Govt caught in internet-security time warp
Today is Safer Internet Day, the day when the government likes to show that it cares about our internet safety. However, the government's press barrage has reduced my confidence that the government is on the pulse of cybersecurity threats.
We received a release from Communications Minister Stephen Conroy saying that "looking out for your family and friends is an important part of keeping everyone safe online", with the catchline for this year's Safer Internet Day apparently being: "discovering the digital world together, safely". He announced the release of a printable "Easy Guide to Socialising Online" (PDF), and pointed again to his expensive red button, which has been extensively ridiculed.
I had a look at the guide. I wouldn't recommend it if you don't like fluoro colours, or if you think you have a skerrick of technical ability, but it wasn't this release that made me wonder about the government's ability to do anything about cyberthreats. It was actually one sent out by Attorney-General Nicola Roxon. She, together with the Minister for Home Affairs and Justice Jason Clare, has used Safer Internet Day to release a report from the Australian Institute of Criminology. The report lays out the threats that small businesses are facing, including malware, wireless-internet vulnerabilities, online fraud and compromised websites. However, it's based on a survey carried out in 2006-07.
The report says, "Although four years can be a long time in the cyberworld, the [Australian Business Assessment of Computer Use Security] survey data remains one of the few sources of information on the computer-security risks faced by small business."
Yes; four years is a long time in the cybersecurity world. Six years (we are in 2012, aren't we?) is even longer. So, although I don't have any problems with the advice that the ministers released with the report — install security patches and firewalls, offer customers a secure site for entering personal information, introduce staff internet-usage policies and increase physical security of computers and servers — I don't think it's useful to spout stats saying that 14 per cent of small-business respondents had reported encountering one or more security incidents in 2006. Not only do I think that this number would be much higher now, but the average financial loss of $2431 isn't even vaguely accurate anymore.
The fact that 84 per cent of businesses were using antivirus software, 63 per cent were using anti-spam programs and 58 per cent were using anti-spyware tools is interesting, but this doesn't tell us what the state of small-business security is now. Ditto that only 70 per cent of small businesses were using firewalls to protect their computer systems, and only 7 per cent had policies in place stipulating acceptable computer use by staff.
I contacted the attorney-general's department to ask them about the age of data, but haven't received any response.
What do you think? Is this data still useful, or does the government really need to get some up-to-date information?