Seventy-eight per cent of organisations in the Forbes Global 2000 are leaking data that could create opportunities for cyber attackers, a report by consultancy firm KPMG has found.
The report, dubbed the ‘Cyber Vulnerability Index’, assessed how businesses are leaking data that exposes them to cyber attacks. Research was carried out by KPMG over a six-month period into data leaks from the top 2000 companies in the world as ranked by Forbes magazine.
This included downloading 10 million publicly available documents from the Forbes 2000 websites for analysis in addition to looking at online postings from named individuals working for these companies.
According to the metadata KPMG had obtained, 71 per cent of the companies may have been using potentially vulnerable and outdated versions of Microsoft and Adobe software. Technology and software sectors were found to expose the most information in documents they serve on their corporate websites.
Martin Jordan, director of information protection at KPMG, told Computing that the internet offers rich intelligence pickings for cyber attackers, and explained how they could use online documents to their advantage.
"Cyber attackers will profile the company, look at the Adobe files found on the internet and inside these documents they can find out the version of the software. Then, they would build a bespoke bit of malware designed to expose that part of software," he said.
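A publisher can check what its own documents disclose before they go on the corporate website. The sketch below is an added example, not part of the KPMG report or this article; it reads the software and author fields from PDF and Office Open XML files, and the sample documents, product names and user name in it are constructed.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# PDF Info-dictionary keys that name the authoring software or a person.
# Only uncompressed literal strings are matched; hex strings, XMP packets and
# Info dictionaries inside object streams need a full PDF parser.
PDF_FIELD = re.compile(rb"/(Producer|Creator|Author)\s*\(((?:\\.|[^\\)])*)\)")
# OOXML (docx/xlsx/pptx) property elements in docProps/app.xml and core.xml.
OOXML_TAGS = {"Application", "AppVersion", "Company", "creator", "lastModifiedBy"}

def pdf_metadata(data):
    return {k.decode(): v.decode("latin-1") for k, v in PDF_FIELD.findall(data)}

def ooxml_metadata(data):
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for part in ("docProps/app.xml", "docProps/core.xml"):
            if part not in z.namelist():
                continue
            for el in ET.fromstring(z.read(part)).iter():
                tag = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace
                if tag in OOXML_TAGS and el.text:
                    found[tag] = el.text
    return found

def audit(data):
    """Return the identifying metadata a file would publish, keyed by field."""
    if data.startswith(b"%PDF-"):
        return pdf_metadata(data)
    if data.startswith(b"PK"):  # ZIP container, as used by OOXML
        return ooxml_metadata(data)
    return {}

# Constructed samples: product names, versions and user name are invented.
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Producer (Example PDF Library 9.0) "
              b"/Creator (Example Writer 2010) /Author (jsmith) >>\nendobj\n")
APP_XML = ('<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/'
           '2006/extended-properties"><Application>Example Word</Application>'
           '<AppVersion>12.0000</AppVersion></Properties>')
CORE_XML = ('<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/'
            '2006/metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/">'
            '<dc:creator>jsmith</dc:creator></cp:coreProperties>')

def sample_docx():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/app.xml", APP_XML)
        z.writestr("docProps/core.xml", CORE_XML)
    return buf.getvalue()
```

Any file for which `audit()` returns a non-empty result still carries version or author fields and can be cleaned with the authoring tool's own metadata-removal feature before publication.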
The technology and software sectors also have employees posting far more information to online forums and newsgroups than other industries.
In the report, KPMG warned that these postings "often reveal email addresses of individuals to be targeted in spear-phishing attacks" and could also reveal personal information which could be used in targeted social engineering attacks.
Part of the research focussed on the structure of the Forbes 2000 corporate websites to identify potentially sensitive file locations or hidden functionality that may be useful to cyber attackers – with 15 per cent of the company websites offering hackers access to test functionality and private login portals that potentially allow file upload capabilities.