The director of the UK’s national computer emergency response team has said 80% of the security issues his team records could be prevented if basic security measures were in place.
Chris Gibson told the Public Sector ICT Summit that an assumption on the part of many SMEs that no-one would bother to hack their systems, coupled with the prevalence of “phishing” was responsible for the hundreds of thousands of incidents a year.
The CERT-UK director told the March 1 event, organised by PublicTechnology’s parent company Dods, that the country was still witnessing an “appalling level of malware” that was easy to counter with the right measures.
“One third of everything we see is phishing, which leads to malware, which leads to a breach, time and time again,” he said.
“There have been 530,000 Conficker infections in the last year or so. It’s an eight-year-old vulnerability, and that’s where we get challenged.”
Gibson said wider use of basic security measures, such as those outlined in the government-backed Cyber Essentials Scheme, would allow for industry professionals to place greater emphasis on proactively identifying new threats.
“If you put in the cyber essentials, the fairly simple stuff that we all know about: passwords, patching, having a governance process and so on, 80% of the problems that we deal with would disappear in a puff of smoke,” he said.
“Having cyber essentials in place would actually reduce some of the harm effects of zero-day vulnerabilities which we see.”
Gibson said many small and medium-sized businesses deluded themselves that they were not of interest to hackers, but failed to realise how they would be targeted.
“The idea that ‘they won’t hit me’ is just nonsense because they will and they do,” he said.
“They can run the tools all day, they can hack anything they can to see where it will go. They’re looking for big data because that’s where the money is.”
Gibson referenced the high-profile attacks on entertainment giant Sony and French television station TV5 Monde last year, but reserved particular admonition for phone, TV and internet-services provider TalkTalk, which was subjected to a cyber attack in October 2015 that saw the personal details of 156,000 customers accessed. TalkTalk said 10% of those customers also had their bank details accessed.
“I don’t think TalkTalk was targeted, I think that the guy ran a script and found a hole that happened to be at TalkTalk,” Gibson said. “It wasn’t targeted, it was vulnerability based.”
He added that the age of the vulnerabilities exploited at TalkTalk was “embarrassing”.