Awareness of cyber security must move from the IT department to the boardrooms of Britain's biggest companies, the government insists, following the launch of the Cyber Governance Health Check.

MI5 and GCHQ say cyber security knowledge must extend from IT department to boardroom. (Credit: Reuters)

The initiative asks company board members to complete a questionnaire assessing the cyber awareness of their businesses and is designed to gauge the extent to which FTSE 350 boards and audit committee chairmen understand and oversee risk measures addressing cyber security threats.

The launch of the government's initiative comes a day after a report published by KPMG claimed all FTSE 350 companies leak employee names, email addresses and sensitive internal file location information, all of which can be publicly accessed and used to launch cyber and phishing attacks.

Health check

Both MI5 director general Andrew Parker and GCHQ director Sir Iain Lobban have written to the FTSE 350 companies, urging their chairmen to take part in the cyber security health check.

UK chairman of KPMG, Simon Collins, said: "The government's initiative is a welcome and timely addition to the fight against cyber crime. It will raise the profile of the risks and highlight that all of us, as part of UK plc, need to plug gaps in our security before leaks become a flood."

KPMG has agreed to support the government's initiative by helping FTSE 350 companies identify potential flaws in their cyber security procedures, with the aim of providing a benchmark the FTSE 350 can use to identify the best approach to improving cyber security.

Glass houses

While the KPMG report was widely reported, security experts were quick to point out that KPMG itself exposes the same kind of information: Graham Cluley told the BBC that a search for KPMG employees on the LinkedIn social network returned 2,742 results, any of whom could be emailed by someone posing as the company chairman.

"The email could say something like 'Great news team! We have launched a new KPMG intranet at (insert dangerous link here). Simply login with your usual network username and password to get the new great content...' and chances are that I would phish [lure them into clicking a malicious link and entering login details] some of the KPMG team."

Cluley added: "Oh dear - documents marked 'confidential' on KPMG's website, accessible via a simple Google search." A screenshot of the search results sent to the BBC read: "This document is CONFIDENTIAL and its circulation and use are RESTRICTED under the terms of KPMG's engagement letter."

Security researcher Robin Wood told SC Magazine that running two commonly available tools on KPMG's website found "over 400 email addresses, 164 users, 112 PC names and quite a lot of internal directories."
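The figures Wood quotes come from the metadata that Office and PDF files carry when they are published unstripped: author and last-editor account names, the company name, the local or UNC path of the source file (which gives away machine names and share layouts) and any e-mail addresses in the text. The following is an added example, not KPMG's, Wood's or either tool's code, of the same inventory run over documents a site is about to publish, so the numbers can be checked before an outsider collects them. The two sample files are constructed inline and every name, host and address in them is invented.

```python
"""Added example (not KPMG's, Robin Wood's or any named tool's code): list the
identifying metadata that published Office and PDF files carry, so a site can
check its own documents before release. The sample files are constructed
inline and every name, host and address in them is invented."""
import io
import re
import zipfile
from xml.etree import ElementTree as ET

EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# \\HOST\share\... : group 1 is the server name, the whole match is the path
UNC_RE = re.compile(rb"\\\\([A-Za-z0-9_.-]+)\\[^\s\"'<>)]+")
# C:\Users\<account>\... : group 1 is the Windows account name
USER_PATH_RE = re.compile(rb"[A-Za-z]:\\Users\\([^\\\s\"'<>)]+)[^\s\"'<>)]*")
# Entries of an uncompressed PDF Info dictionary, e.g. /Author (jsmith)
PDF_INFO_RE = re.compile(rb"/(Author|Creator|Title|Subject)\s*\(([^)]*)\)")

DC = "{http://purl.org/dc/elements/1.1/}"
CP = "{http://schemas.openxmlformats.org/package/2006/metadata/core-properties}"
APP = "{http://schemas.openxmlformats.org/officeDocument/2006/extended-properties}"
FIELDS = ("users", "hosts", "paths", "emails", "companies")

def _scan_bytes(blob, found):
    """Collect e-mail addresses, UNC hosts and user-profile paths from raw bytes."""
    for m in EMAIL_RE.finditer(blob):
        found["emails"].add(m.group(0).decode("ascii", "replace"))
    for m in UNC_RE.finditer(blob):
        found["hosts"].add(m.group(1).decode("ascii", "replace"))
        found["paths"].add(m.group(0).decode("ascii", "replace"))
    for m in USER_PATH_RE.finditer(blob):
        found["users"].add(m.group(1).decode("ascii", "replace"))
        found["paths"].add(m.group(0).decode("ascii", "replace"))

def inspect_document(data):
    """Return the metadata an attacker could harvest from one file's bytes."""
    found = {k: set() for k in FIELDS}
    if data.startswith(b"PK"):  # OOXML (docx/xlsx/pptx) is a zip of XML parts
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for name in z.namelist():
                part = z.read(name)
                _scan_bytes(part, found)  # hyperlink targets, body text, ...
                if name == "docProps/core.xml":
                    root = ET.fromstring(part)
                    for tag in (DC + "creator", CP + "lastModifiedBy"):
                        el = root.find(tag)
                        if el is not None and el.text:
                            found["users"].add(el.text.strip())
                elif name == "docProps/app.xml":
                    el = ET.fromstring(part).find(APP + "Company")
                    if el is not None and el.text:
                        found["companies"].add(el.text.strip())
    elif data.startswith(b"%PDF"):
        for key, value in PDF_INFO_RE.findall(data):
            value = value.replace(b"\\\\", b"\\")  # undo PDF string escaping
            _scan_bytes(value, found)  # converters often leave the source path in /Title
            if key == b"Author":
                found["users"].add(value.decode("latin-1"))
        for m in EMAIL_RE.finditer(data):
            found["emails"].add(m.group(0).decode("ascii", "replace"))
    else:
        _scan_bytes(data, found)  # best effort for anything else
    return {k: sorted(v) for k, v in found.items()}

def build_sample_docx():
    """Constructed .docx: the author/company properties Word writes plus a
    hyperlink to an internal file share (all values invented)."""
    core = ('<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s"><dc:creator>jsmith'
            '</dc:creator><cp:lastModifiedBy>a.jones</cp:lastModifiedBy>'
            '</cp:coreProperties>' % (CP[1:-1], DC[1:-1]))
    app = '<Properties xmlns="%s"><Company>Example Corp</Company></Properties>' % APP[1:-1]
    rels = (r'<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            r'<Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
            r'Target="file:///\\FILESRV01\Finance\Q3\forecast.xlsx" TargetMode="External"/></Relationships>')
    body = ('<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            '<w:body><w:p><w:r><w:t>Questions: finance.team@example.com</w:t></w:r></w:p>'
            '</w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, xml in (("docProps/core.xml", core), ("docProps/app.xml", app),
                          ("word/_rels/document.xml.rels", rels), ("word/document.xml", body)):
            z.writestr(name, xml)
    return buf.getvalue()

def build_sample_pdf():
    """Constructed minimal PDF whose Info dictionary mimics a desktop converter
    (author account plus the source document's local path)."""
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
            b"3 0 obj << /Author (jsmith) /Creator (Acrobat PDFMaker 9.1 for Word)\n"
            b"   /Title (C:\\\\Users\\\\jsmith\\\\Documents\\\\Q3_forecast.docx) >> endobj\n"
            b"trailer << /Root 1 0 R /Info 3 0 R >>\n%%EOF\n")

def summarize(documents):
    """Merge per-file findings into the site-wide tally a harvesting tool reports."""
    totals = {k: set() for k in FIELDS}
    for data in documents:
        for key, values in inspect_document(data).items():
            totals[key].update(values)
    return {k: sorted(v) for k, v in totals.items()}

if __name__ == "__main__":
    for field, values in summarize([build_sample_docx(), build_sample_pdf()]).items():
        print("%-9s %d  %s" % (field, len(values), ", ".join(values)))
```

Run over a crawl of your own site, `summarize` gives the same kind of counts Wood reports (distinct users, hosts and paths). Two caveats: the PDF branch reads only an uncompressed Info dictionary, so it misses Info objects inside compressed object streams and XMP metadata, where a dedicated metadata tool is needed; and the fix is to strip properties before publishing (Office's document inspector or a metadata stripper), not to trust that nobody will look.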

Highlight concerns

In response to the findings, KPMG told IBTimes UK: "As you might expect, KPMG put its own site through the same examination as we did other sites. We recognise that many websites provide some level of data leakage and with this in mind, the purpose of our report is to highlight concerns so they can be dealt with, rather than highlight individual weak spots. We were careful not to reveal specific weaknesses of any company as it would be inappropriate to do so."

Earlier this week, kitchen retailer Lakeland admitted it had been the victim of a "sophisticated and sustained attack," revealing hackers had gained access to two encrypted databases containing customers' passwords.

Managing director Sam Rayner said: "The security of our customers' data is hugely important to us and we are devastated to have fallen victim to these criminals. This has occurred despite the best efforts of ourselves and the industry leading IT company that runs our website for us to use the best security systems available."