The Information Commissioner's Office (ICO) has issued a new report on security and data breaches, which highlights the major mistakes organisations are making when it comes to security, so everyone can learn from those errors.
The ICO is, of course, an authority on data breaches, as it's the body tasked with investigating large data spillages, and handing out fines for lax practices which caused such incidents. And the same mistakes are, apparently, being made over and over, so giving them an airing and full discussion is (hopefully) a useful exercise.
The report identifies the eight most common causes of data breaches, which are: software updates, SQL injection, unnecessary services, decommissioning of software or services, password storage, configuration of SSL and TLS, inappropriate locations for processing data, and credentials being left as defaults.
Some of this is pretty obvious stuff – for example, making sure your software is updated with the latest patches is very important, as these contain security updates to protect against new vulnerabilities. Or not keeping the default passwords for hardware or software, or making sure you don't reuse the same password across multiple accounts – even less tech-savvy home computer users should hopefully be familiar with this sort of concept by now, let alone sizeable businesses.
There are some interesting points made, though, on topics such as encryption and security architecture – you can have a read of the full report here.
Simon Rice, the ICO's Group Manager for Technology, commented: "Our experiences investigating data breaches on a daily basis shows that whilst some organisations are taking IT security seriously, too many are failing at the basics. If you're responsible for the security of your organisation's information and you think salt is just something you put on your chips, rather than a method for protecting your passwords, then our report is for you."
"The report provides an introduction into these established industry practices that could save you the financial and reputational costs associated with a serious data breach."
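To make the "password storage" item on the ICO's list and the salt remark above concrete, here is an added example (not from the ICO report or the article) contrasting a bare hash with a salted, iterated hash. The user names and passwords are constructed sample data; the iteration count is an assumption chosen to keep the demo quick, and a production deployment would use a higher one.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample data: two users who happened to choose the same password.
USERS = {"alice": "correct horse", "bob": "correct horse"}

# Assumed iteration count for the demo; raise it for real deployments.
ITERATIONS = 200_000


def store_unsalted(password: str) -> str:
    """Weak scheme: a bare SHA-256 of the password.

    Identical passwords produce identical digests, so a single cracked digest
    (or a precomputed lookup table) exposes every user who chose that password.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def store_salted(password: str, salt: Optional[bytes] = None,
                 iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash using PBKDF2-HMAC-SHA256 from the standard library.

    A random 16-byte salt per user makes every stored value unique even when
    passwords repeat; the iteration count makes each guess expensive.
    The stored record carries everything needed to verify later.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def compare_schemes(users: dict) -> dict:
    """Show whether users sharing a password end up with identical stored values."""
    unsalted = {u: store_unsalted(p) for u, p in users.items()}
    salted = {u: store_salted(p) for u, p in users.items()}
    return {
        "unsalted_collide": len(set(unsalted.values())) < len(unsalted),
        "salted_collide": len(set(salted.values())) < len(salted),
    }


if __name__ == "__main__":
    print(compare_schemes(USERS))
    record = store_salted(USERS["alice"])
    print(record)
    print(verify_salted("correct horse", record), verify_salted("wrong", record))
```

Run as a script, it reports that the unsalted digests for alice and bob collide while the salted records do not, then prints one stored record and a successful and a failed verification. The point for a reviewer of a breached database is that the unsalted column leaks password reuse across users on sight, whereas the salted column does not.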