Data security report

by Mark Rowe

Eight of the most common IT security vulnerabilities that have resulted in organisations failing to keep people’s information secure are featured in a new security report by the watchdog, the Information Commissioner’s Office (ICO).

The flaws were identified during the ICO’s investigations into data breaches caused by poor IT security practices. Many of these incidents led to what the Cheshire-based ICO calls serious security breaches, for which the ICO has issued fines totalling almost a million pounds. According to the watchdog, the breaches could have been avoided if standard industry practices had been adopted.

The fines include the £200,000 penalty issued to the British Pregnancy Advice Service after the details of service users were compromised through the insecure collection and storage of the information on its website, and the £250,000 fine issued to Sony Computer Entertainment Europe after the company failed to keep its software up to date, leading to the details of millions of customers being compromised during a targeted attack.

ICO’s Group Manager for Technology, Simon Rice, said: “In just the past couple of months we have already seen widespread concern over the expiry of support for Microsoft XP and the uncovering of the security flaw known as Heartbleed. While these security issues may seem complex, it is important that organisations of all sizes have a basic understanding of these types of threats and know what action they need to take to make sure their computer systems are keeping customers’ information secure.

“Our experiences investigating data breaches on a daily basis show that whilst some organisations are taking IT security seriously, too many are failing at the basics. If you’re responsible for the security of your organisation’s information and you think salt is just something you put on your chips, rather than a method for protecting your passwords, then our report is for you.

“The report provides an introduction into these established industry practices that could save you the financial and reputational costs associated with a serious data breach.”

The top eight computer security vulnerabilities covered in the ICO’s report comprise:

a failure to keep software security up to date;
a lack of protection from SQL injection;
the use of unnecessary services;
poor decommissioning of old software and services;
the insecure storage of passwords;
failure to encrypt online communications;
poorly designed networks processing data in inappropriate areas; and
the continued use of default credentials including passwords.
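Two items in that list, SQL injection and the insecure storage of passwords (the "salt" Simon Rice refers to above), are the ones most often fixed with a few lines of code. The following is an added illustration written for this page; it is not code from the ICO report and the `users` table, the username `alice` and the password values are constructed sample data. It puts the weak form beside the corrected form in each case: a login query built by string concatenation beside the same query with bound parameters, and an unsalted MD5 password hash beside a per-user random salt run through an iterated key derivation function (PBKDF2-HMAC-SHA256, as shipped in Python's standard library).

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample data for this example: a single in-memory SQLite table.
SAMPLE_USER = "alice"
SAMPLE_PASSWORD = "correct horse"


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", (SAMPLE_USER, SAMPLE_PASSWORD))
    conn.commit()
    return conn


# --- SQL injection: weak form beside the corrected form -------------------

def login_vulnerable(conn, username, password):
    # The query is assembled by concatenation, so attacker-controlled input
    # is parsed as SQL. A password of  ' OR '1'='1  turns the WHERE clause
    # into  ... AND password = '' OR '1'='1'  which is always true.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterised(conn, username, password):
    # Placeholders hand the values to the driver separately from the SQL
    # text, so the same input is compared as a literal string and matches
    # nothing.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


# --- Password storage: weak form beside the corrected form ----------------

def hash_password_insecure(password):
    # Unsalted, fast hash: every user with this password gets the same
    # digest, and precomputed lookup tables crack it directly.
    return hashlib.md5(password.encode("utf-8")).hexdigest()


DEFAULT_ITERATIONS = 600_000  # cost factor; raise it as hardware gets faster


def hash_password(password, iterations=DEFAULT_ITERATIONS):
    # 16 random bytes of salt per user, then a deliberately slow KDF.
    # Stored as algorithm$iterations$salt$digest so the parameters travel
    # with the hash and can be upgraded later.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so response timing does not leak the digest.
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    db = build_db()
    payload = "' OR '1'='1"
    print("vulnerable login bypassed:", login_vulnerable(db, SAMPLE_USER, payload))
    print("parameterised login bypassed:", login_parameterised(db, SAMPLE_USER, payload))
    stored = hash_password(SAMPLE_PASSWORD)
    print("stored:", stored)
    print("verify correct:", verify_password(SAMPLE_PASSWORD, stored))
    print("verify wrong:", verify_password("wrong", stored))
```

The concatenated query fails with the classic `' OR '1'='1` payload while the parameterised one does not; the salted hashes of the same password differ on every call, so a leaked database cannot be attacked with a single precomputed table, and the iteration count makes each guess expensive.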

For the 46-page report visit – http://ico.org.uk/news/latest_news/2014/~/media/documents/library/Data_Protection/Research_and_reports/protecting-personal-data-in-online-services-learning-from-the-mistakes-of-others.pdf

See also the ICO blog – http://iconewsblog.wordpress.com. Do you know your SSL from your TLS? Or what SQL injection is? The chances are that some of you won’t, but increasingly it’s these types of security issues that data protection officers and senior managers must have some understanding of in order to keep their systems secure, writes Simon Rice of the ICO.

Comments

Trevor Dearing, EMEA marketing director for the network traffic visibility company Gigamon, commented: “Protecting customer information is now a critical element of any organisation’s business practice. The rate at which breaches now seem to occur means that there is absolutely no excuse for any company to ignore these recommendations from the ICO. While most businesses are aware of the need to regularly change passwords – even if they don’t carry it out – it is interesting and encouraging to see that the ICO has included advice on practices that are less frequently discussed, such as the design of networks.

“As network speeds increase to accommodate the rising tide of traffic, organisations desperately need to look at their network architectures. Effectively securing all information held within an IT estate requires pervasive and efficient visibility of network traffic and communications, but the approach taken by many is based upon legacy technologies and thinking, leaving networks vulnerable to cyber threats. Instead, organisations must implement tools that enhance visibility into the network and use flow mapping technologies, which ensure that network tools only see the information they are best equipped – or authorised – to deal with.

“While changing passwords is all well and good for short-term fixes, organisations need to make changes to the foundations in order to effectively secure their networks for the future. A security strategy that is centred on capturing full visibility into traffic flows and which provides security tools with the complete picture will enable a far more robust approach to securing the network.”

And Stephen Midgley, Vice President, Global Marketing, Absolute Software, said: “Data is the very fabric of business, but it is so prevalent and intangible that it is always going to be hard to manage and track in order to secure every bit and byte. The consumerisation of IT and the mobile workforce revolution have added to the numerous ways data leaks occur, ranging from leaving an unlocked device on a train, through to misunderstanding how to use an app.

“So in this landscape, one would expect businesses to be taking the threat seriously. However, our recent Mobile Enterprise Risk research, in which we surveyed employees of enterprise businesses, showed that a third describe the security culture of their workplace as moderate or lax, only 63 per cent of employees say there is a formal procedure in place when a device is lost, and 30 per cent say there are no personal penalties for losing a device. Added to this, statistics showed that 23 per cent of employees claim that data security is not their responsibility, while 15 per cent admitted to having lost a smartphone or tablet, rising to 25 per cent in younger employees aged between 18 and 34.

“It’s clear that neither businesses nor employees are taking responsibility for data, and while there are solutions that can offer a quick fix, there needs to be work done on a more granular level to educate the business world on the very real threats and implications of data loss. You can apply whatever technology you want to control data, but ultimately the weakest link may be the psychology and culture of a business. The message is this – employees need to be informed about data security and this comes from an understanding throughout the hierarchy of a business. The more a business understands the risks out there, tallied with the potential impact on the company, the easier it will be to work together with employees to create a secure environment.”

© 2024 Professional Security Magazine. All rights reserved.