Many global firms unaware of online risk, finds KPMG

Many global organisations could do a lot more to protect their private data and reduce exposure to attacks by hackers, according to KPMG. 

More than three quarters of organisations in the Forbes 2000 are leaking data, potentially creating opportunities for cyber attackers, according KPMG's first Cyber Vulnerability Index.

Banking is by far the worst offender in the number of sensitive file locations found on websites and 71% of companies may be using potentially vulnerable and outdated versions of Microsoft and Adobe software, the study found.

However, the UK stood out as relatively well-protected compared to its international counterparts, not even featuring in the top 10 most vulnerable countries.

Switzerland (40%), Japan (22%) and Spain (9%) were the top three countries who were most open to attack via vulnerable web server software. 

Emerging markets Brazil, China, Thailand and Saudi Arabia, are also at risk.

For the study, KPMG’s Cyber Response team simulated the initial steps would-be cyber attackers might undertake against the Forbes 2000 list of global companies using public domain data over a period of six months.

The data that can be downloaded, the report said, can provide cyber attackers with a view of corporate network users, their e-mail addresses, the software versions they use to create documents and internal network locations where files are stored. 

For example, KPMG managed to collect an average of 210 usernames per site and 171 e-mail addresses.

The study also found technology and software sectors are most likely to disclose information in metadata in posts to online forums and newsgroups. 16% of companies may be vulnerable to attack due to poor patching or the use of out-of-date server software on their websites.

The utilities sector was identified as being the most vulnerable sector affected by issues with out-of-date software on their web servers. As a result, a successful attack on the website could lead to the attacker gaining control of the web server and its content.

Based on the research, KPMG said it is clear companies should do more to cleanse the amount of data they leak on the internet and should spring-clean their public-facing documents of metadata. 

“The world of cyber security has been tilted on its axis over the past two years- from the actions of hacktivists and associated groups - through to state sponsored agencies with seemingly unlimited resources," said Martin Jordan, director of information protection at KPMG.

Attackers are aiming for an increased competitive edge or to gain better access to greater intellectual property, whatever their level of sophistication, he said.

"While it’s difficult to stop these groups, companies can, at the very least, deny them ‘open all areas’ access to their secrets which unwittingly, they may have laid bare,” said Jordan.

But, he said, the finding sent out a clear message to business: "While the internet may be your shop window to the world – it can also be a substantial security risk as well.”