Why industry benchmarks matter for website security

Security is not a binary. It is a spectrum — and where you sit relative to your industry peers determines your real-world risk. Attackers are rational actors. They use automated tools that scan millions of websites simultaneously looking for the easiest entry points. If your competitor has a publicly exposed .env file and yours does not, the attacker will target your competitor first.

"The question every business owner should be asking is not 'Are we secure?' — it is 'Are we more secure than the next company on the attacker's list?' Cyber criminals are rational. They attack the easiest targets first."

— Deloitte UK, Cyber Resilience Report, 2025

E-commerce

Based on 680 audits · 2025–2026

Average score: 61 out of 100
Most common critical findings
  • Expired or misconfigured SSL certificates (present in 31% of e-commerce audits)
  • Google Analytics firing before cookie consent (41% — a direct GDPR violation)
  • Missing DMARC records (63% — leaving brands open to spoofing campaigns targeting customers)

Professional Services (law, accountancy, consulting)

Based on 420 audits · 2025–2026

Average score: 54 out of 100
Most common critical findings
  • Exposed files: 22% had publicly accessible configuration files — highest rate of any sector
  • Email spoofing vulnerability (no DMARC): 71% — critical for firms where impersonation fraud targets clients
  • Outdated CMS: 38% running WordPress or similar with at least one known CVE

Hospitality & Restaurants

Based on 310 audits · 2025–2026

Average score: 48 out of 100
Most common critical findings
  • SSL certificate issues: expired or misconfigured in 44% of hospitality audits
  • WordPress core out of date: 52%
  • Missing all five key security headers: 67%

Healthcare & Wellness

Based on 280 audits · 2025–2026

Average score: 58 out of 100
Most common critical findings
  • GDPR compliance gaps: 74% had at least one significant GDPR issue — highest rate of any sector
  • Contact form data transmitted without adequate protection: 29%
  • Booking systems with weak authentication: 33%

Technology & SaaS

Based on 390 audits · 2025–2026

Average score: 71 out of 100
Most common findings
  • API keys exposed in JavaScript source: 18% — a finding unique to tech companies with complex front-end integrations
  • Development subdomains publicly accessible: 24%
  • Overly permissive CORS configuration: 19%

The cross-sector findings that affect everyone

Consistent across all sectors we audit

  • 67% are missing DMARC enforcement
  • 78% are missing a Content-Security-Policy header
  • 94% have at least one critical finding
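The two gaps at the top of that list can be checked mechanically. The following is an added example, not ProtectPatch's scoring code: it classifies a DMARC TXT record by whether it actually enforces a policy (p=none only requests reports) and lists which baseline response headers a site lacks. The page names neither the "five key security headers" nor its scoring thresholds, so the header list and the enforcement rules here are this example's own assumptions.

```python
from typing import Dict, List, Optional

# The page does not name the "five key security headers"; this baseline set is
# the example's own assumption.
EXPECTED_HEADERS = [
    "Content-Security-Policy",
    "Strict-Transport-Security",
    "X-Content-Type-Options",
    "X-Frame-Options",
    "Referrer-Policy",
]

def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split a DMARC TXT record ("v=DMARC1; p=none; rua=...") into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_enforcement(txt: Optional[str]) -> str:
    """Classify a DMARC record as missing, monitor-only, partial or enforced.
    Only p=quarantine/p=reject on all mail (pct defaults to 100, RFC 7489) is
    enforced; p=none just requests reports, the "missing enforcement" gap above.
    """
    if not txt:
        return "missing"
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return "missing"  # no valid version tag: receivers ignore the record
    policy = tags.get("p", "none").lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if policy in ("quarantine", "reject"):
        return "enforced" if pct >= 100 else "partial"
    return "monitor-only"

def missing_headers(headers: Dict[str, str]) -> List[str]:
    """Return expected headers absent from a response; HTTP names are case-insensitive."""
    present = {name.lower() for name in headers}
    return [h for h in EXPECTED_HEADERS if h.lower() not in present]

# Constructed sample inputs (not real domains or captured responses).
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@firm.example"
SAMPLE_HEADERS = {"content-type": "text/html", "X-Frame-Options": "DENY"}
```

In practice the record comes from a DNS TXT lookup of `_dmarc.<domain>` and the headers from a real HTTPS response; both are passed in here so the logic runs offline.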

What a good score looks like — and how to get there

In ProtectPatch's scoring model, a score of 70+ represents a solid baseline security posture. The gap between the average hospitality site (48/100) and a 70+ score is not a six-month project. For most sites, it is:

Total: less than two working days of developer time to move from average to well-above-average security posture.

Key takeaways

  • UK e-commerce sites average 61/100; hospitality averages 48/100; tech leads at 71/100
  • Professional services have the highest rate of exposed configuration files (22%)
  • Healthcare sites have the highest rate of GDPR violations (74%)
  • 67% of UK business domains across all sectors lack effective DMARC enforcement
  • The gap between average and well-secured takes less than two days of developer time