Organisations are risking breaches of data by not adhering to standard industry security practices according to a new report by the UK's Information Commissioner's Office (ICO).

According to the ICO, many such incidents have been serious breaches that have resulted in fines being issued to the organisations at fault.

The ICO is the an independent body with the remit of upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Its responsibilities are set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.

Protecting personal data in online services: learning from the mistakes of others outlines eight security issues to do with data protection that frequently arise in organisations. It also provides the best practice approach for securing against such issues.

Vulnerabilities

The top eight security vulnerabilities at organisations outlined by the ICO report are:

  • Failure to keep software security up to date
  • Lack of protection from SQL injection
  • Use of unnecessary services
  • Poor decommissioning of old software and services
  • Insecure storage of passwords
  • Failure to encrypt online communications
  • Poorly designed networks processing data in inappropriate areas
  • Continued use of default credentials including passwords

"While these security issues may seem complex, it is important that organisations of all sizes have a basic understanding of these types of threats and know what action they need to take to make sure their computer systems are keeping customers' information secure," said the ICO's Group Manager for Technology Simon Rice. "Our experiences investigating data breaches on a daily basis shows that whilst some organisations are taking IT security seriously, too many are failing at the basics."