Majority of top firms are leaking data that could help cyber attackers, says KPMG
Banking sector one of the worst; UK not in the top 10 offending countries
Seventy-eight per cent of organisations in the Forbes Global 2000 are leaking data that could create opportunities for cyber attackers, a report by consultancy firm KPMG has found.
The report, dubbed the ‘Cyber Vulnerability Index’, assessed how businesses are leaking data that exposes them to cyber attacks. Research was carried out by KPMG over a six-month period into data leaks from the top 2000 companies in the world as ranked by Forbes magazine.
This included downloading 10 million publicly available documents from the Forbes 2000 websites for analysis in addition to looking at online postings from named individuals working for these companies.
According to the metadata KPMG obtained, 71 per cent of the companies may have been using potentially vulnerable and outdated versions of Microsoft and Adobe software. Technology and software sectors were found to expose the most information in documents they serve on their corporate websites.
Martin Jordan, director of information protection at KPMG, told Computing that the internet offers rich intelligence pickings for cyber attackers, and explained how they could use online documents to their advantage.
"Cyber attackers will profile the company, look at the Adobe files found on the internet and inside these documents they can find out the version of the software. Then, they would build a bespoke bit of malware designed to expose that part of software," he said.
The technology and software sectors also have employees posting far more information to online forums and newsgroups than other industries.
In the report, KPMG warned that these postings "often reveal email addresses of individuals to be targeted in spear-phishing attacks" and could also reveal personal information which could be used in targeted social engineering attacks.
Part of the research focussed on the structure of the Forbes 2000 corporate websites to identify potentially sensitive file locations or hidden functionality that may be useful to cyber attackers – with 15 per cent of the company websites offering hackers access to test functionality and private login portals that potentially allow file upload capabilities.
The banking sector had the largest number of potentially sensitive file locations and was third in terms of the number of documents held on its corporate websites. This surprised Jordan, although he acknowledged that it could be partly due to the number of media briefings that banks are obliged to carry out.
He also warned that banking staff were probably too open on online newsgroups.
"A lot of information about banking technology, such as core banking engines for internet platforms and for web application servers are hidden to the public – but a lot of developers will talk about this freely on the newsgroups," he said.
Overall, the UK fared well in the report and Jordan put this down to a "mature security market".
"The UK is not in the top 10 offending countries, which is good news for the UK in terms of the cyber economy. I think this is because the UK has a professional mature market in cyber security; it has been a hot topic in the UK for a long time," he claimed.
KPMG urged companies to perform an assessment of their internet presence, cleanse metadata from existing published documents, ensure all corporate devices and web servers are fully patched, educate all employees and adjust policies to minimise unintentional or undesired corporate information appearing online.