KPMG found that every single company was leaking data by leaving employee usernames, email addresses and sensitive internal file location information online, where it could potentially be used by hackers. In fact, the firm found that, on average, 41 usernames, 44 email addresses and five sensitive internal file locations were available for each company.
Darren Anstee, Solutions Architect Global Team Lead, Arbor Networks
“Cyber criminals are becoming more capable, and attacks more sophisticated. To counter this, organisations have put solutions in place to detect and mitigate the various cyber-threats which can target them. Unfortunately, the weak link in a lot of cases is people, and giving attackers a head-start on useful usernames and email addresses doesn’t help.
“Organisations need to reduce their threat surface, to decrease the chance of a successful breach, and they need to ensure that they have policies and training in place so that employees can securely manage sensitive and private data. Large organisations should have the resources or services in place to ensure that they do everything possible to protect their intellectual property and their customers’ data. The Internet has brought opportunity and growth for many organisations, but it also brings risks.”
Ash Patel, Regional Director UK & Ireland, Stonesoft
With it reported only a few weeks ago by the GCHQ that British government and industry networks come under attack from sophisticated cyber operations at least 70 times a month, the revelations of this study are a major call for concern.
Businesses need to wake up and realise how vulnerable they are in a digitalised world, and what kind of strategic cyber solutions need to be embedded into company culture and practice to manage vulnerability. It’s no longer a question of ‘if’ you’ll be attacked, but ‘when’, and ignorance of the issue by FTSE companies in a hyper-digitalised world is no longer an excuse. The London Stock Exchange is at the economic heart of the country, and a successful assault could potentially cripple the nation and expose huge swathes of customer data to rogue attackers.
The British government is launching a number of schemes aimed at promoting cooperation between private and public sectors in this area, and these companies have a duty to ensure they are fully on-board.
George Anderson, Senior Product Marketing Manager for Enterprise, Webroot
These results aren’t surprising. Phishing is now the most common way companies are being breached. Our recent Webroot Web Security Survey recorded 55% of all companies being compromised by this type of attack. The issue with using public data in this way is that the email from the attacker is to all intents perfectly normal, will come from a known supplier, friend or business colleague and the phishing link appears genuine.
The poor recipient has no chance if nothing raises suspicion, even if they are ‘security aware’. Hence phishing is now the most successful cyber-attack breach – it targets the human factor and is difficult to detect. Plus, anti-phishing security technology is not working. It relies too much on trying to build blacklists of phishing sites and use those to block the users when they click on the link.
Of course commerce and industry as a whole need to recognise that security lies at the heart of human interaction and is the responsibility of everyone at the organisation – from CEO to secretary, and that security technology on its own can never be a panacea for lack of staff security awareness.