Cyber-resilience chief laments ‘appalling level of malware’

Written by Jim Dunton on 2 March 2016 in News

The director of the UK’s national computer emergency response team has said 80% of the security issues his team records could be prevented if basic security measures were in place.

Chris Gibson told the Public Sector ICT Summit that an assumption on the part of many SMEs that no-one would bother to hack their systems, coupled with the prevalence of “phishing” was responsible for the hundreds of thousands of incidents a year.

The CERT-UK  director told the March 1 event, organised by PublicTechnology’s parent company Dods, that the country was still witnessing an “appalling level of malware” that was easy to counter with the right measures.

“One third of everything we see is phishing, which leads to malware, which leads to a breach, time and time again,” he said.

“There have been 530,000 Conficker infections in the last year or so. It's an eight year old vulnerability, and that's where we get challenged.”

Gibson said wider use of basic security measures, such as those outlined in the government-backed Cyber Essentials Scheme, would allow for industry professionals to place greater emphasis on proactively identifying new threats.

Related content

Matt Hancock announces UK-Israeli cyber-physical tie-up

UK public sector faces biggest malware threat

“If you put in the cyber essentials, the fairly simple stuff that we all know about: passwords; patching, having a governance process and so on, 80% of the problems that we deal with would disappear in a puff of smoke,” he said.

“Having cyber essentials in place would actually reduce some of the harm effects of zero-day vulnerabilities which we see.”

Gibson said many small and medium-sized businesses deluded themselves that they were not of interest to hackers, but failed to realise how they would be targeted. 

“The idea that ‘they won't hit me’ is just nonsense because they will and they do,” he said.

“They can run the tools all day, they can hack anything they can to see where it will go. They're looking for big data because that's where the money is.”

Gibson referenced the high profile attacks on entertainment giant Sony and French television station TV5 Monde last year, but reserved particular admonition for phone, TV and internet-services provider TalkTalk, which was subjected to a cyber attack in October 2015 that saw the personal details of 156,000 customers accessed. TalkTalk said 10% of those customers also had their bank details accessed. 

“I don't think TalkTalk was targeted, I think that the guy ran a script and found a hole that happened to be at TalkTalk,” Gibson said. “It wasn't targeted, it was vulnerability based.”

He added that the age of the vulnerabilities exploited at TalkTalk was "embarrassing".

Share this page




Please login to post a comment or register for a free account.


Submitted on 3 March, 2016 - 12:34
It completely staggers me, and I begin to wonder if this who issue with tardiness isn't simply a ruse. We all know that the biggest area of 'insecurity' is the one identified as 'people'. A lack of education (or a lack of response to educate staff sufficiently to begin to weed out the most obvious potential issues). Why? Digital Leaders Nw @DigitalNW had this very issue at the core of the salon discussions last week... and everyone knew what was needed. You will not stop malware because it is too often successful, and reaps rewards for the perpetrators, but you can limit the impact it is likely to have by ensuring everything that can be done is in place to limit its prevalence. I have a Mac, I use iOS. I see malware, Malware gets rejected, but I still stay alert. I worked for a local authority that would not see its way forward to move away from Windows XP. XP is still in use. I recently worked for a corporate with a predominance of XP in place. What is their problem? Is it a desire to fly close to the edge? Whose fault will it be when disaster strikes? I watched my ex- council battle a Conficker outbreak (seems like yesterday). I read the reports, saw the evidence - alas I didn't get the overtime... The cost was huge, the impact seemingly also huge was addressed by new hardware firewalls, long overdue. No one was held as responsible. That, to me, is the issue now. Malware is unfortunate, and it exists, but when it bites, and even if it bites hard and because of a lack of attention to the real needs to secure ourselves effectively, or even educate staff, no one one is held responsible. It is just public money, after all.

Related Articles

Government defeats Tory rebellion in Commons Huawei vote
11 March 2020

An amendment that would have guaranteed the removal of the Chinese vendor’s kit by 2023 was not passed


Downing Street website for special adviser jobs slammed by civil service union chief
2 March 2020

FDA general secretary Dave Penman says online recruitment of digital and comms specialists ‘looks like a ruse to get around open and fair selection’