Executives’ failure to put in place basic cyber security measures poses a greater threat to organisations than cutting-edge exploits, according to the National Cyber Security Centre’s operations chief Paul Chichester.
Speaking at Infosecurity Europe on Wednesday, Chichester said that while tech professionals want to focus on the next attack vector, a significant number are “still not doing the basics”.
“We keep wanting to focus on the next shiny thing, but hackers don’t need to be that good to have global impact. Getting people to focus on the basics is far more important.”
The risks of failing to maintain good cyber hygiene were laid bare last year with the emergence of the WannaCry and NotPetya ransomware worms. Both spread using an exploit for a Windows SMBv1 vulnerability that Microsoft had already fixed in March 2017 (MS17-010), but many organisations had not applied the update in time.
“The adversaries are certainly still innovating, but from an NCSC point of view we are still really keen that people do the cyber hygiene,” Chichester explained. “That will have a huge impact across the UK.”
The NHS was among the organisations worst hit when WannaCry emerged last May. But despite government assurances that the health service’s cyber defences would be boosted in light of the attack, it was revealed in February that every NHS trust tested had failed a security resilience assessment.
James Lyne, head of security research at Sophos, told attendees that putting the basics in place can be hard and that organisations are doing a better job now than ever before: “I don’t think it’s that everyone here is so saying, ‘oh, well I can’t be bothered to do them’.”
Lyne also talked up the ways machine learning could transform organisations’ cyber defences. But he warned: “Even that as an amazing technology doesn’t eradicate the importance of proper security awareness processes.”
Concluding the session, Chichester said the next generation of cyber security professionals should inspire confidence in the UK’s cyber future: “I spend a lot of time with apprentices, with the CyberFirst events that we do and looking at some of the amazing talent from people wanting to work in this business. The talent pipeline is the thing that gives me real cause for optimism.”
The NCSC oversees the government-backed Cyber Essentials scheme, which sets out baseline controls for businesses and certifies organisations that meet them. Its five controls are boundary firewalls, secure configuration of devices and software, user access control, malware protection and keeping operating systems and applications patched.
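As an added illustration of what “doing the basics” looks like in practice (this script is not from the article, the NCSC or the Cyber Essentials scheme), the following PowerShell audit checks three of those controls on a single Windows host: that every firewall profile is on, that SMBv1, the protocol WannaCry and NotPetya spread over, is switched off, and that updates have been installed recently. The 30-day patch threshold is an assumed value chosen for the example, not a figure taken from NCSC guidance; it needs an elevated session on Windows 8.1 / Server 2012 R2 or later.

```powershell
# Added example (not from the article or NCSC): a quick local audit of three
# Cyber Essentials basics - firewall on, SMBv1 off, patches applied recently.
# Run elevated on Windows 8.1 / Server 2012 R2 or later (PowerShell 5.1+).
# $MaxPatchAgeDays is an assumed threshold for this example, not an NCSC figure.
param([int]$MaxPatchAgeDays = 30)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Firewall: the Domain, Private and Public profiles should all be enabled.
foreach ($p in Get-NetFirewallProfile) {
    if (-not $p.Enabled) {
        $findings.Add("Firewall profile '$($p.Name)' is disabled")
    }
}

# 2. Secure configuration: SMBv1 should be off. Check the server-side protocol
#    switch and the optional feature, since either leaves the legacy stack reachable.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings.Add("SMBv1 server protocol is enabled")
}
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    $findings.Add("SMB1Protocol optional feature is installed")
}

# 3. Patching: the most recently installed update should be within the threshold.
#    Get-HotFix only reports updates that carry an InstalledOn date, so an empty
#    result is itself a finding rather than a pass.
$latest = Get-HotFix |
    Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1

if (-not $latest) {
    $findings.Add("No installed updates with an InstalledOn date were found")
} elseif (((Get-Date) - $latest.InstalledOn) -gt [TimeSpan]::FromDays($MaxPatchAgeDays)) {
    $findings.Add("Latest update $($latest.HotFixID) was installed on " +
        "$($latest.InstalledOn.ToShortDateString()), older than $MaxPatchAgeDays days")
}

# Report: exit code 1 on any finding so the script can gate a build or a scheduled task.
if ($findings.Count -eq 0) {
    Write-Output "PASS: firewall on, SMBv1 off, updates installed within $MaxPatchAgeDays days"
    exit 0
}
$findings | ForEach-Object { Write-Output "FAIL: $_" }
exit 1
```

The patch check is deliberately coarse: Get-HotFix cannot tell you whether a specific fix such as MS17-010 is present once later cumulative updates have superseded it, so it answers “is this machine being patched at all?” rather than “is this machine vulnerable to a named CVE?”. For the latter, compare against your update management system’s compliance reports instead.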