KPMG: Every FTSE 350 Firm is a UK National Security Threat

The KPMG report showed that 53% of the FTSE 350 firms did not have up-to-date security or relied on old server software

"What our research has shown is that companies do not have full control of their web presence at a time when cyber security has been turned upside down," said Martin Jordan, head of cyber response at KPMG, in the introduction to the report. "Hacking is no longer about a few hacktivists. Now, hacking has become automated on an industrial scale – often with state sponsored agencies behind it – and attackers are aiming for an increased competitive edge by stealing company secrets."

Worryingly, the aerospace and defense sectors appear to leave themselves the most open to attack. Yet every top firm the accountancy group investigated was found to leave a trail of sensitive material online. Most often that consisted of email addresses and user names (KPMG found that each firm leaked an average of 41 usernames and 44 email addresses). Those, in turn, can be used in the spear phishing attacks that most often kick off advanced persistent threats and espionage activities.

“Unfortunately, the weak link in a lot of cases is people, and giving attackers a head-start on useful usernames and email addresses doesn’t help,” said Darren Anstee, Solutions Architect for Arbor Networks, in an email. “Organizations need to reduce their threat surface, to decrease the chance of a successful breach, and they need to ensure that they have policies and training in place so that employees can securely manage sensitive and private data. Large organizations should have the resources or services in place to ensure that they do everything possible to protect their intellectual property and their customer’s data.”

Of course, even the most savvy of computer users could fall prey to a phishing attack if the attackers have access to a legitimate email from which to send the lure – and this issue is at the heart of the threat.

“The issue with using public data in this way is that the email from the attacker is to all intents perfectly normal, will come from a known supplier, friend or business colleague and the phishing link appears genuine,” said George Anderson, senior product marketing manager at Webroot, whose recent Web Security Survey recorded 55% of all companies being compromised by this type of attack. “The poor recipient has no chance if nothing raises suspicion, even if they are ‘security aware’. Hence, phishing is now the most successful cyber-attack breach – it targets the human factor and is difficult to detect. Plus, anti-phishing security technology is not working. It relies too much on trying to build blacklists of phishing sites and use those to block the users when they click on the link.”

Phishing aside, the KPMG report also showed that 53% of the FTSE 350 firms did not have up-to-date security or relied on old server software. Ash Patel, regional director for Stonesoft, said that the finding underscores the lack of understanding among businesses regarding the problem's scope. “With it reported only a few weeks ago by the GCHQ that British government and industry networks come under attack from sophisticated cyber operations at least 70 times a month, the revelations of this study are a major call for concern,” he said, in an emailed comment.

He added, “Businesses need to wake up and realize how vulnerable they are in a digitalized world, and what kind of strategic cyber-solutions need to be embedded into company culture and practice to manage vulnerability. It’s no longer a question of ‘if’ you’ll be attacked, but ‘when’, and ignorance of the issue by FTSE companies in a hyper-digitalized world is no longer an excuse. The London Stock Exchange is at the economic heart of the country, and a successful assault could potentially cripple the nation and expose huge swathes of customer data to rogue attackers.”

He noted that the British government is launching a number of schemes aimed at promoting cooperation between private and public sectors in this area, “and these companies have a duty to ensure they are fully on-board.”

KPMG’s Jordan echoed the “responsibility” sentiment: “Protecting their networks is not just about self-interest. It is about safeguarding the economy and, in the case of critical national infrastructures, it is also about the safety of the population."