The most common data security weaknesses and how you can avoid them

The Information Commissioner’s Office published a report in June 2014 entitled “Learning from the Mistakes of Others”, listing the most common security weaknesses identified during their investigations of data breaches and how these can be avoided.

The Information Commissioner’s Office issued fines for many of these incidents, but the offences could have been avoided if the industry standards identified in the report were adopted.

Written by Kate Slater on 6th April 2015

Although the report has no legal effect, if an organisation suffers a data breach, non-compliance might be considered by the Information Commissioner’s Office when deciding on sanctions.

Companies would be well advised, therefore, to ensure that those responsible for their IT security and data protection have considered the guidance in the report.

1. Software Security Updates
Attackers look for software with known vulnerabilities to attack. You should have a software update policy in place for all equipment, including laptops, tablets and other mobile devices, and you should only use software for which updates are still provided.

2. Structured Query Language Injection
Structured Query Language (SQL) is a programming language designed for database-driven software. A SQL injection is a hacking technique that exploits flaws in the programming code that builds database queries.

To avoid this, you should introduce regular independent security testing to identify programming problems, including SQL injection issues.

3. Configuration of Secure Sockets Layer or Transport Layer Security
Ensure that sensitive information and personal data are transferred using an encryption scheme designed to secure communications across the internet, such as Secure Sockets Layer or Transport Layer Security.

4. Inappropriate Locations for Data Processing
Ensure that you have a policy for how, when and where personal data will be processed and stored. Apply access restrictions, make sure that your network is backed up regularly and that your business continuity plan is in place.

5. Unnecessary Services
Only run network services that are absolutely necessary and ensure that services intended to be used on local networks only are not available to the internet. This will reduce the number of ways an attacker could compromise network systems.

6. Decommissioning of Software or Services
When obsolete or temporary hardware, software or networked services (such as a website or file server) are no longer required, you must decommission them and check that the decommissioning has been effective.

7. Change Default Access Credentials
Hardware and software may be supplied with default credentials, such as standard usernames and passwords; ensure that these are changed as soon as possible upon delivery.

8. Password Storage
Weak passwords such as 123456 are an obvious but sadly common source of system vulnerability, and users should be instructed to choose strong passwords, i.e. long passwords with a wide range of characters.
The report also explains “hashing” and “salting” techniques, which increase the security of stored passwords.

Protecting your technology business
With 30 years' experience of working with ICT clients, here at Franklands we know that expanding and innovative businesses need comprehensive cover across all business operations to ensure their future and avoid these most common types of data security weaknesses.

In our experience far too many ICT companies are buying entry level office insurance policies which do not provide adequate cover for the significant risks they face.

To find out what you can do to improve your insurance policies, download our free guide, Protecting Your Technology Business.
