
Data leaks

by Mark Rowe

FTSE 350 companies are leaking data that can be used by cyber attackers to gain control of their intellectual property, perpetrate fraud and inflict reputational damage, according to an audit firm.

In a report put together by KPMG’s Cyber Response team, the auditors simulated the initial steps a would-be cyber attacker might take to get inside FTSE 350 companies. All the research was done using public domain data without breaching any security, the auditors point out.

The audit firm found that every company on the list was leaking data by leaving employee usernames, email addresses and sensitive internal file location information online, information that could potentially be used by hackers. On average, the firm found 41 usernames, 44 email addresses and five sensitive internal file locations available for each company.
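One defensive check implied by these findings is to scan documents and web content before publication for the three kinds of leak KPMG counted: staff email addresses, usernames (including those recorded in document metadata fields) and internal file locations. This is an added example, not KPMG's methodology or tooling; the sample document text, the domain example.co.uk and the metadata field names are constructed.

```python
import re
from dataclasses import dataclass, field

# Email addresses; only those on the company's own domain are counted as a leak
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Windows UNC shares, drive-letter paths and common Unix share locations
INTERNAL_PATH_RE = re.compile(
    r"(?:\\\\[\w.-]+\\[^\s\"']+|[A-Za-z]:\\[^\s\"']+|/(?:home|srv|mnt)/[^\s\"']+)"
)
# Metadata fields where office tools commonly record the author's login name
AUTHOR_FIELD_RE = re.compile(r"(?im)^(?:author|creator|last[ -]?modified[ -]?by)\s*[:=]\s*(\S+)")


@dataclass
class Findings:
    emails: set = field(default_factory=set)
    paths: set = field(default_factory=set)
    usernames: set = field(default_factory=set)

    def total(self) -> int:
        return len(self.emails) + len(self.paths) + len(self.usernames)


def scan_document_text(text: str, own_domain: str) -> Findings:
    """Return the staff emails, internal paths and usernames visible in text."""
    d = own_domain.lower()
    emails = {e for e in EMAIL_RE.findall(text)
              if e.lower().endswith("@" + d) or e.lower().endswith("." + d)}
    paths = set(INTERNAL_PATH_RE.findall(text))
    users = set(AUTHOR_FIELD_RE.findall(text))
    # The local part of a staff address usually doubles as a login name
    users |= {e.split("@")[0] for e in emails}
    return Findings(emails, paths, users)


def safe_to_publish(text: str, own_domain: str) -> bool:
    """True when nothing in the text would add to an attacker's target list."""
    return scan_document_text(text, own_domain).total() == 0


# Constructed sample: extracted text plus metadata of a draft document
SAMPLE = """Title: Q3 supplier pricing
Author: jsmith
Last-Modified-By: CORP\\asingh
Template: \\\\fileserver01\\finance\\templates\\pricing.dotx
Contact procurement@example.co.uk or j.smith@example.co.uk.
External partner: sales@partner.example.org
"""

if __name__ == "__main__":
    f = scan_document_text(SAMPLE, "example.co.uk")
    print(f"emails={sorted(f.emails)} paths={sorted(f.paths)} users={sorted(f.usernames)}")
```

Run this over the text layer and metadata of anything destined for the public web site; a non-zero total means the file should be scrubbed or its metadata stripped before release.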

Companies in the aerospace and defence sector recorded the highest number of leaked internal email addresses, a fundamental ingredient of phishing emails, which are a common entry route into a company’s network.

Martin Jordan, head of cyber response at KPMG, says: “What our research has shown is that companies do not have full control of their web presence at a time when cyber security has been turned upside down. Hacking is no longer about a few hacktivists. Now, hacking has become automated on an industrial scale – often with state-sponsored agencies behind it – and attackers are aiming for an increased competitive edge by stealing company secrets and IP, or purely seeking financial gain through fraud.”

While it is difficult to stop these groups, companies can at the very least deny them ‘open all areas’ access to secrets they may unwittingly have laid bare, the audit firm says.

Martin Jordan adds: “Our findings send out a clear message to business – while the internet may be a shop window to the world – it can also be a substantial security risk. FTSE 350 companies should accept that cyber threats are real. Protecting their networks is not just about self-interest; it is about safeguarding the economy and, in the case of critical national infrastructures, it is also about the safety of the population.”

KPMG found that a good half (53 per cent) of the FTSE 350 did not have up-to-date security patches or were using old server software, making them potentially vulnerable to attack. Companies in the support services sector and, ironically, the software and computer services sector were found to have the most vulnerabilities of any sector.

Comment

Ross Parsell, Director of Cyber Security at Thales UK, sits on a number of governing bodies that decide the UK National Cyber Security Strategy. He says: “As today’s KPMG report highlights, there is currently a high level of naivety in the market regarding cyber security, resulting in many organisations unintentionally putting themselves at risk. Companies need to acknowledge that cyber security is a business issue, not just an IT issue and, if businesses haven’t realised this, their organisation is already on the back foot. The consequences of cyber attacks are now so severe that cyber defence must become a board room discussion where companies explore what measures need to be put into place to ensure they are acting proactively – not reactively.

As well as unsecured networks, an employee could pose an internal threat through malicious intent or unintentional ignorance. To combat insider threats, firms need to invest in employee security training and awareness programmes to avoid accidental breaches. Educating staff both on a company’s own security policies and procedures, as well as industry best practice and regulatory standards, will greatly reduce the risk of an incident resulting from poor education or a lack of it.

There are a number of IT-administered employee controls which organisations can consider, including network monitoring technology which alerts the necessary parties when rogue devices connect to the network to infect a corporate IT system. This could help prevent the problems that KPMG has revealed in its report.”

And Quinton Watts, VP Marketing & Sales for ESET UK, said: “It’s worrying to see organisations central to UK economic growth and prosperity falling short in terms of cyber security. Businesses up and down the country should take a moment to reflect on these findings and consider their own security culture and practices. If businesses with millions of pounds of resources available at their disposal, who should be at the forefront of cyber security, are leaving sensitive information online, it’s almost certain large swathes of the mid-market and small business economy are as well. It’s interesting to see phishing email rank particularly highly amongst methods used by attackers. Organisations should ensure they are aware of the availability of sensitive data to the public and have sufficient processes internally for handling suspect emails and enquiries. It is critical they also educate their workforce as to the risks attached to placing critical and sensitive information in the public domain.”


© 2024 Professional Security Magazine. All rights reserved.
