Last week, we jointly published a white paper with our friends at Vormetric on the legal obligations to encrypt data that exist in various key global economies, including the United States, European Union and Asia-Pac region. Our report was well-timed: very shortly before it went live, the UK's data protection authority (the Information Commissioner's Office or " ICO") published its own report on common security failings for online businesses.
In total, the ICO's report identified 8 common security failures that will be very familiar to any seasoned security professional. Specifically, these were:
- Failure to install software updates across all IT assets;
- SQL injection attacks (easily detectable through regular penetration testing);
- Using unnecessary services, permitting excessive and insufficiently controlled access to data assets;
- Failure to properly decommission no longer needed software or services, resulting in ongoing access to data and security risk;
- Insecure password storage;
- Failure to use or improper configuration of online encryption, like SSL and TLS;
- Inappropriate data processing locations, including failure to segregate data environments; and
- Failure to change default username / password credentials supplied with software components.
What is particularly interesting about the ICO's report is the value it places on the use of encryption and hashing technologies. In this regard:
- While the report is specifically directed at online businesses, the ICO notes that " [t]his in no way reduces the need to consider other security issues such as the importance of encrypting laptop and mobile for instance."
- In relation to the risks of using unnecessary services, the ICO actively discourages use of services like telnet and plain FTP " because information, including usernames and passwords, is sent unencrypted." When accessing remote services, the ICO recommends that access should be " via an encrypted method" and that" [a] more general solution … would be to use a Virtual Private Network (VPN), which would allow remote users to be authenticated and also ensure that data is encrypted in transit."
- In relation to the risks of insecure password storage, the ICO " rules out the storage of passwords in plain text because these are immediately readable by a system administrator or casual observer" before recommending the use of one-way hashing and salting algorithms, noting that " if done appropriately, hashing makes password cracking attacks extremely time-consuming and therefore impractical".
- Finally, in relation to the risks of failing to use or improperly configuring online encryption, the ICO advises business that " You should have a clear concept of which information needs to be encrypted and which does not, and apply the use of SSL or TLS as appropriate. To reduce complexity, you may also which to consider using SSL or TLS throughout your entire domain."
In short, encryption is a more-or-less pervasive theme throughout the entirety of the ICO's report. This chimes nicely with the analysis our own report provided, in which we argued that there is increasingly a worldwide legal and regulatory consensus that businesses must deploy encryption to protect their confidential and personal data assets.
But we'll let the ICO have the final word on this. As Simon Rice, Group Manager, Technology at the ICO notes in his blog "Why encryption is important to data security": " the time and cost of proper encryption is put into sharp perspective by a quick glance over the penalties issued in three recent cases where encryption wasn’t used (£700,000 in total). The price of getting it wrong could therefore extend well beyond upsetting people…"
That was in August 2013, by the way, and there's been in excess of another £400,000 of fines since then relating to encryption failures in the UK alone!
Phil Lee is a partner in the Privacy and Information Law Group at Fieldfisher and leads its US Office in Palo Alto California. You can e-mail him at email@example.com or follow him on Twitter @euprivacylawyer.