubonis, head of security research at Cybernews. "These ratings point to widespread vulnerabilities that open critical infrastructure to breaches and ransomware. A single incident could lead to operational shutdowns, plummeting stock value, and a collapse in investor trust. Only 10% have adopted strong digital defenses, making it clear the sector is lagging."
The analyzed oil and gas companies share systemic vulnerabilities spanning several cybersecurity areas. A significant proportion of companies exhibit unresolved software patching issues, meaning they have not applied important security updates: 32% are vulnerable to general patching gaps and 20% are exposed to critical unpatched flaws that could allow attackers to exploit known weaknesses and gain access to their systems.
Email security remains a critical weakness, affecting 48% of organizations. This includes missing protections against phishing, spoofing, and unauthorized access, allowing attackers to trick employees, steal credentials, or spread malware.
Additionally, vulnerabilities in system hosting, found in 74% of companies, point to insecure configurations in the servers or cloud environments that support core business functions. Issues with Secure Sockets Layer/Transport Layer Security (SSL/TLS) configuration were identified in 91% of organizations, indicating widespread failures to properly encrypt data in transit, a flaw that can expose sensitive information to interception or tampering.
The data also reveals that corporate credentials have been stolen from over 80% of companies, and 38% of domains are vulnerable to email spoofing. These gaps in security posture indicate that fundamental cybersecurity controls and protocols are either inconsistently implemented or insufficiently maintained across the sector.