TechUK and Cyber Crime Reduction Partnership report finds the same old risks are still causing trouble
New research has discovered that British businesses are still falling prey to the same old vulnerabilities, such as weak password policies, when developing online applications and infrastructure.
Technology body techUK, in association with the Home Office’s Cyber Crime Reduction Partnership, teamed up with PA Consulting to carry out extensive penetration tests over the past 12 months, and was able to discern which ten vulnerabilities are the most common.
Account weaknesses, in particular poor passwords, topped the list, with SSL (Secure Soft Layer) issues and XSS (cross site scripting) vulnerabilities rounding out the top three.
The top also includes a lack of brute force or clickjacking protection and host configuration problems – especially firewall issues and IP leakage.
Also listed are cookies not marked as HTTP only or not marked as secure, which could make them easier for attackers to steal; and directory listing vulnerabilities, via which attackers can discover hidden files or the directory structure of a web page.
The reports mentions figures from the 2014 Information Security Breach Survey (published by BIS), which says that 87 percent of small firms experienced a security breach last year, with 93 percent of large organisations saying that they had also been targeted.
“These threats may not be new, but all still post a real risk to UK web users,” said Gordon Morrison, director of tech for government at techUK. “The good news for businesses and citizens is that there are well established fixes available to protect against these vulnerabilities and avoid falling victim to cyber crime.”
In order to cope with these threats, the report recommends companies adopt a number of best practices to ensure they stay safe. Unsurprisingly, most of this is found in the BSI’s PAS 754, Software Trustworthiness – Governance and Management – Specification, which sets out the processes and procedures which organisations can apply to help them identify and employ trustworthy software.
This includes setting up an appropriate set of governance and management, carrying out proper risk assessment, managing and applying proper controls, and setting up a thorough compliance regime.
Launched in November 2013, TechUK currently represents around 850 companies, employing more than 500,000 people in the UK – around half of all technology sector jobs in the country.
Like Government IT policy? You’ll love our quiz!