The castigation of enterprise security professionals came as TalkTalk was hit with a fine by the Information Commissioner’s Office (ICO) for failing to take basic steps to protect customer information.
The fine of £400,000 comes in response to the theft of the personal data of around 157,000 customers in October 2015.
The ICO found from its investigation that TalkTalk hosted three webpages that were vulnerable to SQL injection.
To demonstrate his point, Ferguson asked the audience a series of questions around basic security, asking for a show of hands, with very few raising their hands to say that their data was encrypted or that they used multi-factor authentication.
“Because enterprises are not doing enough about the basics of security, these attacks continue. Citizens are impacted by these hacks. They are all related to an enterprise,” he said.
James Lyne, Head of Security Research at Sophos, agreed that “we’re all failing” but said that not all organisations were as culpable as those which were impacted by basic attacks.
“We’re about to enter a period where we’re going to name and shame,” he said, referring to the introduction of GDPR in 2018.
“I’m concerned that we’re putting all of those people in the category of negligent idiots,” said Lyne.
“There are also cases where people get hit by zero-days that they really couldn’t do anything about.”
The two were speaking on a panel also featuring Eugene Kaspersky, CEO of Kaspersky Lab.
Ferguson said that the solution for enterprises was to educate themselves and their workforces about security, as well as addressing basic issues such as encrypting data at rest and defending against well-known vulnerability classes such as SQL injection.
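The "basic" fix Ferguson is pointing at is a one-line change. The example below is added here and is not TalkTalk's code or anything described in the ICO finding; it uses a constructed in-memory SQLite table and a hypothetical customer-lookup function to show how a query built from user input is subverted by a single quote in the input, and how the same lookup with a bound parameter is not.

```python
import sqlite3

# Constructed sample data for the demonstration (not real customer records).
CUSTOMERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]

# A classic tautology payload: the closing quote ends the intended string
# literal and the OR clause makes the WHERE condition true for every row.
PAYLOAD = "' OR '1'='1"


def make_db():
    """Build an in-memory database with the constructed customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn, username):
    """Hypothetical vulnerable lookup: the query text is assembled from user input,
    so the input can change the structure of the statement, not just its value."""
    sql = f"SELECT id, username, email FROM customers WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Hardened lookup: the statement shape is fixed and the driver binds the
    value, so quotes in the input are data, never SQL."""
    sql = "SELECT id, username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # Legitimate input behaves identically in both versions.
    print("vulnerable, 'bob':", lookup_vulnerable(conn, "bob"))
    print("safe,       'bob':", lookup_safe(conn, "bob"))
    # The payload dumps every row from the vulnerable version and nothing
    # from the parameterised one, because no username equals the payload string.
    print("vulnerable, payload:", lookup_vulnerable(conn, PAYLOAD))
    print("safe,       payload:", lookup_safe(conn, PAYLOAD))
```

Parameter binding is the fix, not input filtering: the payload here contains only characters a legitimate username field might reasonably see, and a blocklist would have to anticipate every variant. The same pattern applies with any driver that supports placeholders; the placeholder syntax (`?`, `%s`, `:name`) varies, the principle does not.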
This article is from the CBROnline archive: some formatting and images may not be present.