New Zealand business computer systems are incredibly secure and practically never get hacked or cracked, according to the latest Computerworld 1000 Survey of top New Zealand companies.
Of the 30 companies questioned, only one admits to having been hacked — and that was a university, where, it says, students performed the dirty deed.
Are these companies being naïve? Are they protecting their public image or are they genuinely sure that no one can get to their data?
Hewlett-Packard senior consultant Harry Page laughs and says: “I think it would be fair to say that anyone who says their systems are totally secure is delusional. But there’s a lot of that attitude out there. We regularly go to visit clients who say they’re okay until they see the results of our tests. Our auditors turn up and hand them a list with all their passwords.”
Computerland service manager Greg Watts offers a similar security consulting service to clients. “We put in firewalls and show them just how many times a day they get hit by potential hackers - you can sit and watch unregistered people trying to get in. It depends on the clients and the information they’re likely to have but most are surprised by the results. Whether they’re malicious or just nosey, people are trying to gain access to your business.”
In a recent Australian survey, 30% of companies admitted they had been the targets of computer crime, though 83% of those crimes were committed internally. Survey co-ordinator Deloitte Touche Tohmatsu admits the real figures are likely to be much higher because companies are reluctant to admit the truth.
The Computerworld survey asked IT managers what their companies do to protect their data. Firewalls, passwords and “no outside access” are the most commonly cited security measures: where companies are not connected to the Internet or anyone outside the company, they feel secure. When they are, they rely on firewalls and passwords to keep out potential invaders. Only six have employed consultants to check out their security levels.
Ashton Project Services’ Jon-Paul Hale says that, although his company has employed consultants, “it was mainly to look at virus protection rather than hacking. Hacking was a side issue - we do most of the security in house and just keep an eye out for anything odd. Including in-house stuff, of course - people looking where they shouldn’t”. Ashton is a Hamilton project management company and manufacturer of packing equipment, “which means we have a lot of information about clients on record so we have to make sure it’s well protected internally and externally.”
Companies which aren’t open to attack through a Web site should not necessarily feel they are secure, says Watts. “We do a complete audit of their environment and look for potential risk areas. It’s not just external access - what about their server room security? Who has access to patch panels? And of course any time you go onto the Internet and pull down data you’re at risk - you might think you’re downloading straight data but there can be hidden codes giving access to your business. That’s pretty unusual as yet, but it’s a risk people don’t always know about.”
The survey results seem to confirm what information security specialists have been saying: companies don’t speak out about their experiences because to do so would harm their reputation with clients and shareholders. At a recent NZ Information Security Forum meeting, security expert Allan Watts said a few “sacrificial lambs” were needed to get the subject out in the open. It looks as if no one’s ready to sacrifice themselves yet.
However, Shayne Bates, chief executive of security firm SP Bates and founding chairman of the NZISF, says that in most cases companies genuinely don’t know they’ve been targeted. “In our experience, only 10% of incidents are being detected. Whenever we set up a monitoring operation we see incidents happening all the time, and companies haven’t known anything about them.”
A recent report from research group Forrester says that computer crimes will rise in future and companies should start protecting themselves now. It recommends upgrading virus software to detect known bad applets, and predicts the emergence of dedicated inspection servers which check the code of everything that arrives, says Bates. “It’s all very well building firewalls and secure sites, but applets are being developed, and sent by email or via Web sites, which can hang systems, steal passwords and reset browser security settings.”
Bates’ background is in the navy, where he specialised in electronic warfare, “and what we’re talking about now is that same theory coming to commerce - electronic warfare between companies”.
Currently, however, most hackers are just “bored kids”, says Harry Page. “In the longer term, as things grow, I expect we will see the growth of organised crime. But for now, in New Zealand, it’s not that big a problem.”