IP Expo panel blasts enterprises for not taking “basic” cyber security steps.
Cyber security was one of the main topics on the IP Expo agenda, but a ‘Future of Cyber Security’ panel featured an unusually strong message from participants to enterprises: you are failing.
Rik Ferguson, Global VP of Security Research at Trend Micro, asked by moderator Rory Cellan-Jones from the BBC what scared him most, said “the people in the room.”
Apologising for “alienating” most of the audience, he said that the people responsible for security in enterprises were doing a poor job.
“TalkTalk is a great example: it shouldn’t be possible in 2016 to carry out an SQL injection. A SQL injection should fail.”
The castigation of enterprise security professionals came as TalkTalk was hit with a fine by the Information Commissioner’s Office (ICO) for failing to take basic steps to protect customer information.
The fine of £400,000 comes in response to the theft of the personal data of around 157,000 customers in October 2015.
The ICO found from its investigation that TalkTalk hosted three webpages that were vulnerable to SQL injections.
To demonstrate his point, Ferguson put a series of basic security questions to the audience and asked for a show of hands; very few raised theirs to say that their data was encrypted or that they used multi-factor authentication.
“Because enterprises are not doing enough about the basics of security, these attacks continue. Citizens are impacted by these hacks. They are all related to an enterprise,” he said.
James Lyne, Head of Security Research at Sophos, agreed that “we’re all failing” but said that not all organisations were as culpable as those which were impacted by basic attacks.
“We’re about to enter a period where we’re going to name and shame,” he said, referring to the introduction of GDPR in 2018.
“I’m concerned that we’re putting all of those people in the category of negligent idiots,” said Lyne.
“There are also cases where people get hit by zero-days that they really couldn’t do anything about.”
The two were speaking on a panel also featuring Eugene Kaspersky, CEO of Kaspersky Lab.
Ferguson said that the solution for enterprises was to educate themselves and their workforces about security, and to address basic issues such as encryption of data and defending against well-known vulnerabilities such as SQL injection.
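Ferguson's point that "a SQL injection should fail" comes down to one coding practice: never build SQL from user input by string concatenation; bind it as a parameter instead. The following is an added illustration, not code from the panel or from TalkTalk; the table, data and lookup functions are constructed for the example, and the in-memory SQLite database stands in for a real customer store.

```python
import sqlite3


def make_db():
    # Constructed sample data: a tiny table standing in for a customer record store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [(1, "alice@example.com"), (2, "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, email):
    # The "before" case: the statement is assembled by concatenation, so whatever
    # the caller supplies is parsed as part of the SQL text.
    sql = "SELECT id, email FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, email):
    # The fix: a bound parameter. The driver sends the input as data, never as
    # SQL, so an injection attempt is just a string that matches no row.
    sql = "SELECT id, email FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Constructed regression input: the textbook tautology that turns a lookup into
# "return every row". A correct implementation returns zero rows for it.
INJECTION_ATTEMPT = "' OR '1'='1"


def injection_fails(lookup):
    # Defender's check: does this lookup function hand back nothing for the
    # tautology input? Use it as a unit test against every query helper.
    return len(lookup(make_db(), INJECTION_ATTEMPT)) == 0


if __name__ == "__main__":
    print("vulnerable lookup leaks rows:", not injection_fails(lookup_vulnerable))
    print("parameterised lookup rejects it:", injection_fails(lookup_parameterised))
```

The `injection_fails` check is the kind of test Ferguson's remark implies should already exist in every enterprise build pipeline: the same input that returns the whole table from the concatenated query returns nothing from the parameterised one.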