Companies targeted by hackers need to speak out about what has happened to them, says a New Zealand information security specialist.
Companies are suffering IT security breaches all the time but no one wants to talk about it, says Allan Watt, a private specialist in security who spent five years with Auckland Police's criminal intelligence squad.
"Admitting you've had a security breach is really bad for your company image," Watt says. "Investors don't like it, customers don't like it, so companies tend to keep it very quiet." That silence, in turn, makes it hard for IT staff to convince management of the need for expensive security.
"Management just say, 'Tell me about someone that's been affected — show me examples,' and the IT or security risk manager is stuck: no one's coming out and saying 'this is what's happening to me'. We need a few sacrificial lambs to bring it into the public eye."
Around 60 IT and security risk managers attended a New Zealand Information Security Forum breakfast meeting on February 4, to hear Watt describe the state of information security law in New Zealand.
Computer-based offending, Watt says, is costing New Zealand business millions of dollars a year and current law is not enough to deal with it when companies do report it.
While specific information technology laws in the US and UK make it illegal for anyone to "trespass" in a computer system, even if they don't change or delete files, New Zealand has no such law and companies are unprotected, he says. Justice Minister Doug Graham has said that he believes New Zealand's current laws are sufficient and can be adapted to cover information, but Watt believes more specific legislation is needed.
In the face of such poor legal protection, companies need to take steps to protect themselves, he says.
Up to 80% of computer-based offending is done internally, he says, "so you can build all the firewalls and security you like but it's a waste of time if you don't have a strong acceptable use policy that staff stick to".
Other intruders might include competitors looking for plans or pricing information, disgruntled customers and even foreign governments, as well as hackers and other people just having a look around.
When you do realise there's been a breach, he says, "don't change anything — it's just like the scene of any other crime — there will be evidence to be collected".
Watt says he knows of a company that is likely to take a former employee to court in the near future over the wiping of its database. "That could at least provide a test case for other companies to follow."
Attitudes towards computer crime have to change, says Watt. "There's a glamorised view of hackers and computer crime in general," he says.
"They're seen as pirates, bad boys getting up the nose of big business. But they're criminals, and often very damaging to a company. We need to drag a few into the public eye and say, 'Look. This is what these guys are doing. It's criminal activity and it has to stop.'"