The Forbes Global 2000 faces a mounting cybersecurity crisis that extends beyond traditional firewalls and intrusion detection systems.
New research from CSC, a leading domain registrar and threat intelligence provider, exposes a critical vulnerability at the digital perimeter—one that threatens enterprises regardless of the sophistication of their internal security infrastructure.
Domain names, DNS systems, and digital certificates have become foundational targets for modern cyberattacks. Unlike internal assets that remain protected by firewalls and access controls, these external elements operate outside conventional security boundaries while simultaneously supporting email authentication, API access, website delivery, and partner connectivity.
Attackers exploit this architectural gap with precision, leveraging domains as operational hubs for phishing campaigns, business email compromise (BEC), malware distribution, and brand impersonation.
The CSC Domain Security Report 2026—the sixth iteration of this annual benchmark—analyzed the security posture of the Global 2000 enterprises by examining their adoption of critical domain security measures.
The findings reveal a troubling pattern: the vast majority of the world's largest companies have implemented fewer than half of the recommended domain security protections.
A Weak Perimeter by Design
Domains sit outside the firewall, yet organizations continue to treat them as secondary concerns in their security architecture.
This disconnect creates what experts describe as the most overlooked dependencies in enterprise cybersecurity—gaps that attackers deliberately target while security teams focus resources inward.
The attack surface has expanded rapidly. Threat actors no longer attempt to breach hardened internal networks when they can register lookalike domains, construct convincing phishing pages, and impersonate trusted brands with minimal effort.
With generative AI now capable of producing realistic domains, websites, and spear-phishing lures at scale, attackers can execute sophisticated campaigns faster than enterprises can detect and remediate them.
Domain hijacking remains one of the most effective attack vectors. Once an attacker gains control of a legitimate domain through registrar account compromise, social engineering, or DNS manipulation, the damage extends across multiple threat vectors simultaneously.
The same hijacked domain can serve as a platform for phishing emails, a delivery mechanism for malware, a credential harvesting portal, and a relay point for business email compromise attacks.
Email Authentication Shows Promise, But Fundamental Gaps Persist
Among all domain security measures, email authentication protocols have experienced the most consistent adoption.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) surged from 39 percent adoption in 2020 to 80 percent in 2025—a significant improvement driven by the volume and sophistication of phishing campaigns and regulatory pressure from the European Union's Network and Information Security 2 (NIS2) directive.
Yet this progress masks deeper vulnerabilities. Organizations have implemented email authentication selectively, leaving critical protections incomplete across their domain portfolios.
SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) adoption remains uneven, with many enterprises still leaving email domains partially protected. This selective approach allows attackers to execute spoofing attacks from unprotected domains while the organization appears compliant with baseline standards.
More advanced protections designed to prevent unauthorized domain changes or protect DNS integrity remain uncommon. Controls that should form the foundation of domain security governance—such as registry locks and DNSSEC implementation—see much slower uptake.
These gaps directly increase exposure to hijacking and traffic redirection, particularly when attackers compromise registrar accounts through phishing or credential theft.
The Infrastructure Blindspot: DNS Redundancy Declines
DNS redundancy represents a critical failure point that has worsened rather than improved. Organizations increasingly consolidate DNS services onto a single cloud provider in pursuit of cost efficiency and operational simplicity.
This consolidation creates a concentration risk that directly contradicts emerging best practices for availability and resilience.
Adoption of DNS redundancy declined year over year, with many Global 2000 companies relying exclusively on a single cloud infrastructure provider for DNS services. This single point of failure exposes organizations to outages from regional cloud incidents as well as targeted attacks that disrupt DNS availability.
Since DNS supports email delivery, authentication flows, application access, and API endpoints, a successful attack on or disruption of DNS infrastructure cascades across the entire operational environment.
The cost pressures driving this consolidation trend remain real, but the security trade-offs are not adequately understood by decision-makers.
Dual infrastructure for DNS remains uncommon, even though DNS availability directly impacts core business operations including email service, authentication systems, and customer-facing applications.
Registrar Selection Creates a Security Divide
The choice of domain registrar fundamentally shapes an enterprise's security posture.
Organizations using enterprise-focused registrars demonstrate substantially higher adoption of advanced protections, including registry locks that prevent unauthorized domain transfers and modifications.
Consumer-oriented registrars prioritize simplicity and cost-effectiveness, which often translates to the absence of sophisticated security features. Organizations that rely on these platforms lack access to protections designed to mitigate the impact of account compromise or social engineering attacks.
The disparity is dramatic: registry lock adoption among Global 2000 companies using enterprise-class registrars exceeds that of companies using consumer-grade registrars by more than six times.
This gap becomes increasingly consequential as domain portfolios grow. Enterprises managing hundreds or thousands of domains cannot defend each one effectively without the infrastructure and features that only enterprise registrars provide.
As organizations scale their operations and expand globally, the limitations of consumer-grade registrars become untenable security liabilities.
Brand Impersonation Reaches Critical Scale
Homoglyphs—characters that appear visually identical to legitimate ones but possess different Unicode values—have become the primary tool for large-scale brand impersonation.
