Cyber-resilience chief laments ‘appalling level of malware’

Written by Jim Dunton on 2 March 2016 in News

The director of the UK’s national computer emergency response team has said 80% of the security issues his team records could be prevented if basic security measures were in place.

Chris Gibson told the Public Sector ICT Summit that an assumption on the part of many SMEs that no-one would bother to hack their systems, coupled with the prevalence of “phishing”, was responsible for the hundreds of thousands of incidents a year.

The CERT-UK director told the March 1 event, organised by PublicTechnology’s parent company Dods, that the country was still witnessing an “appalling level of malware” that was easy to counter with the right measures.

“One third of everything we see is phishing, which leads to malware, which leads to a breach, time and time again,” he said.

“There have been 530,000 Conficker infections in the last year or so. It's an eight-year-old vulnerability, and that's where we get challenged.”

Gibson said wider use of basic security measures, such as those outlined in the government-backed Cyber Essentials Scheme, would allow industry professionals to place greater emphasis on proactively identifying new threats.

“If you put in the cyber essentials, the fairly simple stuff that we all know about: passwords, patching, having a governance process and so on, 80% of the problems that we deal with would disappear in a puff of smoke,” he said.

“Having cyber essentials in place would actually reduce some of the harm effects of zero-day vulnerabilities which we see.”

Gibson said many small and medium-sized businesses deluded themselves that they were not of interest to hackers, but failed to realise how they would be targeted. 

“The idea that ‘they won't hit me’ is just nonsense because they will and they do,” he said.

“They can run the tools all day, they can hack anything they can to see where it will go. They're looking for big data because that's where the money is.”

Gibson referenced the high-profile attacks on entertainment giant Sony and French television station TV5 Monde last year, but reserved particular admonition for phone, TV and internet-services provider TalkTalk, which was subjected to a cyber attack in October 2015 that saw the personal details of 156,000 customers accessed. TalkTalk said 10% of those customers also had their bank details accessed.

“I don't think TalkTalk was targeted, I think that the guy ran a script and found a hole that happened to be at TalkTalk,” Gibson said. “It wasn't targeted, it was vulnerability based.”

He added that the age of the vulnerabilities exploited at TalkTalk was “embarrassing”.

Submitted on 3 March, 2016 - 12:34
It completely staggers me, and I begin to wonder if this whole issue with tardiness isn't simply a ruse. We all know that the biggest area of 'insecurity' is the one identified as 'people'. A lack of education (or a lack of response to educate staff sufficiently to begin to weed out the most obvious potential issues). Why? Digital Leaders Nw @DigitalNW had this very issue at the core of the salon discussions last week... and everyone knew what was needed. You will not stop malware because it is too often successful, and reaps rewards for the perpetrators, but you can limit the impact it is likely to have by ensuring everything that can be done is in place to limit its prevalence. I have a Mac, I use iOS. I see malware. Malware gets rejected, but I still stay alert. I worked for a local authority that would not see its way forward to move away from Windows XP. XP is still in use. I recently worked for a corporate with a predominance of XP in place. What is their problem? Is it a desire to fly close to the edge? Whose fault will it be when disaster strikes? I watched my ex-council battle a Conficker outbreak (seems like yesterday). I read the reports, saw the evidence - alas I didn't get the overtime... The cost was huge, the impact seemingly also huge was addressed by new hardware firewalls, long overdue. No one was held as responsible. That, to me, is the issue now. Malware is unfortunate, and it exists, but when it bites, and even if it bites hard and because of a lack of attention to the real needs to secure ourselves effectively, or even educate staff, no one is held responsible. It is just public money, after all.
