Giant professional services company KPMG has released a report accusing FTSE 350 companies of failing to keep their networks safe, suggesting that the safety of Britain's economy and national security as a whole could also be under threat due to simple flaws in web security.
KPMG found all 350 companies guilty of unintentionally leaking data by leaving employee names, email addresses and sensitive internal file location information online - all of which could be used by hackers to potentially gain access to a company's website and servers.
Ross Parsell, Director of Cyber Security at Thales UK and an experienced member of the governing bodies that decide the UK National Cyber Security Strategy, commented:
“As today’s KPMG report highlights, there is currently a high level of naivety in the market regarding cyber security, resulting in many organisations unintentionally putting themselves at risk. Companies need to acknowledge that cyber security is a business issue, not just an IT issue and, if businesses haven’t realised this, their organisation is already on the back foot. The consequences of cyber attacks are now so severe that cyber defence must become a board room discussion where companies explore what measures need to be put into place to ensure they are acting proactively – not reactively.
As well as unsecured networks, an employee could pose an internal threat through malicious intent or unintentional ignorance. To combat insider threats, firms need to invest in employee security training and awareness programmes to avoid accidental breaches. Educating staff both on a company’s own security policies and procedures, as well as industry best practice and regulatory standards, will greatly reduce the risk of an incident resulting from poor or absent education.
There are a number of IT-administered employee controls which organisations can consider, including network monitoring technology which alerts the necessary parties when rogue devices connect to the network to infect a corporate IT system. This could help prevent the problems that KPMG has revealed in its report.”
Network security company Stonesoft echoed the concerns of Thales and similarly suggested embedding cyber security into the fabric of an organisation.
Ash Patel, Regional Director UK & Ireland for Stonesoft, stated: “With GCHQ reporting only a few weeks ago that British government and industry networks come under attack from sophisticated cyber operations at least 70 times a month, the revelations of this study are a major cause for concern.
“Businesses need to wake up and realise how vulnerable they are in a digitalised world, and what kind of strategic cyber solutions need to be embedded into company culture and practice to manage vulnerability. It’s no longer a question of ‘if’ you’ll be attacked, but ‘when’, and ignorance of the issue by FTSE companies in a hyper-digitalised world is no longer an excuse. The London Stock Exchange is at the economic heart of the country, and a successful assault could potentially cripple the nation and expose huge swathes of customer data to rogue attackers.
“The British government is launching a number of schemes aimed at promoting cooperation between private and public sectors in this area, and these companies have a duty to ensure they are fully on-board.”
Cyber security company ESET voiced its concerns about smaller businesses, seeing the problem as far more wide-reaching if even the top 350 companies are being seen as naive.
Quinton Watts, VP Marketing & Sales for ESET UK, explained: “It’s worrying to see organisations central to UK economic growth and prosperity falling short in terms of cyber security. Businesses up and down the country should take a moment to reflect on these findings and consider their own security culture and practices. If businesses with millions of pounds of resources available at their disposal, who should be at the forefront of cyber security, are leaving sensitive information online, it’s almost certain large swathes of the mid-market and small business economy are as well. It’s interesting to see phishing emails rank particularly highly amongst methods used by attackers. Organisations should ensure they are aware of the availability of sensitive data to the public and have sufficient processes internally for handling suspect emails and enquiries. It is critical they also educate their workforce as to the risks attached to placing critical and sensitive information in the public domain.”
Thales is not alone in singling out insiders as the weak link, with Arbor Networks confirming its view that strong policies and a training regime should be put in place.
Darren Anstee, Solutions Architect Global Team Lead for Arbor Networks, comments: “Cyber criminals are becoming more capable, and attacks more sophisticated. To counter this, organisations have put solutions in place to detect and mitigate the various cyber-threats which can target them. Unfortunately, the weak link in a lot of cases is people, and giving attackers a head-start on useful usernames and email addresses doesn’t help.
“Organisations need to reduce their threat surface, to decrease the chance of a successful breach, and they need to ensure that they have policies and training in place so that employees can securely manage sensitive and private data. Large organisations should have the resources or services in place to ensure that they do everything possible to protect their intellectual property and their customers’ data. The Internet has brought opportunity and growth for many organisations, but it also brings risks.”
Internet security company Webroot comes at it from a slightly different angle. Phishing attacks on companies exploit the weak link of human nature, with employees sometimes opening the door to the company jewels on the basis of communications they trust, and that trust is then exploited.
George Anderson, Senior Product Marketing Manager for Enterprise, Webroot, says: “These results aren’t surprising. Phishing is now the most common way companies are being breached. Our recent Webroot Web Security Survey recorded 55% of all companies being compromised by this type of attack. The issue with using public data in this way is that the email from the attacker is to all intents and purposes perfectly normal, will come from a known supplier, friend or business colleague, and the phishing link appears genuine. The poor recipient has no chance if nothing raises suspicion, even if they are ‘security aware’. Hence phishing is now the most successful cyber-attack breach – it targets the human factor and is difficult to detect. Plus, anti-phishing security technology is not working. It relies too much on trying to build blacklists of phishing sites and using those to block users when they click on the link.
“Of course commerce and industry as a whole need to recognise that security lies at the heart of human interaction and is the responsibility of everyone at the organisation – from CEO to secretary, and that security technology on its own can never be a panacea for lack of staff security awareness.”