Information Commissioner’s Office says firms could have avoided £1m in fines.
The Information Commissioner’s Office (ICO) has identified eight IT security weaknesses that have led to it handing £1m in fines to organisations that suffered data breaches.
Its report, ‘Protecting personal data in online services‘, cited failures to stick to a regular software update cycle, insecure password storage and the continued use of default log-ins as among the biggest threats to data security.
The privacy watchdog hit Sony with a £250,000 charge for a data leak affecting millions of customers after the firm failed to keep its software up to date.
It also penalised the Ministry of Justice with a £140,000 fine last year for a Cardiff prison data breach that the ICO blamed on a lack of training and sufficient encryption – some of the data was even stored on floppy disks.
The ICO’s group manager for technology, Simon Rice, said: "Our experiences investigating data breaches on a daily basis show that whilst some organisations are taking IT security seriously, too many are failing at the basics."
"We have already seen widespread concern over the expiry of support for Microsoft XP and the uncovering of the security flaw known as Heartbleed.
"While these security issues may seem complex, it is important that organisations of all sizes have a basic understanding of these types of threats and know what action they need to take to make sure their computer systems are keeping customers’ information secure."
The eight key areas identified are:
– SQL injection
– Unnecessary services
– Decommissioning of software or services
– Password storage
– Configuration of SSL and TLS
– Inappropriate locations for processing data
– Default credentials
Trevor Dearing, EMEA marketing director for network traffic visibility expert Gigamon, welcomed the report’s findings.
He said: "Protecting customer information is now a critical element of any organisation’s business practice.
"The rate at which breaches now seem to occur means that there is absolutely no excuse for any company to ignore these recommendations from the ICO."
He added that visibility of network traffic would be a key component of IT security as network speeds increase to support more and more traffic coming from a variety of devices under BYOD policies.
"While changing passwords is all well and good for short-term fixes, organisations need to make changes to the foundations in order to effectively secure their networks for the future," Dearing claimed.
"A security strategy that is centred on capturing full visibility into traffic flows and which provides security tools with the complete picture will enable a far more robust approach to securing the network."
The EU is set to bring in far stricter and more wide-ranging data regulations by the end of 2014, updating guidance from the mid-1990s into laws enforced by fines of up to €100m – up from the UK maximum of £500,000 that the ICO is allowed to levy.
Vinod Bange, a data protection specialist from law firm Taylor-Wessing, told a recent roundtable of IT professionals that the cost of not complying will soon far outweigh the expense of adhering to the new regulations.
He said: "Get your current baseline up to where it should be. If you don’t, it’s going to be an even bigger job."