Eight basic security failings and vulnerabilities are most common in business failures.
According to a report by the Information Commissioner’s Office (ICO), breaches totalling almost a million pounds could have been avoided if the standard industry practices highlighted in today’s report were adopted.
The eight top computer security vulnerabilities were identified as: a failure to keep software security up to date; a lack of protection from SQL injection; the use of unnecessary services; poor decommissioning of old software and services; the insecure storage of passwords; failure to encrypt online communications; poorly designed networks processing data in inappropriate areas; and the continued use of default credentials including passwords.
Simon Rice, group manager for technology at the ICO, commented that while these security issues may seem complex, it is important that organisations of all sizes have a basic understanding of these types of threats and know what action they need to take to make sure their computer systems are keeping customers’ information secure.
“Our experiences investigating data breaches on a daily basis shows that whilst some organisations are taking IT security seriously, too many are failing at the basics,” he said. “If you’re responsible for the security of your organisation’s information and you think salt is just something you put on your chips, rather than a method for protecting your passwords, then our report is for you.”
The basic findings showed that current, traditional security technologies are ineffective, according to Andy Heather, VP EMEA of Voltage Security, said: “These current technologies are not providing the necessary means to actually protect data as the data moves throughout and across an organisation, a situation further exacerbated as companies continue to leverage cloud-based services and mobility, which simply increase the ability to move and access data as never seen before.”
His colleague Brendan Rizzo, technical director EMEA at Voltage Security, said that all too often companies focus on fixing the symptoms rather than addressing the underlying problems. “Each of these top vulnerabilities include either a user exposing sensitive data through bad password practices or systems being left exposed to malicious users who could then infiltrate and elevate their privileges to steal a company’s sensitive data,” he said.
“While attention does need to be paid to each of these threats individually, companies would do well to adopt an approach similar to that used for addressing regulations such as PCI DSS, where a standard first step is to reduce the scope of the overall problem.”
Mark Teolis, general manager of DOSarrest, said that the vulnerabilities “are more common than you think”. Commenting on a fully managed vulnerability testing service that it launched two years ago to its customers, it found that over 70 per cent of all sites tested failed the test. “It revealed many easily avoidable vulnerabilities,” he said. “Website operators need to run comprehensive vulnerability testing at least every three to four months as well as after major changes are made to a site, that can open up holes in a website’s architecture.”
Stephen Midgley, vice president of global marketing at Absolute Software, said: “It’s clear that neither businesses nor employees are taking responsibility for data, and whi
le there are solutions that can offer a quick fix, there needs to be work done on a more granular level to educate the business world on the very real threats and implications of data loss. You can apply whatever technology you want to control data, but ultimately the weakest link may be the psychology and culture of a business.
“The message is this – employees need to be informed about data security and this comes from an understanding throughout the hierarchy of a business. The more a business understands the risks out there, tallied with the potential impact on the company, the easier it will be to work together with employees to create a secure environment.”
Rob Sobers, director at Varonis and TK Keanini, CTO, Lancope, were asked why they felt businesses continued with these basic failings? Sobers said that even though some of the vulnerabilities mentioned are conceptually easy to tackle, as an organisation grows it becomes harder to keep track of what needs protection. Sobers said: “Turning the lock on a door is basic, but if you have hidden or forgotten doors that nobody knows about, you can be left vulnerable to a basic attack.”
Keanini said some folks don’t even cover the basics, which he called “completely irresponsible”. He said: “The problem is also that some folks think this is enough – that once these items are performed that they are safe. It is like diet and fitness, it is a process and a lifestyle, not a onetime event.”