The Information Commissioner’s Office (ICO) has published a security report highlighting eight of the most common IT security vulnerabilities.
The top reasons organisations have failed to keep personal data secure have been drawn from the ICO’s investigations into data breaches.
Many of these incidents have led to serious security breaches resulting in the ICO issuing monetary penalties totalling almost a million pounds to date.
The ICO issued a £250,000 penalty to Sony Computer Entertainment Europe after the company failed to keep its software up to date, leading to the details of millions of customers being compromised.
According to the ICO, the breaches could have been avoided or the consequences significantly reduced if the standard industry practices highlighted in the report had been adopted.
“In just the past couple of months we have already seen widespread concern over the expiry of support for Microsoft XP and the uncovering of the security flaw known as Heartbleed,” said Simon Rice, the ICO’s group manager for technology.
“While these security issues may seem complex, it is important that organisations of all sizes have a basic understanding of these types of threats and know what action they need to take to make sure their computer systems are keeping customers’ information secure,” he said.
Rice said ICO investigations have shown that, while some organisations are taking IT security seriously, too many are failing at the basics.
“If you are responsible for the security of your organisation’s information and you think salt is just something you put on your chips, rather than a method for protecting your passwords, then our report is for you,” he said.
The ICO said the report provides an introduction into established industry practices that could save UK organisations the financial and reputational costs associated with a serious data breach.
The report is intended to be an accessible document that builds on and complements the ICO’s previous IT security guidance for small businesses.
“The report provides data protection officers with the opportunity to learn from the mistakes of others, so that they can make sure their IT systems are better protected against the most common threats,” Rice wrote in the first of a series of blog posts on the topics covered by the report.
The top eight security vulnerabilities covered in the ICO’s report:
- Failure to keep software security up to date
- Lack of protection from SQL injection
- Use of unnecessary services
- Poor decommissioning of old software and services
- Insecure storage of passwords
- Failure to encrypt online communications
- Poorly designed networks processing data in inappropriate areas
- Continued use of default credentials including passwords
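To make the report's point about salted password storage concrete, here is an added example (not from the ICO report or the article) contrasting a bare hash with a per-user salt plus a slow key-derivation function; the user names and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample: two users who happen to choose the same password.
USERS = {"alice": "Winter2014!", "bob": "Winter2014!"}


def unsalted_digest(password: str) -> str:
    # The weak pattern: a bare hash. Identical passwords produce identical
    # digests, so one cracked digest (or a precomputed table) exposes every
    # account sharing that password.
    return hashlib.sha256(password.encode()).hexdigest()


def salted_record(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    # The corrected pattern: a random per-user salt plus PBKDF2-HMAC-SHA256
    # (standard library). The salt is stored beside the digest; it need not be
    # secret, it only has to be unique per record.
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    # Re-derive with the stored salt and iteration count, then compare in
    # constant time so the check itself does not leak timing information.
    _, iterations, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def collision_count(hash_fn) -> int:
    # Number of stored values shared between users. Anything above zero means
    # a reader of the password table can see which accounts reuse a password
    # without cracking a single one.
    values = [hash_fn(pw) for pw in USERS.values()]
    return len(values) - len(set(values))


if __name__ == "__main__":
    print("unsalted collisions:", collision_count(unsalted_digest))
    print("salted collisions:  ", collision_count(salted_record))
    rec = salted_record(USERS["alice"])
    print("verify correct password:", verify(USERS["alice"], rec))
    print("verify wrong password:  ", verify("winter2014!", rec))
```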