ICO publishes guide on top IT security failings

The ICO has published a report on eight of the most common IT security failings and how to avoid them

The Information Commissioner’s Office (ICO) has published a security report highlighting eight of the most common IT security vulnerabilities.

The top reasons organisations have failed to keep personal data secure have been drawn from the ICO’s investigations into data breaches.

Many of these incidents have led to serious security breaches resulting in the ICO issuing monetary penalties totalling almost a million pounds to date.

They include the £200,000 penalty issued to the British Pregnancy Advice Service, after user details were stored insecurely on the charity's website and compromised.

The ICO issued a £250,000 penalty to Sony Computer Entertainment Europe after the company failed to keep its software up to date, leading to the details of millions of customers being compromised.

According to the ICO, the breaches could have been avoided or the consequences significantly reduced if the standard industry practices highlighted in the report had been adopted.

“In just the past couple of months we have already seen widespread concern over the expiry of support for Microsoft XP and the uncovering of the security flaw known as Heartbleed,” said Simon Rice, the ICO’s group manager for technology.

“While these security issues may seem complex, it is important that organisations of all sizes have a basic understanding of these types of threats and know what action they need to take to make sure their computer systems are keeping customers’ information secure,” he said.

Rice said ICO investigations have shown that, while some organisations are taking IT security seriously, too many are failing at the basics.

“If you are responsible for the security of your organisation’s information and you think salt is just something you put on your chips, rather than a method for protecting your passwords, then our report is for you,” he said.

The ICO said the report provides an introduction into established industry practices that could save UK organisations the financial and reputational costs associated with a serious data breach.

The report is aimed at providing an accessible document that builds on and complements the ICO’s previous IT security guidance for small businesses.

“The report provides data protection officers with the opportunity to learn from the mistakes of others, so that they can make sure their IT systems are better protected against the most common threats,” Rice wrote in the first of a series of blog posts on the topics covered by the report.

The top eight security vulnerabilities covered in the ICO’s report:

  • Failure to keep software security up to date
  • Lack of protection from SQL injection
  • Use of unnecessary services
  • Poor decommissioning of old software and services
  • Insecure storage of passwords
  • Failure to encrypt online communications
  • Poorly designed networks processing data in inappropriate areas
  • Continued use of default credentials including passwords
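To make concrete what Rice's remark about salt and the "insecure storage of passwords" item refer to, here is an added example (not code from the ICO report or the article) contrasting a weak storage scheme with a salted one. It uses only Python's standard library; the iteration count and the sample passwords are constructed values for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Weak scheme: an unsalted, fast hash. Every user with the same password gets
# the same stored value, so one precomputed table of common passwords breaks
# all matching records at once.
def weak_store(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# Hardened scheme: a per-user random salt plus a deliberately slow key
# derivation function (PBKDF2-HMAC-SHA256 from the standard library).
# ITERATIONS is a constructed value for this example; tune it for your hardware.
ITERATIONS = 200_000

def hardened_store(password: str, salt: Optional[bytes] = None) -> str:
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    # Keep algorithm, iteration count, salt and digest together so the record
    # can be verified later without any external state.
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify(password: str, stored: str) -> bool:
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    print(weak_store(pw) == weak_store(pw))       # True: two users, one linkable hash
    first, second = hardened_store(pw), hardened_store(pw)
    print(first == second)                        # False: different salts
    print(verify(pw, first), verify("wrong", first))  # True False
```

The stored record carries its own salt and iteration count, which is what lets an organisation raise the work factor over time without invalidating existing accounts: verify old records with the parameters they were stored with, and rewrite them with the new parameters on the user's next successful login.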