Organisations "failing at the basics" of IT security, warns ICO
'Protecting personal data in online services: learning from the mistakes of others' sets out best practice for protecting data
Failure to encrypt data, the use of out-of-date software and poorly designed networks are among what the Information Commissioner's Office (ICO) deems to be the top eight data security lapses it has encountered during its investigations.
The errors, listed in a new ICO report titled Protecting personal data in online services: learning from the mistakes of others, are drawn from research into poor security practices. Indeed, many of the mistakes outlined have led to the ICO issuing fines to organisations for falling foul of the Data Protection Act.
A lack of protection from SQL injection, the use of unnecessary services, poor decommissioning of old software and services, the continued use of default login credentials and the poor storage of passwords are also listed as common weaknesses in organisations' data defences.
The report also offers advice on good practice for avoiding these security issues. Much of the advice - such as "When there is no compelling reason to delay, you should apply security updates as soon as is practical" - seems obvious. However, in the wake of Heartbleed and the loss of Windows XP support, the ICO believes it's important to make organisations aware of security issues and how they should fix them.
"In just the past couple of months we have already seen widespread concern over the expiry of support for Microsoft XP and the uncovering of the security flaw known as Heartbleed," said ICO Group Manager for Technology, Simon Rice.
"While these security issues may seem complex, it is important that organisations of all sizes have a basic understanding of these types of threats and know what action they need to take to make sure their computer systems are keeping customers' information secure."
Rice suggested that while many organisations are taking IT security seriously, there are many which are "failing at the basics", and it's those which need to take heed of the report.
"If you're responsible for the security of your organisation's information and you think salt is just something you put on your chips, rather than a method for protecting your passwords, then our report is for you.
"The report provides an introduction into these established industry practices that could save you the financial and reputational costs associated with a serious data breach," Rice added.
The report also warns that its top eight IT data threats aren't the only information security issues which need to be addressed.
"As technology advances, it is highly likely that new or different threats will be commonly seen in the ICO caseload," says the report.
"This document should not be considered an exhaustive or complete list of potential threats. Any organisation operating an IT environment must ensure that appropriate technical and organisational measures are in place to protect personal data.
"These must be monitored and maintained over time to remain effective," it concludes.