Top security threats and how to avoid them - a report from the ICO

United Kingdom

This article was produced by Olswang LLP, which joined with CMS on 1 May 2017.

In May, the ICO published a report identifying eight common IT security threats that have repeatedly arisen in the ICO's investigations into data breaches.

The report specifically looks at how the seventh data protection principle applies in the online environment. That principle is the requirement to take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. Two points about this principle are worth noting:

  • what is "appropriate" will vary from case to case. For example, a large organisation holding significant amounts of sensitive personal data is expected to take more stringent measures than a smaller organisation only holding a small amount of personal data; and
  • data controllers (being persons who determine the purposes for which personal data is processed) must ensure that any third party appointed to process personal data on their behalf complies with the seventh principle too.

In addition to guidance on the use of default access credentials, SQL injection, password storage and encryption, the report comments on, and provides practical guidance on how to manage, the following threats:

  • Software security: failure to apply software updates leaves software increasingly vulnerable as time goes on. It is also important to ensure that the software remains within its support period, so that security fixes continue to be issued for it. The ICO recommends that organisations define and adhere to a software updates policy covering all software which processes personal data.
  • Unnecessary services: organisations should consider whether it is necessary to run each service which processes personal data, and whether it's appropriate to enable access to services via the Internet or remotely. Even secure remote access can be problematic - what if credentials are lost or stolen?
  • Inappropriate locations for data processing: many data breaches are due to personal data being processed in inappropriate locations (such as locations with poor security, or which are publicly accessible).
  • Decommissioning: problems sometimes arise because an organisation fails to decommission software or a service properly. Attackers can still reach the data held by that software or service, and the risk grows over time because the organisation no longer monitors its security.
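The software-support, unnecessary-services and decommissioning points above lend themselves to a periodic inventory review. The following is an added example written for this summary, not code from the ICO report or from Olswang: it runs three checks over a constructed asset register (the `Service` fields, the sample entries and the `APPROVED_INTERNET_FACING` allow-list are all assumptions for illustration) and reports software that has fallen out of support, services handling personal data that are reachable from the Internet without approval, and services recorded as decommissioned that are still listening.

```python
"""Inventory review for three threats discussed in the ICO report:
unsupported software, unnecessary Internet-facing services, and
services that were never properly decommissioned.
Example code added to this summary; all data below is constructed."""
from dataclasses import dataclass
from datetime import date


@dataclass
class Service:
    name: str
    port: int
    processes_personal_data: bool   # in scope for the seventh principle
    support_ends: date              # vendor support end date (constructed)
    status: str                     # "live" or "decommissioned" per the asset register
    internet_reachable: bool        # result of the latest external port scan (constructed)
    still_listening: bool           # result of the latest internal port scan (constructed)


# Constructed asset register used as sample input.
INVENTORY = [
    Service("crm-web", 443, True, date(2026, 12, 31), "live", True, True),
    Service("legacy-ftp", 21, True, date(2015, 1, 1), "live", True, True),
    Service("old-survey-app", 8080, True, date(2024, 6, 30), "decommissioned", True, True),
    Service("metrics", 9090, False, date(2027, 1, 1), "live", False, True),
    Service("internal-hr", 8443, True, date(2026, 1, 1), "live", False, True),
]

# Services that have been reviewed and approved for Internet exposure (assumed).
APPROVED_INTERNET_FACING = {"crm-web"}


def review(inventory, today, approved):
    """Return a list of (service name, issue) findings for the inventory.

    The three checks are independent, so one service can produce several
    findings; that mirrors how the threats in the report compound."""
    findings = []
    for svc in inventory:
        # Decommissioning: the register says it is gone, the scan says otherwise.
        if svc.status == "decommissioned" and svc.still_listening:
            findings.append((svc.name, "decommissioned but still reachable"))
        # Software security: support period has ended, so no more fixes arrive.
        if svc.support_ends < today:
            findings.append((svc.name, "software out of support"))
        # Unnecessary services: personal data exposed to the Internet without approval.
        if (svc.processes_personal_data and svc.internet_reachable
                and svc.name not in approved):
            findings.append((svc.name, "exposed to the internet without approval"))
    return findings


def services_with_findings(findings):
    """Distinct service names that need attention, in first-seen order."""
    seen = []
    for name, _ in findings:
        if name not in seen:
            seen.append(name)
    return seen


if __name__ == "__main__":
    results = review(INVENTORY, date(2025, 1, 15), APPROVED_INTERNET_FACING)
    for name, issue in results:
        print(f"{name}: {issue}")
    print(f"{len(services_with_findings(results))} service(s) need attention")
```

The review date is passed in rather than read from the clock so that the output is reproducible when the check runs in a scheduled job; in practice the inventory rows would come from the asset register and the two scan results from whatever scanning the organisation already performs.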