Over 87% of Kiwi organisations report having experienced some kind of security incident, according to the 2005 New Zealand Computer Crime and Security Survey — the first survey of its kind in this country.
The survey concludes that the number of security incidents grew steadily from 1998 to 2004.
At the same time, 62% of respondents said that their IT staff had no security qualifications. Over 80% of respondents said that fewer than 10% of their IT staff had security qualifications.
However, local IT managers say that security qualifications alone are not going to save the day.
“Qualifications on their own are not necessarily the key to dealing with security issues,” says Liz Gosling, director of IT Services at AUT. “You need experienced IT staff who build security in as systems and architectures are developed.”
She adds that a qualification is only valid at the time it is achieved because technology is changing so fast.
“On-going professional development, through professional bodies, is very valuable,” she says.
John Holley, IT manager of the Royal New Zealand Foundation of the Blind, says that security is very important, but qualifications don’t necessarily matter.
“The problems we have faced have actually had to do with personal behaviour,” he says.
“Everyone knows that the biggest problems [for organisations] are [coming] from their own staff, and that’s about behaviour management,” he says.
To protect his organisation from outside attacks, Holley uses automated systems, such as intrusion prevention systems.
The survey found that a quarter of respondents had experienced unauthorised use of their computer system, with 70% of those experiencing up to five incidents from within the organisation, and 60% experiencing up to five incidents from outside.
The survey also showed that in response to attacks, 86% do their best to patch security holes in their networks. Forty-six percent said they would not report intrusions to anyone outside the organisation. Only 15% of respondents reported intrusions to the police.
The incidents least likely to be reported to the police are virus infections, followed by insider abuse, unauthorised access and denial of service attacks, according to the survey.
The main reason given for not reporting attacks to police was that competitors would use it to their advantage (78%). Sixty-five percent thought civil remedy was the best path to take. Sixty percent said that the negative publicity would damage the organisation’s reputation, and 58% said they weren’t aware of the interest from the police.
Maarten Kleintjes, head of the New Zealand Police Electronic Crime Laboratory, is not happy with the low numbers reporting electronic crime.
“There are offenders out there that are getting away,” he says.
“And it’s very likely that those offenders will continue their unlawful behaviour,” he says.
Kleintjes is aware that organisations avoid reporting electronic attacks to the police because they don’t want the bad reputation.
Another problem is that if they go to the police, the police might not be interested in dealing with it, Kleintjes says.
“We have a knowledge gap,” he says.
Officers at the local police station might not understand or prioritise e-crime that is reported to them. However, police are trying to bridge that gap by setting up a high-tech crime reporting centre in partnership with other government agencies such as the Centre for Critical Infrastructure Protection and the Department of Internal Affairs.
The centre’s staff will be IT experts and they will be able to deal with cases in a discreet manner, says Kleintjes. The centre should open by the end of the year.
If organisations don’t report attacks, the police have no chance of knowing the number of offences that actually happen, he says.
“And, more importantly, offenders will never be held accountable [for the crimes they commit] and they will re-offend somewhere else. That’s a bad thing for society,” he says.
The 2005 New Zealand Computer Crime and Security Survey was conducted by the Security Research Group at the University of Otago, in partnership with the Computer Security Institute, the CCIP and the New Zealand Police.
The results of the survey were based on responses from 218 manufacturing, government, financial and medical organisations, as well as tertiary education providers.