The KPMG team spent six months rummaging through the online presence of the companies. It found many businesses are leaking data that exposes them to cyber attacks.
KPMG reports its findings and recommendations in its cyber vulnerability index “Publish and be Damned: What does your online corporate profile reveal?”
The security advisory team simulated the initial steps would-be cyber attackers might take against companies. All the research was conducted using public domain data and without breaching security.
The team found:
• Over three-quarters of the organisations surveyed had websites that were leaking data.
• 71 percent of the Forbes 2000 companies may be using potentially vulnerable and outdated versions of Microsoft and Adobe software.
• The technology and software sectors are most likely to disclose information in metadata in posts to online forums and newsgroups.
• 16 percent of companies may be vulnerable to attack due to poor patching or the use of out-of-date server software on their websites.
Information within document metadata often constitutes an information leak, as it can provide cyber attackers with a view of corporate network users, their email addresses, the software versions they use to create documents and the internal network locations where files are stored.
KPMG NZ’s security advisory services director Philip Whitmore warns that the profile of attackers has changed in the past few years.
“Today’s cyber attacker is more likely to be a social activist with an axe to grind, rather than financially motivated. More troubling still has been the perceived rise of state-sponsored hackers who enjoy the luxury of time and seemingly unlimited resources.”
He says attackers often aim to gain better access to greater intellectual property.
“While it’s difficult to stop these types of people, companies can, at the very least, deny them open access to their secrets which unwittingly they may have laid bare.”
The report says the world of cyber security has tilted on its axis. Companies now face cyber attacks not only from hacking groups, script kiddies and hacktivists but also from state-sponsored agencies seeking a competitive edge or intellectual property.
“Just as attacks have evolved, companies must evolve by re-evaluating their own ability to detect, defend and respond to cyber attacks.”
KPMG recommends businesses action a four-part plan:
• Assess: Perform an assessment of your internet presence. Work out what data your organisation currently leaks to the world.
• Spring clean: Where possible, cleanse meta-data from your existing published documents. Ensure all corporate devices are fully patched, not just your online web servers.
• Educate all employees: Get everyone in the organisation to understand the value and sensitivity of the information they possess and, more importantly, how to protect it.
• Adjust policies: Instigate policy to minimise unintentional or undesired corporate information appearing on the net.