Many of the cyber attacks that organisations are facing exploit failings in basic cyber security practices such as poor software patching, according to Kevin Fielder, CISO of Just Eat.
“Certainly the attacks we are seeing are not that sophisticated at all,” he told attendees of Infosecurity Europe 2018 in London.
“They typically target common, well-known vulnerabilities such as SQL injection, but they still work so they are what cyber attackers target the most.”
While it is important for every organisation to understand the threats it is most likely to face, because every organisation is different, Fielder said the overall trend he is seeing is that although most attacks are simple, they are getting bigger, faster and more numerous.
“The increasing use of vast botnets means attackers are able to ramp up attacks much faster than in the past,” he said.
But there is also evidence that attackers are getting smarter in their ability to avoid detection by controls designed to block automated attacks.
“We are also seeing attacks that are lower, slower and more distributed in an attempt to stay below the detection thresholds of controls,” said Fielder.
“Organisations will be able to block a lot of the attacks we are seeing by simply ensuring that they know where their most critical data assets are located and that they are appropriately protected,” he said.
“It is all about doing the basics such as monitoring key assets, putting in effective access controls, analysing behaviour for anomalies and automating as many low-level tasks as possible to alleviate the pressure on security teams and free them up to do more interesting work.”
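The "lower, slower and more distributed" attacks Fielder describes, and his advice to analyse behaviour for anomalies, are easier to appreciate with a concrete detection check. The following Python script is an added example, not code from Fielder or Just Eat: it runs two simple rules over constructed authentication-failure events. A per-source rate threshold (the kind of control a basic brute-force blocker applies) catches one noisy source but misses a campaign in which a dozen sources each fail only twice against the same account; aggregating by target account over a longer window, counting distinct sources, recovers it. All IP addresses, account names, thresholds and timestamps are invented for the illustration.

```python
"""Added example: why a per-source rate threshold misses low-and-slow,
distributed login attacks, and how aggregating by target account over a
longer window recovers them. All events below are constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def fmt(t):
    return t.strftime(TS_FMT)


def parse_line(line):
    """Parse a constructed log line 'ISO-timestamp src_ip account result'."""
    ts, src, account, result = line.split()
    return {"ts": datetime.strptime(ts, TS_FMT), "src": src,
            "account": account, "result": result}


def build_sample_events():
    """Constructed events: one noisy attacker, one distributed low-and-slow
    campaign, and a legitimate user who mistypes a password once."""
    base = datetime(2018, 6, 5, 10, 0, 0)  # arbitrary constructed start time
    lines = []
    # Noisy: a single source produces 8 failures against 'alice' in 21 seconds.
    for i in range(8):
        lines.append(f"{fmt(base + timedelta(seconds=3 * i))} 198.51.100.7 alice FAIL")
    # Low and slow: 12 distinct sources, 2 failures each against 'bob',
    # spread one minute apart so no single source ever looks busy.
    for i in range(12):
        for j in range(2):
            t = base + timedelta(minutes=i, seconds=20 * j)
            lines.append(f"{fmt(t)} 203.0.113.{10 + i} bob FAIL")
    # Background noise: a real user fails once and then succeeds.
    lines.append(f"{fmt(base + timedelta(minutes=3))} 192.0.2.5 carol FAIL")
    lines.append(f"{fmt(base + timedelta(minutes=3, seconds=15))} 192.0.2.5 carol OK")
    return [parse_line(line) for line in sorted(lines)]


def per_source_alerts(events, max_failures=5, window=timedelta(seconds=60)):
    """Classic rate rule: flag a source IP that produces more than
    max_failures FAIL results inside any sliding window."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            by_src[e["src"]].append(e["ts"])
    flagged = set()
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > max_failures:
                flagged.add(src)
                break
    return flagged


def per_account_alerts(events, min_sources=8, window=timedelta(minutes=15)):
    """Behavioural rule: flag an account when FAIL results against it come
    from at least min_sources distinct IPs inside any sliding window.
    Returns {account: peak distinct-source count}."""
    by_acct = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            by_acct[e["account"]].append((e["ts"], e["src"]))
    flagged = {}
    for acct, items in by_acct.items():
        items.sort()
        start = 0
        peak = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            peak = max(peak, len({src for _, src in items[start:end + 1]}))
        if peak >= min_sources:
            flagged[acct] = peak
    return flagged


if __name__ == "__main__":
    evts = build_sample_events()
    print("per-source rule flags:", per_source_alerts(evts))    # only the noisy IP
    print("per-account rule flags:", per_account_alerts(evts))  # the distributed campaign
```

The per-source rule sees every one of the twelve campaign addresses as two harmless failures, which is exactly the "below the detection threshold" effect described above; the per-account rule keys on what the attacker cannot spread out, the target, and counts how many sources are hitting it. In practice the window and distinct-source threshold need tuning against the organisation's own baseline, and the same aggregation idea applies to other targets (a URL path, a tenant, an API key) rather than just user accounts.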
Train up talent in workplace
Fielder also challenged the claims that cyber security positions are very difficult or impossible to fill. “I think part of the problem is that many organisations are not looking in the right places,” he said.
Fielder believes that organisations typically overlook the potential of people with enthusiasm and the right mindset already working in other parts of the organisation.
“New security staff often have to be trained to bring them up to speed on how the business works, so organisations should look for people in the organisation who already know the business to train them and bring them up to speed on security,” he said.
As well as building a good security team by drawing on existing employees, Fielder said organisations should ensure their security teams engage with other teams across the business to work together to build a cyber security culture.
“Cyber security should be everyone’s responsibility, and by teams working together they can get the culture out there to achieve common goals,” he said.
Fielder also advised businesses to engage more with cyber security teams on problems they encounter as soon as possible. “To encourage this, security teams should make themselves approachable and give people in the organisation confidence to talk to them about their concerns without fear,” he said.
In addition to working across their own organisations, Fielder said it is equally important for cyber security teams to engage with their peers in other organisations.
“Information security professionals should share threat information and information about what works and what doesn’t with their peers, in other industries if necessary due to competitive concerns,” he said.
“This type of information sharing is often much more useful than cyber threat intelligence feeds, which provide no information about context or how others are dealing with a particular threat.”
Fielder said this can often be done on an informal basis in small groups of professionals who know and trust each other and help each other out in a crisis.