Despite growing investment in security measures and infrastructure, the number of cyber-attacks and their cost keeps rising.
However, spending in the area is still too low, say some IS security professionals, and technical and security policy basics are being neglected. According to Rupert Dodds, president of the Wellington branch of ISACA, a professional body for information systems auditors, network security is too often not a business priority.
A regional survey released last week by IDC found that for 38.5% of respondents the volume of IT and internet threats within their organisations had increased. Despite 97% having IT security in place, for half, the volume of threats had stayed the same. About 60% felt that viruses were the main threat, while 22% thought hackers were. Some 26% of enterprises said that increasing internet use drives their security spending — increasingly on options like disaster recovery and encryption rather than simple antivirus tools, says IDC — while 7.1% of respondents cited e-commerce initiatives as the key factor.
More than half the Asia-Pacific region’s CIOs pumped new investment into security solutions, according to IDC’s annual Continuum survey of IT chiefs, released in January.
IDC expects “defensive” investment in security, infrastructure and back-office apps to continue this year.
Meanwhile, a thorough computer security report on our nearest neighbour says that, despite increased spending in the last 12 months by almost 70% of 214 Australian public and private sector organisations, the number of attacks is rising and the impact on business is becoming more costly and damaging.
More than 40% of respondents to the 2003 Australian Computer Crime and Security Survey — published by Australia’s national computer emergency response team (AusCert) with the help of Deloitte and several federal bodies — experienced one or more computer attacks which harmed confidentiality, integrity or availability of network data systems in the past 12 months. There is a continuing trend towards externally sourced attacks and average losses were estimated at $A93,657 compared to $A77,084 in the 2002 survey.
Particularly disturbing is the fact that business is less likely to report incidents to police compared to earlier surveys.
The majority of Australian firms surveyed have increased the rigour of their network after a breach or heightened security concerns. This tallies with other reports, such as one done by IDC of 883 US firms, which showed breaches and increased internet use were most frequently cited as being behind decisions to deploy new security measures.
ISACA’s Dodds believes the findings of the AusCert study are roughly applicable to this country and that IT security investment here is too low. One issue is that digital assets are not as tangible to company executives as physical ones.
Reading into the figures, Dodds says external breaches will include viruses, whose financial impact is usually smaller and mainly impacts company and staff downtime.
Some 80% of AusCert survey respondents were infected with a virus, worm or trojan and 57% suffered financial loss as a result, despite high use of antivirus software and control policies. Dodds says this suggests how ineffective antivirus software can be now that update definitions arrive almost simultaneously with the virus itself. Likewise, over 95% of respondents employ a firewall, so high levels of successful attacks indicate poor configuration, he says.
Dodds suggests hesitation about calling police could reflect several perceptions: few successful prosecutions in the area, worries about being caught up in investigations, and potentially signalling to the market your security weakness.
- More than 90% of attacks that caused damage and harmed data integrity were externally sourced
- Only 11% of respondents felt they were handling all computer security issues well
- Cost of average computer crime, system abuse or attack up 18% on 2002 figures
- Financial fraud, laptop theft and virus infections are largest sources of loss to computer crime
- Some 67% of organisations have upped network security expenditure due to security incidents or concerns