The Latin letter "a" (U) differs from the Cyrillic "a" (U) only in their underlying code, yet attackers exploit this distinction to create lookalike domains that appear identical on screens, particularly on mobile devices.
The scale of this threat is staggering. A single domain with 19 characters can theoretically generate more than 1.16 billion homoglyph variations. Attackers do not need billions—they need only a handful that work reliably for phishing or credential theft.
These lookalike domains are not dormant. They point to active IP addresses, host phishing sites, steal credentials through spoofed login pages, and often evade domain blocklists and email authentication protections.
According to CSC's analysis, 88 percent of registered web domains that resemble Global 2000 brands are owned by third parties—an increase of 8 percent from the previous year. These homoglyph domains function as operational infrastructure for fraud.
Some remain inactive while maintaining email capabilities, allowing attackers to send phishing messages that appear associated with trusted brands. Others host cloned login pages designed to capture credentials that unlock downstream access to corporate systems. A smaller subset actively distributes malware or redirects traffic to credential-harvesting sites.
Financial services brands attract the largest concentration of this activity, reflecting their value as targets.
Technology companies and service providers face equally aggressive campaigns due to their broad user bases and established customer trust.
Industry Divergence Reveals Regulatory and Technological Gaps
Domain security maturity is not distributed evenly across industries. Technology-driven sectors and IT software companies lead in domain security rankings, followed by media, retail, and telecommunications firms.
Banking and semiconductor industries showed notable improvement over the past year, advancing their rankings by five positions each—a shift likely driven by AI development activities, FinTech innovation, and stricter cybersecurity mandates from regional governments.
Construction, utilities, and mining sectors remain among the lowest performers.
Many of these industries operate under critical infrastructure classifications, creating a policy paradox: enterprises designated as critical infrastructure providers often demonstrate the poorest domain security practices despite facing the most stringent regulatory requirements.
Regional trends also show disparity. Asia Pacific organizations are improving faster than other regions, though overall adoption still trails Europe and the Americas by a significant margin.
This variation reflects differences in regulatory frameworks, the maturity of local threat intelligence infrastructure, and the sophistication of regional security operations centers.
Unicorns Outpace Enterprises in Select Measures, But Expose Scaling Vulnerabilities
The CSC report compared the Global 2000 with the world's top 100 privately held unicorn companies (valuations exceeding $1 billion) to determine whether emerging firms demonstrate superior domain security awareness.
The findings present a paradox: unicorns exceed Global 2000 companies in five of eight measured security categories, yet their advantages concentrate narrowly on DNS record-based controls.
The majority of top unicorns are technology firms, with significant representation from artificial intelligence companies. Teams managing unicorn domains are typically IT professionals with solid technical knowledge of DNS protocols and security options.
This explains their superior performance in email authentication measures—SPF, DKIM, DMARC—which are low-cost, DNS-record-based controls that technical teams can deploy easily.
Yet critical gaps emerge in infrastructure-related protections. Fewer than 1 percent of unicorns employ DNS redundancy, and close to 90 percent rely on a single cloud infrastructure provider.
Registry lock adoption lags, and many unicorns continue using consumer-grade registrars. These limitations become more pronounced as operations scale, suggesting that the security advantages unicorns currently enjoy may not persist as they mature.
Most unicorns occupy a middle security range, investing in email protection while leaving other areas less developed. This uneven approach leaves them exposed to hijacking, DNS-level attacks, and availability disruptions as they grow.
The architectural choices made during scaling—particularly decisions around registrar selection and DNS infrastructure consolidation—may undermine the security posture they establish early.
The Regulatory Catalyst: NIS2 and Certificate Lifecycle Changes
The European Union's Network and Information Security 2 (NIS2) directive, which came into effect in October 2024, has accelerated domain security awareness across regulated sectors.
The directive explicitly addresses domain and DNS security as components of broader cybersecurity risk management, shifting domain security from operational concern to compliance mandate.
Beginning in 2026, the certificate lifecycle management landscape will shift dramatically. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) digital certificate lifespans are set to shorten significantly, a change that will ripple across domain management practices for enterprises managing thousands of certificates.
Organizations will need to implement more frequent renewal cycles, updated automation infrastructure, and enhanced monitoring to prevent certificate expiration—an outcome that creates new operational complexity and risks if not managed systematically.
Conclusion: Digital Perimeters Demand Strategic Priority
The CSC 2026 Domain Security Report establishes beyond doubt that digital perimeters represent a critical—and largely underprotected—layer of enterprise security.
The findings indicate that overlooking domain security, DNS integrity, and registrar selection creates systemic vulnerabilities that cascade across multiple attack vectors simultaneously.
The convergence of regulatory pressure, AI-enabled attack sophistication, and architectural weaknesses has created an environment where domain-based attacks operate with efficiency and scale.
Phishing, business email compromise, brand impersonation, and malware distribution campaigns increasingly depend on domains as operational hubs rather than simple lures.
Global 2000 enterprises cannot resolve these vulnerabilities through internal network controls alone. Strategic investment in enterprise-class registrars, DNS redundancy, registry locks, and comprehensive domain monitoring has moved from optional hardening to essential risk management.
Without these foundational protections, organizations will continue exposing themselves to threats that exploit the most overlooked—and most dangerous—edge of the digital perimeter.
