IT security professionals must get better at doing the basics right, starting with clear communication with other teams, if they’re to effectively mitigate the risk of breaches, according to Akamai.
The vendor’s global security advocate, Dave Lewis, told attendees at Infosecurity Europe in London this morning that the majority of brach incidents still stem from basic security errors such as failure to patch promptly.
An “obsession with zero days” threatens to further derail patching efforts and other basic security steps, he warned.
Fourth quarter Akamai data shared during the presentation revealed that SQLi attacks accounted for over half of recorded threats in the period, despite this being an OWASP Top 10 threat for over a decade.
The devastating impact of the WannaCry ransomware ‘worm’ also illustrates the problem many organizations still have with patching.
IT security needs to go back to basics to reduce the chance of damaging breaches, starting with better communication, Lewis argued.
“Things can and do go wrong. As infosec professionals we tend to view things as ‘us versus them’, but if you do that you’ve lost,” he said.
“We also have a really bad habit of assuming everyone knows about security when they don’t.”
Security professionals instead need to talk in terms of business risk, so functions including procurement, HR and even developers better understand the impact of security issues, he argued.
Internal audit teams can help IT security develop more effective breach plans, while the compliance department might also be an unlikely ally, Lewis argued.
Getting the basics right is even more important when one considers the advances that cyber-criminals and nation state hackers are making all the time.
Lewis referenced a security event earlier this year in which DARPA computers used machine learning technology to independently hunt for zero day threats. The concern is that the black hats will try similar tools and techniques going forward.