As demonstrated by KPMG's recently published report, Cyber Vulnerability Index, many global organisations are inadvertently leaking huge amounts of private data and potentially creating opportunities for cyber attackers.
Hackers will gleefully take advantage of this disclosed information as they plan and enhance their methods of attack. It is possible to effectively reduce your organisation’s exposure to this risk, however, and make it a less attractive target by taking the following key steps.
It is important to first find out where you stand. Is your internet presence already locked down tightly, or is your organisation one of the 75% of top companies which are exposing more sensitive data than intended?
KPMG works with many organisations and their in-house security teams to conduct this kind of assessment quickly and with minimal disruption to demonstrate how secure websites really are against outside intruders.
Key to keeping sites secure is not leaving vulnerable servers and metadata leakage as unknowns in your organisation’s risk register.
Reduce your current exposure. As much as possible, go through currently published documents and web pages, removing unnecessary metadata such as internal usernames, email addresses, application version numbers and IP addresses, which all help potential attackers plan how they can compromise your systems.
If this kind of information is scarce or unavailable, it is more likely that casual and opportunistic attackers will search for an easier target elsewhere. Conversely, where a great deal of this information is leaked, an attacker is likely to assume your organisation is a viable target.
Similarly, it is vitally important to ensure that internet-facing systems are kept fully patched and updated.
The Australian DSD (analogous to GCHQ and the NSA) recently advised that patching of applications and operating systems are the top two methods of defending against cyber attacks. This must extend to all corporate devices which access the internet as much as to public web servers. The vast majority of cyber attacks exploit vulnerabilities for which a patch is already available.
Everyone in the organisation, from the boardroom to the mailroom, must understand the value and sensitivity of the information they possess and how to protect it.
Annual security awareness training has its place, but such programmes often deliver limited value. To be effective, training must be backed up by well-designed procedures and a corporate culture that takes security seriously.
Most employees are happy and willing to follow reasonable security procedures when they understand how to carry it out and the reasoning behind it.
However, cumbersome and poorly communicated security procedures are frequently ignored even by the best employees, whose primary focus is on “getting the job done”.
A good example must therefore be set from the top.
To ensure that data leaking problems have been dealt with permanently, policy adjustments should also be made.
The various procedures and solutions discussed above need to become part of business-as-usual within your organisation. Without the visible backing of the board for new or updated policies, any gains from implementing the above steps are likely to fade over the long term.
Undue leaking of information online will make any organisation an attractive target for cyber attack. However, this risk can be reduced by assessing your current status, performing immediate remedial action, and instigating longer-term educational and policy changes to develop a corporate culture that works to protect your sensitive information.
Martin Jordan (pictured) is director of information protection at KPMG Risk Consulting.