KPMG study reveals FTSE 350 firms leaking data
July 2013 by KPMG
“Cyber criminals are becoming more capable, and attacks more sophisticated. To counter this, organisations have put solutions in place to detect and mitigate the various cyber-threats which can target them. Unfortunately, the weak link in a lot of cases is people, and giving attackers a head-start on useful usernames and email addresses doesn’t help.
“Organisations need to reduce their threat surface, to decrease the chance of a successful breach, and they need to ensure that they have policies and training in place so that employees can securely manage sensitive and private data. Large organisations should have the resources or services in place to ensure that they do everything possible to protect their intellectual property and their customers’ data. The Internet has brought opportunity and growth for many organisations, but it also brings risks.”
Comment from George Anderson, Senior Product Marketing Manager for Enterprise, Webroot:
“These results aren’t surprising. Phishing is now the most common way companies are being breached. Our recent Webroot Web Security Survey recorded 55% of all companies being compromised by this type of attack. The issue with using public data in this way is that the email from the attacker is to all intents perfectly normal, will come from a known supplier, friend or business colleague and the phishing link appears genuine. The poor recipient has no chance if nothing raises suspicion, even if they are ‘security aware’. Hence phishing is now the most successful cyber-attack breach – it targets the human factor and is difficult to detect. Plus, anti-phishing security technology is not working. It relies too much on trying to build blacklists of phishing sites and use those to block the users when they click on the link.
“Of course commerce and industry as a whole need to recognise that security lies at the heart of human interaction and is the responsibility of everyone at the organisation – from CEO to secretary, and that security technology on its own can never be a panacea for lack of staff security awareness.”