Who: Information Commissioner’s Office
When: 12 May 2014
Law stated as at: 3 June 2014
The Information Commissioner’s Office (ICO) has published a security report on the most significant online threats to IT data security in the workplace, and the steps which organisations should take to keep personal information secure.
According to the ICO’s Group Manager for Technology:
“Whilst some organisations are taking IT security seriously, too many are failing at the basics”.
ICO investigations into data breaches have identified eight key areas of computer and IT security vulnerabilities which have led to organisations failing to keep people’s information secure.
Many incidents have resulted in security breaches and the imposition of significant penalties by the ICO. Monetary penalty notices issued recently by the ICO have been between £50,000 and £200,000, as high profile names including the Ministry of Justice, Kent Police, British Pregnancy Advisory Service, Bank of Scotland Plc, Sony Computer Entertainment Europe Limited and numerous city and borough councils, have discovered to their cost and public embarrassment.
The threats identified and the resulting Data Protection Act 1998 (DPA) breaches are not novel ones – rather they are persistent features of the ICO’s casework.
The eight principal areas of online security upon which the ICO focuses are:
1. Failure to keep software security up to date – software which is not updated or ‘patched’ becomes progressively more vulnerable to attack. This concern is particularly topical as Microsoft recently ceased to provide support for Microsoft XP (from 8 April 2014) and a significant security flaw called ‘Heartbleed’ was identified. The ICO recommends that all organisations have a software updates policy in place for all software used to process personal data.
2. Lack of protection from SQL injection – SQL is a special purpose programming language designed for managing data. Injections most commonly occur on a publicly available website that uses databases to display information. They allow an attacker to inject incorrect instructions or coding errors directly into a database. SQL injections remain one of the most ubiquitous forms of online attack and costs are high both in terms of damage done and of rectification. SQL injection vulnerabilities can often be detected automatically by hackers using commonly available tools. The ICO recommends that organisations conduct vulnerability assessments and penetration testing, monitor and act upon security advisories, and rectify coding flaws.
3. Use of unnecessary services – reducing the number of services which are publicly accessible, as well as those not actively used, can limit an organisation’s exposure to attack. The ICO recommends conducting an audit and maintaining a full list of services which are available. Temporary services should be disabled when no longer needed.
4. Poor decommissioning of old software and services – if a service is not fully decommissioned, an organisation may be vulnerable to an attack via a route which it was not aware was still in existence.
5. Insecure passwords and their storage – according to the ICO, poor password handling often only comes to light after a data breach has occurred. User credentials are both vulnerable to attackers and especially valuable to them, since they are often re-used across multiple services. Obtaining a password via a relatively vulnerable service may enable access, by use of the same password, to otherwise more secure parts of the system. Organisations must have a policy ensuring that all members are compelled to use strong password combinations. Technical methods of further encrypting stored password data – like ‘hashing’ and ‘salting’ – increase the time and effort needed to mount an attack.
6. Failure to encrypt online communications – the ICO recommends that all personal data and sensitive information should only be transferred across the internet using encryption schemes such as Secure Sockets Layer (SSL) or Transport Layer Security (TLS) in order to ensure secure communications across the internet. In addition, the encryption must involve appropriate identity assurance in the form of digital certification.
7. Processing data in inappropriate areas and poorly designed networks – data breaches investigated by the ICO often involve poor security and network architecture where it is unclear how personal data should be processed, or incorrect or inadvertent storage of personal data in publicly accessible locations. Organisations must have policies in place for the processing of personal data and, where content is exposed on web servers, ensure that access restrictions are robust. The ICO recommends (1) the segregation of production and testing environments and segmentation of an organisation’s network where appropriate, (2) keeping an inventory of systems and where they are located within network architecture and (3) using both on-site and off-site backups. This will ensure business continuity and that an organisation’s production environment is not compromised, but also that personal data is not put at risk on a testing environment.
8. The continued use of default credentials (including passwords) – software is installed with default access credentials. The ICO recommends changing these default credentials as soon as possible before the software is put into use by an organisation.
Why this matters:
This Report from the ICO serves two purposes. It provides guidance to assist organisations who process personal data in their online services. It is also a warning to them that they cannot be complacent or cut corners when it comes to data security.
Anyone who processes personal information must comply with the eight principles of the Data Protection Act.
The seventh data protection principle states that:
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
The ICO stresses that an organisation cannot assume that implementation of each recommendation in its report will necessarily be enough. Every organisation must undertake a risk assessment exercise in order to ensure the protection of personal data which they process.
The ICO has recently demonstrated that it is willing to issue significant penalties for companies who fail to meet its standards when it comes to the protection of personal data. It has the power to issue monetary penalty notices of up to £500,000 for serious breaches of both the Data Protection Act and of the Privacy and Electronic Communications Regulations. These notices are available to the public, naming and shaming those organisations which the ICO feels has taken insufficient steps to protect their personal data.
For the full report go to security report.