Top IT data security threats revealed and what organisations must do to stop them
12 May 2014 11:34 AM
The Information Commissioner’s Office (ICO) has published a new security report highlighting eight of the most common IT security vulnerabilities that have resulted in organisations failing to keep people’s information secure.
The flaws were identified during the ICO’s investigations into data breaches caused by poor IT security practices. Many of these incidents have led to serious security breaches resulting in the ICO issuing monetary penalties totalling almost a million pounds. The breaches could have been avoided if the standard industry practices highlighted in today’s report had been adopted.
They include the £200,000 penalty issued to the British Pregnancy Advice Service after the details of service users were compromised due to the insecure collection and storage of the information on their website, and the £250,000 penalty issued to Sony Computer Entertainment Europe after the company failed to keep its software up to date, leading to the details of millions of customers being compromised during a targeted attack.
Announcing the publication of today’s advice, the ICO’s Group Manager for Technology, Simon Rice, said:
“In just the past couple of months we have already seen widespread concern over the expiry of support for Microsoft XP and the uncovering of the security flaw known as Heartbleed. While these security issues may seem complex, it is important that organisations of all sizes have a basic understanding of these types of threats and know what action they need to take to make sure their computer systems are keeping customers’ information secure.
“Our experiences investigating data breaches on a daily basis show that whilst some organisations are taking IT security seriously, too many are failing at the basics. If you’re responsible for the security of your organisation’s information and you think salt is just something you put on your chips, rather than a method for protecting your passwords, then our report is for you.
“The report provides an introduction to these established industry practices that could save you the financial and reputational costs associated with a serious data breach.”
The top eight computer security vulnerabilities covered in the ICO’s report comprise:
- a failure to keep software security up to date;
- a lack of protection from SQL injection;
- the use of unnecessary services;
- poor decommissioning of old software and services;
- the insecure storage of passwords;
- failure to encrypt online communications;
- poorly designed networks processing data in inappropriate areas; and
- the continued use of default credentials including passwords.
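Two items on that list, SQL injection and the insecure storage of passwords (the "salt" the quote above refers to), are shown side by side below. This is an added worked example and is not code from the ICO report: it builds a constructed in-memory SQLite user table, stores one password the wrong way (unsalted MD5, looked up with a string-built query) and the right way (per-user random salt, PBKDF2-HMAC-SHA256, a parameterised query and a constant-time compare), then checks which login path an injected username can bypass. The user names, passwords and the 200,000-iteration work factor are assumptions for the example.

```python
"""Added example (not from the ICO report): SQL injection and password storage
done badly and done properly, on a constructed in-memory SQLite user table."""
import hashlib
import hmac
import os
import sqlite3
from typing import Optional, Tuple

ITERATIONS = 200_000  # PBKDF2 work factor; an assumption for this example


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key). A fresh 16-byte random salt per user means two
    users with the same password get different stored values, so a precomputed
    table of hashes is useless and one crack does not reveal the other account."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, key


def verify_password(password: str, salt: bytes, stored_key: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_key)


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    # 'md5' column exists only to demonstrate the insecure scheme alongside the safe one.
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, key BLOB, md5 TEXT)")
    return conn


def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    salt, key = hash_password(password)
    legacy_md5 = hashlib.md5(password.encode("utf-8")).hexdigest()  # insecure: unsalted, fast
    conn.execute("INSERT INTO users VALUES (?, ?, ?, ?)", (username, salt, key, legacy_md5))


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Insecure: unsalted MD5 checked by a query built with string formatting.
    A username such as  alice' --  turns the rest of the WHERE clause into a comment."""
    md5 = hashlib.md5(password.encode("utf-8")).hexdigest()
    sql = f"SELECT 1 FROM users WHERE username = '{username}' AND md5 = '{md5}'"
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised lookup: the driver binds the username as data, never as SQL."""
    row = conn.execute("SELECT salt, key FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        hash_password(password, b"\x00" * 16)  # do the same work so timing does not reveal valid usernames
        return False
    return verify_password(password, row[0], row[1])


def demo() -> dict:
    """Constructed scenario: two users share a password; an attacker tries an injected username."""
    conn = make_db()
    register(conn, "alice", "correct horse")
    register(conn, "bob", "correct horse")
    rows = conn.execute("SELECT key, md5 FROM users ORDER BY username").fetchall()
    return {
        "md5_identical": rows[0][1] == rows[1][1],        # same password -> same unsalted hash
        "pbkdf2_identical": rows[0][0] == rows[1][0],     # salted -> different stored keys
        "vulnerable_bypass": login_vulnerable(conn, "alice' --", "wrong"),
        "safe_bypass": login_safe(conn, "alice' --", "wrong"),
        "safe_good": login_safe(conn, "alice", "correct horse"),
        "safe_bad": login_safe(conn, "alice", "wrong"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The injected username bypasses only the string-built query; the parameterised path treats it as a literal name that does not exist. The salted column shows why the quip about salt matters: alice and bob share a password, yet only the MD5 column reveals it.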
As well as the comprehensive report, the ICO’s Simon Rice will be publishing a series of blogs this week explaining the key aspects of the ICO’s latest advice in further detail. His first blog, published this morning, explains the pressing need for today’s report and how it was developed.
Simon will also be taking part in a question and answer session this Friday to respond to any questions people have about today’s report. Anyone who would like to send in a question can email the details to pressoffice@ico.org.uk or tweet @ICONews by 10.30am on Thursday 15 May.
Notes to Editors
1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
2. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, the Environmental Information Regulations 2004 and the Privacy and Electronic Communications Regulations 2003.
3. The ICO is on Twitter, Facebook and LinkedIn, and produces a monthly e-newsletter.
4. Anyone who processes personal information must comply with the eight principles of the Data Protection Act, which make sure that personal information is:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate and up to date
- Not kept for longer than is necessary
- Processed in line with your rights
- Secure
- Not transferred to other countries without adequate protection
5. If you need more information, please contact the ICO press office on 0303 123 9070.
Report: Protecting personal data in online services: learning from the mistakes of others