ICO: Companies ‘failing at basics’ may end up paying thousands in penalty


Companies still running Windows XP could face penalties of up to £500,000 in the event of a security breach, the UK’s privacy watchdog has warned.

The Information Commissioner’s Office (ICO) has released a report detailing common security failings, with out-of-date software, a lack of encryption and SQL injection vulnerabilities listed among the top 8 data security lapses encountered during its investigations.

Out-of-date software is said to be one of the most common IT security vulnerabilities, and one that often results in the compromise of users’ information.

Other security lapses include the use of unnecessary services, the insecure storage of passwords, the failure to decommission old software and services, poorly designed networks processing data, and the continued use of default credentials, including passwords.
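Two of the lapses listed above, SQL injection and insecure password storage, are easiest to see side by side with their fixes. The following is an added example and is not code from the article or the ICO report: a minimal login lookup against an in-memory SQLite database built from constructed sample accounts, showing a query assembled by string concatenation next to a parameterised one, and passwords stored as salted PBKDF2 hashes rather than plaintext. The account names, passwords and iteration count are assumptions made for the example.

```python
# Added example (not from the ICO report or the article): a login lookup that
# shows the SQL injection lapse beside its fix, and stores passwords as salted
# hashes instead of plaintext. Standard library only; data is constructed.
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ITERATIONS = 200_000  # assumption: iteration count chosen for this example


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return 'salt_hex$hash_hex' using salted PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def build_db() -> sqlite3.Connection:
    """Constructed sample data: two accounts, passwords stored only as salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", hash_password("correct horse")), ("bob", hash_password("battery staple"))],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The lapse: user input is spliced into the SQL text, so it can change the query."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """The fix: a bound parameter; the input is only ever treated as a value."""
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised lookup plus hash verification; plaintext is never stored or compared."""
    row = conn.execute("SELECT pw_hash FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        # Hash anyway so an unknown user costs the same time as a wrong password.
        hash_password(password, salt=b"\x00" * 16)
        return False
    return verify_password(password, row[0])


if __name__ == "__main__":
    db = build_db()
    probe = "nobody' OR 'a'='a"  # constructed test input, not a real username
    print("vulnerable lookup:", lookup_vulnerable(db, probe))  # returns every account
    print("safe lookup:      ", lookup_safe(db, probe))        # returns no account
    print("login ok:         ", login(db, "alice", "correct horse"))
    print("login bad:        ", login(db, "alice", "wrong"))
```

The vulnerable lookup returns both accounts for the probe input because the quote in the input closes the string literal and the rest is parsed as SQL; the parameterised lookup returns nothing because the whole input is bound as a single value. The same parameterised query is what `login` uses, and the stored column holds only a salt and a PBKDF2 digest, so a copy of the table does not yield usable passwords.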

“In just the past couple of months we have already seen widespread concern over the expiry of support for Microsoft XP and the uncovering of the security flaw known as Heartbleed. While these security issues may seem complex, it is important that organisations of all sizes have a basic understanding of these types of threats and know what action they need to take to make sure their computer systems are keeping customers’ information secure,” ICO’s group manager for technology, Simon Rice, said.

“Our experience investigating data breaches on a daily basis shows that whilst some organisations are taking IT security seriously, too many are failing at the basics.”

The report notes that these flaws have led to serious security breaches, for which the UK’s privacy watchdog has issued monetary penalties amounting to around £1 million.

Rice said that the issues listed in the report may seem obvious, but are overlooked surprisingly often. He added that some organisations had tackled complex problems yet missed other key areas that could easily have been dealt with.

The report also sets out good practices for avoiding such issues, such as applying updates regularly and as early as possible whenever there is no compelling reason to delay.

Recent fines issued by the ICO include a £200,000 penalty levied against the British Pregnancy Advice Service after a security breach that compromised users’ details, and a £250,000 fine against Sony Computer Entertainment Europe for failing to keep its software up to date.