Oz law enforcement only charges 8% of reported online crooks

Oz law enforcement only charges 8% of reported online crooks

Summary: Even though businesses are reluctant to admit that they've been subject to a data breach, those that do risk the negative publicity find that their attackers are only charged 8 percent of the time.


Only 8 percent of reported online attacks on businesses have resulted in a criminal being charged, according to the results of Australia's first Cyber Crime and Security Survey (PDF).

The survey was commissioned by Computer Emergency Response Team (CERT) Australia and conducted by the Centre for Internet Safety at the University of Canberra. It was sent to 450 companies that are CERT Australia stakeholders.

Despite it being the first year, the Attorney-General's Department said in a media release that online attacks are becoming increasingly targeted and coordinated. It cited results of the survey, which showed that 20 percent of respondents experienced an attack in the past year.

The survey found that attackers are typically getting away with no recourse. About 44 percent of breached organisations opted not to report a security breach. When questioned as to why, 20 percent said they were afraid of negative publicity.

About 74 percent thought that the security issue didn't warrant an investigation by law, but 35 percent didn't think law enforcement could do anything, and 26 percent thought that an investigation would be useless in catching the perpetrators.

The thinking of the latter organisations may have been the most accurate; of victims that did report cybersecurity incidents, just 8 percent resulted in a person being charged.

Of those that did report a breach, 33 percent of reporters said their allegations were not investigated, and 29 percent never heard back about what happened to their investigation.

Attackers have been gaining access primarily through automated attack tools, or taking advantage of the fact that the organisation had unpatched or unprotected software vulnerabilities, or misconfigured their operating systems, applications, or network devices. A further 20 percent of the victims reported having experienced more than 10 security incidents.

However, the victims have typically been making an effort to boost their security; half of all breached organisations reported increasing their spend on IT security in the past 12 months.

Additionally, over 90 percent of all organisations surveyed reported using firewalls, anti-spam filters, and antivirus software, and nearly two thirds use IT security-related standards.

Australian Attorney General Mark Dreyfus said that the inaugural survey report would provide a useful foundation from which to judge how online attacks on businesses are changing.

"Year on year, we're going to be able to carry out this survey again, [and] examine from this baseline whether or not there's a change in the nature of cyberattack, change in frequency or scale or intensity of cyberattack, and take appropriate remedial action," he said at its launch on Monday.

Despite the poor performance of law-enforcement agencies at catching those responsible for online attacks, Dreyfus encouraged businesses to better engage CERT Australia.

"The reason for setting up CERT Australia is to make sure that business understands that there is somewhere to go to, somewhere to complain to," he said.

Topics: Security, Government, Government AU, Australia

Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Police dont have the skills and many don't care because its not 'real world

    The reason most of these cyber incidents remain unsolved and not investigated by Police is that a vast proportion of Police jurisdictions simply don't have the computer skills, police don't want to learn anything about computers, States simply don't have the funding and most Police don't take Cyber Crime seriously preferring to catch 'real world' crooks.

    Police also have a operating system bias. If the crime was perpetrated on a Windows machine, something that they are familiar with (better hope its XP) they may look into it, if its conducted using a Linux or OSX machine don't bother contacting them because they don't want to know about it.

    I did here a story from a reliable source of one Australian State jurisdiction that removed passwords from their police systems because their Police users complained about having to use complex passwords, and I also happen to know that the same jurisdiction doesn't have any cyber crime investigators with any computer skills, understanding or experience, Microsoft Office is a challenge for most users in this jurisdiction - hackers rejoice your nirvana is here!

    It seems that only the Feds in Australia take Cyber crime seriously, with many of the States only providing lip service to secure practices within their police organisations and in their investigations so they can share Federal data, the current mantra being 'let something hit the press first then we will do something about it, until then its not a concern.'

    So, you see, with Police incapable of acting for various reasons or just not wanting to act because cyber crime was perpetrated on the wrong computer or it doesn't involve 'real world' crooks, its no surprise that the resolution stats are as dismal as they are.
    • Do you have any evidence to support your contentions?

      No, I thought not.
      • Evidence to the Contrary

        This is not an academic thesis. The evidence is in the article and anyone undertaking their own independent research can easily find more about the state of Cyber capability of Policing in Australia, RTI is a good place to start. I leave it open to all readers to investigate the facts and make up their own mind. As for 'Evidence to support your contentions' do you have any to support your assumption that I have no evidence ?