Organizations fail to address the security basics
The UK Information Commissioner's Office has published a new report highlighting the eight most common vulnerabilities that have led to organizations failing to keep data secure.
The threats were identified as part of the ICO's investigations into data breaches caused by poor security practices. Many of these have led to financial penalties being imposed on the organizations involved.
These include the £250,000 fine issued to Sony Computer Entertainment Europe after the company failed to keep its software up to date, leading to the details of millions of customers being compromised during a targeted attack.
The top eight vulnerabilities picked out by the report are:
* Failure to keep software security up to date
* Lack of protection from SQL injection
* Use of unnecessary services
* Poor decommissioning of old software and services
* Insecure storage of passwords
* Failure to encrypt online communications
* Poorly designed networks processing data in inappropriate areas
* The continued use of default credentials including passwords
ICO's Group Manager for Technology, Simon Rice, says, "In just the past couple of months we have already seen widespread concern over the expiry of support for Microsoft XP and the uncovering of the security flaw known as Heartbleed. While these security issues may seem complex, it is important that organizations of all sizes have a basic understanding of these types of threats and know what action they need to take to make sure their computer systems are keeping customers' information secure".
Rice highlights the fact that many organizations are not addressing the basics of IT security: "Our experiences investigating data breaches on a daily basis show that whilst some organizations are taking IT security seriously, too many are failing at the basics. If you're responsible for the security of your organization's information and you think salt is just something you put on your chips, rather than a method for protecting your passwords, then our report is for you".
The full report, including good practice guidance on avoiding problems, can be downloaded as a PDF from the ICO website.
Rice will also be publishing a series of blogs over the next few days looking at the ICO's findings and recommendations in more detail.