ICO report: Too many companies fail 'security basics'

The Information Commissioner's Office (ICO) has highlighted eight of the most common IT security vulnerabilities in a new report which reveals that businesses are often failing at 'basic' security measures.

ICO report: Too many companies fail 'security basics'
ICO report: Too many companies fail 'security basics'

Citing recent high-profile data breaches suffered by the British Pregnancy Advice Service (fined £200,000 by the watchdog) and Sony Computer Entertainment Europe (£250,000 fine), the ICO listed the most common security flaws that led to security breaches, and monetary penalties.

The top eight IT security vulnerabilities were as follows:

  • A failure to keep software security up to date
  • A lack of protection from SQL injection
  • The use of unnecessary services
  • Poor decommissioning of old software and services
  • The insecure storage of passwords
  • Failure to encrypt online communications
  • Poorly designed networks processing data in inappropriate areas
  • The continued use of default credentials including passwords

With many of these hinging on poor implementation or – worse still – user awareness, ICO group manager for technology, Simon Rice, said that it's often the basics that companies are getting wrong.

“In just the past couple of months we have already seen widespread concern over the expiry of support for Microsoft XP and the uncovering of the security flaw known as Heartbleed,” said Rice in a statement.

“While these security issues may seem complex, it is important that organisations of all sizes have a basic understanding of these types of threats and know what action they need to take to make sure their computer systems are keeping customers' information secure.

“Our experiences investigating data breaches on a daily basis shows that whilst some organisations are taking IT security seriously, too many are failing at the basics. If you're responsible for the security of your organisation's information and you think salt is just something you put on your chips, rather than a method for protecting your passwords, then our report is for you.

“The report provides an introduction into these established industry practices that could save you the financial and reputational costs associated with a serious data breach.”

MWR InfoSecurity security consultant Rorie Hood wasn't surprised with the finding that firms fall behind on implementing updates.

"There is no single reason why companies fail to keep software up to date," he told SCMagazineUK.com. "Common reasons include business critical systems being deemed too important to bring down for patching, or that software maintenance gets pushed back to make way for other tasks deemed more important, which can often be the result of an under resourced IT team or unrealistic management expectations."

Professor Peter Sommer, a forensics professional and visiting professor at de Montfort University, meanwhile, agreed with Rice's comments, suggesting that hackers are sometimes made to look better than they really are.

"Newsworthy, exotic attacks by the elite hackers are, most failures are down to not addressing simple routine security issues," he told SCMagazineUK.com, adding that ICO could take a more pro-active stance to helping companies if they had more resources and statutory powers.

A number of other InfoSec professionals were also dismayed by the report findings, with Charles Sweeney, CEO of Scottish email and web filtering firm Bloxx, adding that a number of companies make mistakes when implementing security solutions.

"What strikes me about the report is that companies are falling victim to the same mistakes time and time again when it comes to data losses,” he said in an email to SCMagazineUK.com.

“A lot of organisations have tried to learn lessons from the past and implemented a 'joined up 360 degree' approach to security, but in reality what they have are lots of point security solutions that are difficult to configure and may not integrate easily. 

"This creates blind spots that make it exceptionally difficult to identify, monitor and manage vulnerabilities across the enterprise. It's the reason that old COBOL applications from twenty years ago can still be exploited by hackers today as a way of gaining access to the corporate infrastructure and why lost laptops 'secured' with weak passwords still strike the fear of God into any IT director when they get left on trains."

"Fragmented security is a big Achilles Heel for all organisations and the answer isn't to go on a spending spree on the latest and greatest technologies, but to understand where your organisation is vulnerable and invest to plug those gaps. 

Ben Johnson, chief security evangelist, for Bit9 and Carbon Black, said that the report showed, yet again, the disconnect between security teams and the board. 

"Enterprises these days are in a very tough spot,” Johnson said in an email to SCMagazineUK.com. “The board level often sees security spending as an unnecessary cost or a hindrance to day-to-day operations.” 

He added: “”Legacy applications require a particular version of Windows or Java or related technologies where they are out-dated and very vulnerable.  Whenever there is a case of just needing to “get stuff done”, security takes a back seat.  The IT teams are often overwhelmed and cannot even properly say how many hardware assets they are responsible for.  And finally, the users themselves are lured by phishing attacks, they bring laptops home and install un-trusted software, or they visit suspicious sites. 

"We can certainly blame high-level officers and board members, or lazy IT admins, or users, but in reality the issue is that there are so many deficiencies in the overall security ecosystem and culture at enterprises that every enterprise can and will be breached in their current states.”