FTSE 350 companies are leaking data and failing to keep systems up to date, according to KPMG.
According to research and simulated attacks by KPMG's cyber response team, every company on the list had employee usernames, email addresses and sensitive internal file location information exposed online.
The firm found that on average, 41 usernames, 44 email addresses and five sensitive internal file locations were available for each company.
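Counts like these are typically gathered from what a company publishes rather than from its web pages alone: Office and PDF files put online carry author names (often the Windows logon), the account that last saved them and the template or share path they were built from. The following is an added example and not KPMG's tooling or part of the original article. It constructs a minimal .docx-style package in memory (the names jsmith and amiller, the CORP domain, the fs01 share and example.com are all invented for the example) and then extracts the usernames, addresses and internal paths that document would give away if it were published.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# XML namespaces of the OOXML core-property part (docProps/core.xml).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# UNC shares (\\server\share\...), Windows drive paths (C:\...) and common Unix locations.
PATH_RE = re.compile(r'(?:\\\\[\w.-]+\\[^\s"<>]+|[A-Za-z]:\\[^\s"<>]+|/(?:home|var|srv|mnt)/[^\s"<>]+)')


def build_sample_docx() -> bytes:
    """Build a minimal .docx-style package in memory. Every value in it is constructed for
    this example; the user names, domain, share and company are not real."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
        '<dc:creator>jsmith</dc:creator>'
        '<cp:lastModifiedBy>CORP\\amiller</cp:lastModifiedBy>'
        '</cp:coreProperties>'
    )
    app = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">'
        '<Company>Example Plc</Company>'
        '<Template>\\\\fs01\\templates\\annual-report.dotx</Template>'
        '<HyperlinkBase>C:\\Users\\jsmith\\Documents\\board</HyperlinkBase>'
        '</Properties>'
    )
    body = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        '<w:body><w:p><w:r><w:t>Contact press.office@example.com for details.</w:t></w:r></w:p></w:body>'
        '</w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/document.xml", body)
    return buf.getvalue()


def extract_leaks(docx_bytes: bytes) -> dict:
    """Return the usernames, e-mail addresses and internal file paths a document exposes.

    Usernames come from the structured core properties (creator / lastModifiedBy); addresses
    and paths are pattern-matched across every XML part, which also covers the Template and
    HyperlinkBase fields in app.xml where Office records where the file was built."""
    found = {"usernames": set(), "emails": set(), "paths": set()}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = z.namelist()
        if "docProps/core.xml" in names:
            root = ET.fromstring(z.read("docProps/core.xml"))
            for tag in ("dc:creator", "cp:lastModifiedBy"):
                el = root.find(tag, NS)
                if el is not None and el.text and el.text.strip():
                    found["usernames"].add(el.text.strip())
        for name in names:
            if name.endswith(".xml"):
                text = z.read(name).decode("utf-8", "replace")
                found["emails"].update(EMAIL_RE.findall(text))
                found["paths"].update(PATH_RE.findall(text))
    return {k: sorted(v) for k, v in found.items()}


if __name__ == "__main__":
    for kind, values in extract_leaks(build_sample_docx()).items():
        print(f"{kind}: {values}")
```

Run over a crawl of a company's own published Office files, the same routine gives a per-document tally of the three categories the survey counted, and it is the check worth running before documents go out: the share name, domain prefix and logon format are what an attacker later combines with a separate weakness, as the article goes on to note.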
Martin Jordan, head of cyber response at KPMG, said: “What our research has shown is that companies do not have full control of their web presence at a time when cyber security has been turned upside down.
“Our findings send out a clear message to business: while the internet may be a shop window to the world, it can also be a substantial security risk. FTSE 350 companies should accept that cyber threats are real. Protecting their networks is not just about self-interest; it is about safeguarding the economy and, in the case of critical national infrastructures, it is also about the safety of the population.”
The cyber response team conducted a simulated attack to get inside FTSE 350 companies. It said that all the research was conducted using public domain data, without breaching any security controls. Among the companies researched, those in the aerospace and defence sector recorded the highest number of leaked internal email addresses, while 53 per cent did not have up-to-date security patches or were using old server software, making them potentially vulnerable to attack.
Companies in the support services sector and software and computer services sector were at the top of the list in terms of sectors with the most vulnerabilities.
Security researcher Robin Wood told SC Magazine that all companies leak email addresses, and that many of those leaks are deliberate, for instance in marketing campaigns or feedback forms where the addresses are made to look more personal. He said: “Also, how many people does a FTSE 350 firm have on its books? Is 44 email addresses really a significant number? How many of the addresses are info@, sales@ etc?
“Usernames shouldn't be out there but as with email addresses, their use can be limited by having good software controls in place. Sensitive file locations are only an issue if there is another vulnerability to go with them. Knowing a website is served from /var/www or that a document was stored in c:\docs doesn't mean much unless combined with other vulnerabilities.”
He said that missing software patches are more serious and are something that should be addressed, although old server software isn't necessarily a problem, as a lot of companies deliberately run a version or two behind to avoid bugs in bleeding-edge versions.
Asked if security infrastructures often do not scale to the size of the business, Wood said: “Larger companies definitely don't scale well. A small firm, say 200 people, may have a single security person to manage the whole firm but a large, 10,000-person firm often has less than 20, usually quite a bit less. That is a difference between a ratio of 200:1 versus 10,000:20 or 500:1.
“With the size of their infrastructure, it is very hard to successfully manage all of it and keep it all up-to-date. Security is easy to not spend money on. If they do their job properly and nothing happens it is seen that they don't need the budgets they have as nothing happened so cut costs. A company often needs a breach to get cash into the department.”
Brian Honan, CEO of BH Consulting, said that any company holding sensitive information, such as financial details or valuable intellectual property, should have a comprehensive information security management system in place, which includes vulnerability and patch management programs, to identify and address potential risks to the business.
He said: “It is important to remember context when evaluating systems and their weaknesses. Ensuring 100 per cent security is not possible, particularly in today's rapidly changing computing environment. Priority should be given to address vulnerabilities in systems that hold sensitive data or are critical to the business.
“However, companies need to ensure that other systems on their network don't provide a weak entry point into their network and through there into the sensitive systems. Where systems cannot be patched, be that for technical or business reasons, or simply because the resources are not available, companies should look at other ways to mitigate their risk.
“It's a fact of life that in large organisations it will be impossible to have every system running on the latest releases. It is important to know which systems are most critical to the business and ensure they are secured first with other less critical systems following suit.”