Economic growth and national security put at risk
as FTSE 350 fail to raise cyber defences, says
24 July 2013 – FTSE 350 companies that are vital to Britain’s economic growth, and crucial to national security, are leaking data that can be used by cyber attackers to gain control of their intellectual property, perpetrate fraud and inflict reputational damage, according to analysis by KPMG.
In an innovative report put together by KPMG’s Cyber Response team, the initial steps a would-be cyber attacker might undertake were simulated to get inside FTSE 350 companies. All the research was conducted using public domain data without breaching security.
KPMG found that every single company on the list was leaking data by leaving employee usernames, email addresses and sensitive internal file location information online, and therefore potentially could be used by hackers. In fact the firm found that, on average, 41 usernames, 44 email addresses and five sensitive internal file locations were available for each company.
Companies in the aerospace & defence sector recorded the highest number of leaked internal email addresses – a fundamental component to sending phishing emails, a common entry route to gain unrestricted access to a company’s network.
Martin Jordan, head of cyber response at KPMG, comments: “What our research has shown is that companies do not have full control of their web presence at a time when cyber security has been turned upside down. Hacking is no longer about a few hacktivists. Now, hacking has become automated on an industrial scale – often with state sponsored agencies behind it – and attackers are aiming for an increased competitive edge by stealing company secrets and IP, or purely seeking financial gain through fraud.”
While it’s difficult to stop these groups, companies can, at the very least, deny them ‘open all areas’ access to their secrets which unwittingly, they may have laid bare.
Martin Jordan adds: “Our findings send out a clear message to business – while the internet may be a shop window to the world – it can also be a substantial security risk. FTSE350 companies should accept that cyber threats are real. Protecting their networks is not just about self-interest; is about safeguarding the economy and, in the case of critical national infrastructures, it is also about the safety of the population.”
But as part of the research, KPMG found that 53% of the FTSE 350 did not have up to date security patches or were using old server software, making them potentially vulnerable to attack. Companies in the support services sector and, ironically, also the software & computer services sector, were found to be at the top of the list in terms of sectors with the most vulnerabilities.
KPMG LLP, a UK limited liability partnership, is a subsidiary of KPMG Europe LLP and operates from 22 offices across the UK with over 11,000 partners and staff. The UK firm recorded a turnover of £1.7 billion in the year ended September 2011. KPMG is a global network of professional firms providing Audit, Tax, and Advisory services. We operate in 152 countries and have 145,000 professionals working in member firms around the world. The independent member firms of the KPMG network are affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. KPMG International provides no client services.