SQL Injection, lack of updates, and failure to encrypt communications are among them

May 12, 2014 11:40 GMT

The United Kingdom’s Information Commissioner’s Office has published a new report highlighting the top vulnerabilities that led to data breaches involving personal information. The report is 46 pages long, and it’s called “Protecting personal data in online services: learning from the mistakes of others.”

The list of vulnerabilities includes the failure to keep software updated, SQL Injection flaws, the use of unnecessary services, poor decommissioning of old software and services, insecure storage of passwords, failure to encrypt communications, the use of default credentials, and inappropriate locations for processing data.
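Two of the listed problems, SQL Injection and insecure storage of passwords, are easy to show side by side in code. The following is an added illustration written for this article, not code from the ICO report: an in-memory SQLite user table, a lookup built by string formatting (the flawed form) next to a parameterised lookup, and a salted PBKDF2 password hash in place of storing a bare password or an unsalted digest. The table layout, function names and sample usernames are constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import List, Optional, Tuple

# Constructed in-memory database standing in for an application's user table.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)"
    )
    return conn

# Flawed form: the username is pasted into the SQL text, so a quote character
# in the input changes the structure of the query instead of being compared
# as data. This is the pattern the ICO lists as SQL Injection.
def find_user_unsafe(conn: sqlite3.Connection, username: str) -> List[str]:
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]

# Hardened form: a parameterised query. The driver sends the value separately
# from the SQL text, so whatever the input contains it is only ever a value.
def find_user_safe(conn: sqlite3.Connection, username: str) -> List[str]:
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,)
    )
    return [row[0] for row in rows]

# Salted password hashing with a slow key-derivation function. A fresh random
# salt per user means two users with the same password get different hashes,
# and the iteration count makes guessing each candidate expensive.
def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest

# Constant-time comparison so the check does not leak how many leading bytes
# of the digest matched.
def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)

def register_user(conn: sqlite3.Connection, username: str, password: str) -> None:
    salt, digest = hash_password(password)
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, digest),
    )

def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    return verify_password(password, row[0], row[1])

if __name__ == "__main__":
    db = make_db()
    register_user(db, "alice", "correct horse battery staple")
    register_user(db, "bob", "correct horse battery staple")
    probe = "x' OR 'a'='a"  # constructed input containing a quote character
    print("unsafe lookup returns:", find_user_unsafe(db, probe))
    print("safe lookup returns:", find_user_safe(db, probe))
    print("alice login:", login(db, "alice", "correct horse battery staple"))
```

Running the script shows the string-built query returning every user for an input that is not a username at all, while the parameterised query returns nothing, and two accounts with the same password end up with different stored hashes because each has its own salt.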

According to the ICO, many data breaches could have been avoided if organizations had paid better attention to IT security practices. Some organizations, like Sony Computer Entertainment Europe and the British Pregnancy Advice Service, were fined hundreds of thousands of pounds for failing to protect their customers’ private data.

The report not only summarizes the top security issues, but it also provides recommendations for remediation and good practices.

“In just the past couple of months we have already seen widespread concern over the expiry of support for Microsoft XP and the uncovering of the security flaw known as Heartbleed,” notes the ICO’s Group Manager for Technology, Simon Rice.

“While these security issues may seem complex, it is important that organisations of all sizes have a basic understanding of these types of threats and know what action they need to take to make sure their computer systems are keeping customers’ information secure,” Rice adds.

“Our experiences investigating data breaches on a daily basis shows that whilst some organisations are taking IT security seriously, too many are failing at the basics. If you’re responsible for the security of your organisation’s information and you think salt is just something you put on your chips, rather than a method for protecting your passwords, then our report is for you,” he continues.

“The report provides an introduction into these established industry practices that could save you the financial and reputational costs associated with a serious data breach.”

The complete report is available on the ICO’s website. The paper is aimed at those responsible for ensuring compliance with Britain’s Data Protection Act and at individuals who manage computing infrastructure.

While the report is not aimed specifically at experienced security professionals, it might be useful for this category as well since experts can learn from the mistakes of others.