
FTSE 350 companies demonstrate very poor security manners


FTSE 350 companies are leaking data and failing to keep their systems up to date, according to KPMG.

According to research and simulated attacks by KPMG's cyber response team, every company on the list left employee usernames, email addresses and sensitive internal file location information online.

The firm found that on average, 41 usernames, 44 email addresses and five sensitive internal file locations were available for each company.
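The per-company counts above are what a passive scan of a company's public footprint produces. As an added illustration (not KPMG's tooling and not code from the article), the Python below runs three extractors over text already retrieved from public sources: email addresses, labelled username fields such as the "Author" value in document metadata, and internal file locations (Unix paths, Windows drive paths and UNC shares). It also separates role mailboxes such as info@ or press@ from personal addresses, since a raw address count overstates what an attacker has learned. The company domain, the names and the three sample documents are constructed for the example.

```python
"""Passive scan of a company's public web footprint for leaked usernames,
email addresses and internal file locations.

Added illustration only: this is not KPMG's tooling and not code from the
article.  It works on text already fetched from public sources (web pages,
error pages, document metadata), so it runs offline on the samples below.
"""
import re
from collections import defaultdict

# Constructed sample: what a crawler and a metadata extractor might return
# for one company.  The domain, names and paths are made up for this example.
SAMPLE_DOCS = {
    "contact page": r"""
        <a href="mailto:info@example-plc.test">General enquiries</a>
        <a href="mailto:press@example-plc.test">Press office</a>
        <p>Or write to j.smith@example-plc.test directly.</p>
    """,
    "annual report PDF metadata": r"""
        Author: jsmith
        Creator: Microsoft Word
        Title: C:\Users\jsmith\Documents\annual_report.docx
        SourceModified: \\fs01\finance\2014\annual_report_draft_v3.docx
    """,
    "leftover debug page": r"""
        Warning: include(/var/www/intranet/config.inc.php): failed to open stream
        in /var/www/html/index.php on line 12
        User: a.jones@example-plc.test (uid adjones)
    """,
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Usernames only count when a labelled field says so; guessing from free
# text produces noise.  The labels are common document-metadata and
# error-page field names.
USERNAME_RE = re.compile(
    r"\b(?:Author|uid|Login|Username)\s*[:=]?\s*([A-Za-z][A-Za-z0-9._-]{2,})"
)

# Internal file locations: Unix paths under well-known roots, Windows drive
# paths, and UNC shares.  Each pattern stops at whitespace, angle brackets
# and closing punctuation so paths embedded in error messages parse cleanly.
PATH_RES = [
    re.compile(r"/(?:var|etc|home|opt|srv|usr|tmp)/[^\s<>():\"']+"),
    re.compile(r"\b[A-Za-z]:\\(?:[^\\\s<>]+\\)*[^\\\s<>]*"),
    re.compile(r"\\\\[^\\\s<>]+(?:\\[^\\\s<>]+)+"),
]

# Generic mailboxes: listing these does not identify a person.
ROLE_LOCALPARTS = {
    "info", "sales", "press", "support", "enquiries", "admin",
    "webmaster", "noreply", "no-reply", "postmaster", "abuse",
}


def is_role_address(email):
    """True for generic mailboxes such as info@ or sales@."""
    return email.split("@", 1)[0].lower() in ROLE_LOCALPARTS


def scan_text(text):
    """Extract (emails, usernames, paths) from one blob of public text."""
    emails = {m.group(0).lower() for m in EMAIL_RE.finditer(text)}
    usernames = {m.group(1) for m in USERNAME_RE.finditer(text)}
    paths = set()
    for rx in PATH_RES:
        paths.update(m.group(0) for m in rx.finditer(text))
    return emails, usernames, paths


def scan_company(docs):
    """Deduplicated findings across a company's documents, keeping the
    source of each item so a finding can be traced back and removed."""
    report = {
        "personal_emails": set(), "role_emails": set(),
        "usernames": set(), "paths": set(),
        "sources": defaultdict(set),
    }
    for source, text in docs.items():
        emails, usernames, paths = scan_text(text)
        for email in emails:
            bucket = "role_emails" if is_role_address(email) else "personal_emails"
            report[bucket].add(email)
        report["usernames"].update(usernames)
        report["paths"].update(paths)
        for item in emails | usernames | paths:
            report["sources"][item].add(source)
    return report


def summarise(report):
    """Headline counts in the shape the research reported, plus the
    personal-address count, which matters more than the raw total."""
    return {
        "usernames": len(report["usernames"]),
        "email_addresses": len(report["personal_emails"]) + len(report["role_emails"]),
        "personal_email_addresses": len(report["personal_emails"]),
        "file_locations": len(report["paths"]),
    }


if __name__ == "__main__":
    report = scan_company(SAMPLE_DOCS)
    for key, value in summarise(report).items():
        print(f"{key}: {value}")
    for item in sorted(report["personal_emails"] | report["usernames"] | report["paths"]):
        print(f"  {item}  <- {', '.join(sorted(report['sources'][item]))}")
```

On the constructed sample this reports two usernames, four email addresses (two of them personal) and four file locations, and shows which document each item came from, which is the part a remediation team actually needs.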

Martin Jordan, head of cyber response at KPMG, said: “What our research has shown is that companies do not have full control of their web presence at a time when cyber security has been turned upside down.

“Our findings send out a clear message to business: while the internet may be a shop window to the world, it can also be a substantial security risk. FTSE 350 companies should accept that cyber threats are real. Protecting their networks is not just about self-interest; it is about safeguarding the economy and, in the case of critical national infrastructures, it is also about the safety of the population.”

The cyber response team ran the exercise as a simulated attack on FTSE 350 companies, and said that all of the research was conducted using public domain data without breaching any security. Among the companies researched, those in the aerospace and defence sector recorded the highest number of leaked internal email addresses, while 53 per cent did not have up-to-date security patches or were running old server software, leaving them potentially vulnerable to attack.

Companies in the support services sector and software and computer services sector were at the top of the list in terms of sectors with the most vulnerabilities.

Security researcher Robin Wood told SC Magazine that all companies leak email addresses, and that many of the leaks are deliberate, for instance in marketing campaigns or feedback forms where the addresses are intentionally made to look more personal. He said: “Also, how many people does a FTSE 350 firm have on its books? Is 44 email addresses really a significant number? How many of the addresses are info@, sales@ etc?

“Usernames shouldn't be out there but as with email addresses, their use can be limited by having good software controls in place. Sensitive file locations are only an issue if there is another vulnerability to go with them. Knowing a website is served from /var/www or that a document was stored in c:\docs doesn't mean much unless combined with other vulnerabilities.” 

He said that missing software patches are more serious and should be addressed, although old server software isn't necessarily a problem, as a lot of companies deliberately run a version or two behind to avoid bugs in bleeding-edge versions.
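Checks for old server software of the kind reported above are usually made from advertised version strings. As an added example (not the KPMG methodology), the Python below parses Server and X-Powered-By banners, compares each version numerically against a minimum-acceptable baseline, and reports a host whose banner hides the version as "unknown" rather than as up to date. The hostnames, headers and baseline versions are constructed for the example; the baseline stands in for an organisation's own patch policy, which, as Wood notes, may deliberately sit a release or two behind, and is not vendor support data.

```python
"""Banner-based check for out-of-date server software.

Added example, not the KPMG methodology: it parses advertised product and
version strings from HTTP response headers and compares them numerically
against a minimum-acceptable baseline.  Hosts, headers and the baseline
are constructed for this example.
"""
import re

# Constructed: headers as a scanner might have recorded them for four hosts.
SAMPLE_HEADERS = {
    "www.example-plc.test": {"Server": "Apache/2.2.15 (CentOS)",
                             "X-Powered-By": "PHP/5.3.3"},
    "careers.example-plc.test": {"Server": "Microsoft-IIS/8.5"},
    "shop.example-plc.test": {"Server": "nginx"},            # version hidden
    "old.example-plc.test": {"Server": "Apache/2.4.10 (Ubuntu)"},
}

# Assumed policy floor per product ("no older than this"), which is how a
# "run a version or two behind" policy is expressed.  These numbers are
# placeholders, not vendor support data; fill them from your own patch policy.
MINIMUM_ACCEPTABLE = {
    "Apache": "2.4.9",
    "PHP": "5.6.0",
    "Microsoft-IIS": "8.0",
    "nginx": "1.6.0",
}

# product[/version] tokens, e.g. "Apache/2.4.10", "nginx", "Microsoft-IIS/8.5"
PRODUCT_RE = re.compile(r"([A-Za-z][A-Za-z0-9_.-]*)(?:/(\d+(?:\.\d+)*))?")


def version_tuple(version):
    """'2.4.10' -> (2, 4, 10) so comparison is numeric, not lexical
    ('2.4.10' < '2.4.9' as strings, but not as versions)."""
    return tuple(int(part) for part in version.split("."))


def is_older(version, minimum):
    """True if version is older than minimum.  Shorter tuples are zero-padded
    so '8.5' is compared with '8.0' as (8, 5, 0) against (8, 0, 0)."""
    a, b = version_tuple(version), version_tuple(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def parse_banner(banner):
    """Split a Server / X-Powered-By value into (product, version-or-None)
    pairs.  Parenthesised comments such as '(CentOS)' are OS hints rather
    than products, so they are dropped first."""
    cleaned = re.sub(r"\([^)]*\)", " ", banner)
    return [(m.group(1), m.group(2)) for m in PRODUCT_RE.finditer(cleaned)]


def assess_host(headers):
    """Classify each advertised product on one host against the baseline."""
    result = {"outdated": [], "ok": [], "unknown": []}
    for header in ("Server", "X-Powered-By"):
        if header not in headers:
            continue
        for product, version in parse_banner(headers[header]):
            minimum = MINIMUM_ACCEPTABLE.get(product)
            if minimum is None:
                continue                           # nothing to compare against
            if version is None:
                result["unknown"].append(product)  # hidden is not "current"
            elif is_older(version, minimum):
                result["outdated"].append((product, version))
            else:
                result["ok"].append((product, version))
    return result


def assess_estate(hosts):
    """Run the host check across an estate of {hostname: headers}."""
    return {host: assess_host(headers) for host, headers in hosts.items()}


def outdated_fraction(findings):
    """Share of hosts with at least one out-of-date product, the figure the
    research reported as a percentage."""
    flagged = sum(1 for f in findings.values() if f["outdated"])
    return flagged / len(findings) if findings else 0.0


if __name__ == "__main__":
    findings = assess_estate(SAMPLE_HEADERS)
    for host, f in findings.items():
        print(host, f)
    print(f"hosts with outdated software: {outdated_fraction(findings):.0%}")
```

Two details are easy to get wrong in tools like this: version strings must be compared as integer tuples, or 2.4.10 is judged older than 2.4.9; and a banner with the version stripped tells you nothing about patch level, so it belongs in a separate "unknown" bucket rather than being counted as either current or outdated.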

Asked if security infrastructures often do not scale to the size of the business, Wood said: “Larger companies definitely don't scale well. A small firm, say 200 people, may have a single security person to manage the whole firm but a large, 10,000-person firm often has less than 20, usually quite a bit less. That is a difference between a ratio of 200:1 versus 10,000:20 or 500:1. 

“With the size of their infrastructure, it is very hard to successfully manage all of it and keep it all up to date. Security is easy to not spend money on. If they do their job properly and nothing happens, it is seen that they don't need the budgets they have, as nothing happened, so cut costs. A company often needs a breach to get cash into the department.”

Brian Honan, CEO of BH Consulting, said that any company holding sensitive information, such as financial details or valuable intellectual property, should have a comprehensive information security management system in place, which includes vulnerability and patch management programs, to identify and address potential risks to the business. 

He said: “It is important to remember context when evaluating systems and their weaknesses. Ensuring 100 per cent security is not possible, particularly in today's rapidly changing computing environment. Priority should be given to address vulnerabilities in systems that hold sensitive data or are critical to the business.

“However, companies need to ensure that other systems on their network don't provide a weak entry point into their network and through there into the sensitive systems. Where systems cannot be patched, be that for technical or business reasons, or simply because the resources are not available, companies should look at other ways to mitigate their risk. 

“It's a fact of life that in large organisations it will be impossible to have every system running on the latest releases. It is important to know which systems are most critical to the business and ensure they are secured first with other less critical systems following suit.”
