When KPMG conducted penetration tests over the last two years for 200 organisations, it was able to gain administrative access to the Windows network and key applications in those organisations.
KPMG was also able to gain unauthorised access into the premises of all these organisations, across both public and private sectors.
This may sound like a horror story, but this precisely is what Philip Whitmore, partner, security advisory services at KPMG, reported to the delegates at the CPA Congress last week in Auckland.
Whitmore, who spoke on 'a real world perspective on the effectiveness of IT security', revealed more sobering results of the tests across these organisations:
- In about a third (32 per cent), KPMG was able to get past the internet perimeter.
- Just less than a quarter (24 per cent) of the wireless networks had vulnerabilities that allowed unauthorised access.
- Sixty-two per cent of the time, KPMG was able to access sensitive information stored on laptops and mobile devices.
These are damning numbers and most organisations are not getting better at security, he states.
He pointed out that security has probably become more and more top of mind for organisations over the last two years.
Security incidents have also been in the news, affecting organisations in the US, UK and Australia, and locally.
He said there is no obligation for New Zealand organisations to report a security or privacy breach, unlike in the United States and increasingly in other countries as well.
That is the reason why there are fewer reports involving local organisations. But the Privacy Act is being reviewed and the Privacy Commission is keen on changing that.
Basing his reports on the results of KPMG penetration tests on 200 of its clients, he listed the top 10 security issues for NZ organisations.
1. Poor quality passwords
Poor quality passwords are very common, and continue to be the number one issue.
Whitmore said 89 per cent of the organisations had administrative passwords that could be manually guessed without detection. Many of the companies did not use two-factor authentication.
2. Common initial passwords
In 78 per cent of the organisations, common passwords were used when new user accounts were created or when passwords were reset.
"Welcome" and "Monday" are the most common, said Whitmore. Moreover, 87 per cent of the organisations that used common initial passwords still had accounts which used the passwords during the tests.
3. Access to file shares not sufficiently controlled
Whitmore noted that 92 per cent of the organisations gave all users access to file shares which contained sensitive information, including payroll information.
Sufficient consideration is usually not given to which users should have access to which directories on the various servers. This information could be a year old but is still sensitive, he said, and there is a need to classify information as public, corporate or sensitive. For instance, somebody could simply put the customer database on a USB stick and walk out. "The value of that information is a lot."
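The file-share finding above is one that an administrator can check for directly. The following is an added example, not from the article or from KPMG, that lists the non-administrative SMB shares on a Windows file server and reports any share-level or NTFS permission that grants access to broad groups such as Everyone or Domain Users. It assumes the SmbShare module (Windows Server 2012 or later), that it runs on the file server with local administrator rights, and that the list of "broad" principals, including the domain name taken from the current session, is adjusted to the environment.

```powershell
# Added example (not from the article or KPMG): find SMB shares whose
# share-level or NTFS permissions grant access to broad groups.
# Assumptions: SmbShare module available; run locally on the file server
# with local admin rights; $BroadPrincipals adjusted to the environment.

$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    "$env:USERDOMAIN\Domain Users"   # assumed: domain name of the current session
)

function Get-BroadShareAccess {
    param(
        [string[]]$Principals = $BroadPrincipals
    )

    # Skip special/administrative shares (ADMIN$, C$, IPC$); the concern is
    # what ordinary business shares expose to every authenticated user.
    $shares = Get-SmbShare | Where-Object { -not $_.Special }

    foreach ($share in $shares) {
        # Share-level permissions
        $shareAccess = Get-SmbShareAccess -Name $share.Name |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $Principals -contains $_.AccountName
            }

        foreach ($entry in $shareAccess) {
            [pscustomobject]@{
                Share     = $share.Name
                Path      = $share.Path
                Layer     = 'Share'
                Principal = $entry.AccountName
                Rights    = $entry.AccessRight
            }
        }

        # NTFS permissions on the shared folder itself
        if ($share.Path -and (Test-Path -LiteralPath $share.Path)) {
            $acl = Get-Acl -LiteralPath $share.Path
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -eq 'Allow' -and
                    $Principals -contains $ace.IdentityReference.Value) {
                    [pscustomobject]@{
                        Share     = $share.Name
                        Path      = $share.Path
                        Layer     = 'NTFS'
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                    }
                }
            }
        }
    }
}

# Usage: compare each hit against the classification of the data on that
# share; shares holding sensitive data (payroll, customer records) should
# not appear in this output at all.
Get-BroadShareAccess | Sort-Object Share, Layer | Format-Table -AutoSize
```

Both layers are checked because effective access is the more restrictive of the two: a share granting Everyone Full Control is harmless if NTFS restricts the folder, and vice versa, so only a hit on both layers for the same share indicates that the broad group can actually read the data.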