An analysis by KPMG’s cyber response team reveals that companies vital to the UK’s economic growth and crucial to national security are leaking data that can be used by cyber attackers.
According to the report, this data is readily available in the public domain and could be used to gain control of intellectual property, perpetrate fraud and inflict reputational damage.
The report is based on a simulation of the initial steps a would-be cyber attacker might undertake using public domain data without breaching security.
KPMG found that every single company on the FTSE 350 list was leaking data by leaving employee usernames, email addresses and sensitive internal file location information online.
The cyber response team found that, on average, 41 usernames, 44 email addresses and five sensitive internal file locations were available for each company.
Companies in the aerospace and defence sector recorded the highest number of exposed internal email addresses, which attackers typically use to send phishing emails to gain entry to a company’s network.
Martin Jordan, head of cyber response at KPMG, said the research shows that companies do not have full control of their web presence.
“Hacking has become automated on an industrial scale – often with state-sponsored agencies behind it – and attackers are aiming for an increased competitive edge by stealing company secrets and IP, or purely seeking financial gain through fraud,” he said.
While it’s difficult to stop these groups, he said companies can, at the very least, deny them open access to their secrets.
“Our findings send out a clear message to business – while the internet may be a shop window to the world – it can also be a substantial security risk,” said Jordan.
“FTSE 350 companies should accept that cyber threats are real. Protecting their networks is not just about self-interest; it is about safeguarding the economy and, in the case of critical national infrastructures, it is also about the safety of the population,” he said.
KPMG also found that 53% of the FTSE 350 did not have up-to-date security patches or were using old server software, making them potentially vulnerable to attack.
Companies in the support services sector and, ironically, also the software and computer services sector, were found to be at the top of the list in terms of sectors with the most vulnerabilities.