Australia's IT security failing: AusCERT

Australian organisations' best efforts to secure their IT systems are failing, according to an annual survey released today by the nation's leading IT security advisory body.

AusCERT, which conducts the survey in cooperation with law enforcement bodies, found that while Australian organisations were spending more time and money fortifying their IT systems against security breaches this year, losses to computer crime continued to rise.

The survey revealed that average private and public sector financial losses due to reported computer security breaches increased 20 percent over the previous financial year to AU$116,000 per organisation.

At the same time, the number of organisations that reported they were coping well with computer security issues fell six percent to just five percent of all organisations.

AusCERT general manager, Graham Ingram, said Australian organisations were simply unable to keep pace with the rate at which new weaknesses in their systems were being discovered.

"Organisations simply cannot keep up with the rate at which vulnerabilities are now being discovered and disclosed and respond accordingly. It is unsustainable and placing organisations at greater risk," said Ingram.

Ingram said that reported attacks on Australia's computer systems appeared to be getting "more harmful" in nature.

According to AusCERT, average losses due to attacks against systems within Australia's critical national infrastructure were almost double those for non-critical infrastructure.

The survey also found that electronic attacks compromising the "confidentiality, integrity and availability" of Australian network and data systems had jumped seven percent, and now accounted for nearly half of all reported abuses.

Detective Inspector Peter Wheeler, of the Victoria Police's major fraud investigation division, all but conceded that law enforcement authorities could now only hope to minimise the damage caused by computer crime.

According to Wheeler, it was now time for the community to abandon traditional notions of law enforcement when it came to cybercrime.

Wheeler said "if businesses were to report absolutely everything to police the reality is that they wouldn't be able to cope with the workload".

He is advocating a shift from a model that relies on police investigation and prosecution procedures to one in which businesses and individuals take on greater responsibility for preventing computer crimes before they happen.

Wheeler also said that businesses -- currently nervous about how reported security breaches would be perceived by customers and shareholders -- needed to be less reticent about discussing their affairs with police and adopt a more cooperative model for tackling cyber crime.

"As time progresses, there's a need for that resistance to break down and to actually embrace law enforcement in a partnership approach to solving some of these issues and problems," he said.

Among other striking findings, the survey released today found that computer viruses and Trojans accounted for 45 percent of all organisations' total financial losses due to computer attacks for 2004.