New Zealand’s IT management practices are inadequate when it comes to protecting forensic evidence for use in court, says Otago University’s annual New Zealand Computer Crime and Security Survey.
The survey, based on responses from 113 IT security professionals, also found significant differences between the New Zealand information security landscape and that of other countries, such as the United States and Australia. Only 22% of respondents, for example, reported unauthorised use, compared with 52% of respondents in the US. Two-thirds of local organisations invest less than 5% of their IT budget in security, whereas Australian research has found this level of investment to be insufficient. This is echoed by local respondents: more than two-thirds believe certain aspects of information security in their organisations are not adequately funded.
The survey found incident numbers had declined, but warned that this is no reason for complacency. Incidents were still experienced by 87% of those surveyed. The average cost of a security incident in 2006 was $13,000, well down on the $42,000 reported in 2005.
Rupert Dodds, KPMG audit and risk-management partner, says the survey does not highlight any new security risks.
“Businesses know what the security risks and issues are, and we know how to fix them. So why then is there still a major problem, with 87% of survey respondents experiencing an incident?” he asks.
Dodds says there is still inadequate discussion about security issues within organisations in terms of business risk, and this could help explain the under-investment.
“Many businesses see security as a technical issue, whereas security is, foremost, a people and process issue,” he says.
He is also concerned at the lack of qualified or certified security professionals in local organisations.
Dodds says new data-breach guidelines, issued by the Privacy Commissioner, will result in an increase in incident reporting.
While 85% of the organisations surveyed monitor their systems for unauthorised use, many did not report transgressions to police. The most common reasons given for this were that they were unaware of the police’s interest (32%), were concerned about negative publicity (24%), or pursued a civil remedy instead (20%).
The research, conducted in association with the Police, the Computer Security Institute and the Government Communications Security Bureau’s own Centre for Critical Infrastructure Protection, found total information security investment per employee to be $203.
The technologies most commonly employed by Kiwi organisations include email monitoring (84%); web-activity monitoring (79%); and penetration testing (72%). Over 60% use security audits to ensure system security.
Respondents’ most common job title by far was IT manager – at 60% – followed by CIO and “Other”, both on 11%. Systems administrator was next, at 10%, followed by security officer, at 4%. This indicates that many organisations have yet to employ a dedicated information security officer.
The most common types of incidents included viruses and worms (59%); laptop or mobile hardware theft (56%); and insider abuse of net access or email (54%). Denial of service attacks affected 16% of organisations surveyed; unauthorised access affected 12%; and telecommunications fraud affected 8%.
While concern about a skills shortage is evident in the survey, reformed hackers need not apply: 63% of respondents would not employ one.