The Information Commissioner’s Office (ICO) has identified eight common security vulnerabilities following investigations into data breaches caused by poor ICT practice.

A report published yesterday said that too many organisations are failing to implement basic security measures.

It identifies a series of established industry practices aimed at preventing financial and reputational costs which can result from serious data breaches.

ICO group manager for technology, Simon Rice, said: “It is important that organisations of all sizes have a basic understanding of these types of threats and know what action they need to take to make sure their computer systems are keeping customers’ information secure. 

“If you’re responsible for the security of your organisation’s information and you think salt is just something you put on your chips, rather than a method for protecting your passwords, then our report is for you.”

The main vulnerabilities identified by the ICO were:

• a failure to keep software security up to date;
• a lack of protection from SQL injection;
• the use of unnecessary services;
• poor decommissioning of old software and services;
• the insecure storage of passwords;
• failure to encrypt online communications;
• poorly designed networks processing data in inappropriate areas; 
• the continued use of default credentials including passwords. 

The ICO said that incidents stemming from these areas have led to serious security breaches resulting in the ICO issuing penalties totalling almost a million pounds.