The Australian Government’s first Cyber Crime and Security Report was launched this month, with statistics showing that cyber crime has become ever more targeted and much more efficient. UQ Business School’s Dr Peter Clutterbuck suggests there is still plenty that businesses can do to protect their data integrity.
‘Sophisticated ransomware attacks’, ‘threats to delete crucial data unless money is paid’, ‘15 years of critical files lost in serious compromise’.
These dramatic headlines followed the release this February of the 2012 national Cyber Crime and Security Survey, by Attorney-General Mark Dreyfus. The survey polled 255 Australian firms in sectors crucial to Australia’s national security, including energy, defence, communications, banking and water.
One in five businesses reported that they had been the target of cyber attacks, but even this isn’t the complete picture. An uncounted number of businesses are likely to be unaware that they have been hit at all. And, the report suggests, almost half of businesses failed to report cyber attacks, and in 20 per cent of cases it was the fear of negative publicity that kept them quiet.
DR PETER CLUTTERBUCK
An expert on internet security, Peter has held management positions in the public and private sectors. He advises organisations on network security and is currently carrying out research into security auditing.
UQ Business School’s Dr Peter Clutterbuck sees the survey as a useful tool in building a picture of underlying cyber threat trends and in revealing gaps in the systems and legislation that are designed to protect business and infrastructure as more and more activities migrate online.
However, Clutterbuck believes that some of the more dramatic headlines hide important insights and act almost as a smokescreen to business accountability.
“For example,” says Dr Clutterbuck, “the figures show a high level of deployment of firewalls, anti-spam and anti-virus software. They’re in 90 per cent of companies surveyed. That’s excellent. But this doesn’t tell the whole story. Are the security measures appropriate, updated and correctly configured?”
It’s a valid question. Data on the number of qualified IT security experts employed by the businesses surveyed show that 35 per cent of them had IT security staff with no formal training at all.
Another finding that Dr Clutterbuck flags for further consideration is that only 12 per cent of businesses have a forensic plan to implement following an attack.
“This feels way too low,” he explains. “Forensic examination looks at the digital footprint of the cyber crime scene. And, just like at any crime scene, there is so much to be learned by thoroughly understanding how the crime unfolded.” Clutterbuck suggests that vital opportunities to learn are being missed. “There is a feedback loop of insight, as understanding of the incident unfolds. This can help the company to learn, to change and to better protect its systems for the future.”
Dr Clutterbuck, who spent many years as an industry practitioner before making the switch to academic research, was unsurprised that the fear of negative publicity stopped 20 per cent of companies going public about attacks. “Many companies deal with data breaches quickly but quietly, with the possibility of negative publicity always at the forefront of the business mind. The online business environment is highly competitive. Customers must trust that their transactions are safe.”
There is considerable debate in Australia about whether disclosure should be mandated by law. In 2011, the US Securities and Exchange Commission mandated that publicly-traded companies had to report cyber attacks to regulators and explain measures they planned to take to close any cyber security gaps, according to the SEC guidance. There is no such requirement for Australian businesses.
Finally, Dr Clutterbuck questioned whether the declared 44 per cent of cyber attacks coming from inside the business was a reliable indicator. “The stealing of laptops and other hardware has been found to be a feature of poor equipment management rather than criminal behaviour. When computer hardware has not been tracked and managed professionally, this figure becomes distorted.”
The Cyber Crime and Security Report is to become an annual benchmark of cyber security for Australian business.