Organisations responsible for the security and well-being of Australia's infrastructure are less aware of the government's own protection plans and less willing to cooperate with them than in previous years, according to a survey released by Symantec today.
The Critical Infrastructure Protection Survey was conducted by Applied Research and included 150 respondents within Australia, from the total of 3457 organisations surveyed worldwide.
It found that Australian organisations had a lower awareness of the various critical infrastructure protection (CIP) plans that the government had set up and were less engaged in them than in the past.
These plans include the Critical Infrastructure Resilience Strategy (PDF), the consultation paper (PDF) for the upcoming Cyber White Paper and the Trusted Information Sharing Network.
Vice president and managing director of Symantec, Craig Scroggie, said this was a significant issue in Australia due to who manages our infrastructure.
"In Australia, a large percentage of our critical infrastructure is privately owned or operated by a commercial company — they're not really government operated per se — and the government see their strategy as a way of improving the partnership between industry and government to improve the protection of critical infrastructure."
He said that the primary mechanisms of CIP plans were to build partnerships between business and government, but, according to the survey, only 30 per cent of Australian respondents were somewhat or completely aware of the government critical infrastructure plans being discussed, down from 66 per cent last year.
In addition, just 28 per cent were completely or significantly engaged in government CIP plans, down from 60 per cent last year. That could be because Australian companies are now less willing to cooperate with the government's plans. Last year, 72 per cent of respondents said they were willing. This year, that figure was down to 56 per cent.
But Scroggie said the risks to critical infrastructure hadn't gone away and in fact might be more significant.
"In the last 12 months we've seen an increase in the number of attacks on infrastructure. We've seen not only Stuxnet, but we've had Duqu, we've also had Nitro recently," he said.
"When we think in the backdrop of Australia, we see the advent and deployment of the National Broadband Network, we've got e-health strategies coming online, and those types of critical infrastructure are pretty important. If they were targeted maliciously, that could impact not just companies, but society at large."
While Australia hasn't had highly publicised attacks on the scale of the RSA-Lockheed Martin incidents, Scroggie said that didn't mean they weren't happening.
"While we may not have had the power network impacted, there are government agencies in this country that are under attack in a very malicious way designed to try and take down everything from the web system to infiltrate their networks. They're not a matter of public discussion because whether it's a company or a government agency, no one likes to talk about the serious risk of the cyber threat that they face."
Symantec director of government relations and public affairs, Ilias Chantzos, said that a large part of the problem was that, unlike most states in the US, which have data breach notification laws, Australia had none.
"In Europe, there are discussions about mandatory cross-sectoral requirements to have a security breach obligation for companies losing personal data and already such breach obligations exist in countries in Germany and exist for all of Europe for the telecommunications sector," Chantzos said.
"We obviously have the Australia Law Reform Commission's recommendations tabled in tranche two to be passed as law, and the quicker that happens, the easier the issue is going to be to quantify and measure," Scroggie said.
Verizon recently stated that Australia's lack of data breach notification laws was beginning to hurt its reputation as a leader in information security, a view echoing international attorneys-general who have said Australia should implement breach notification laws as a matter of priority. The lack of such laws has also seen Privacy Commissioner Timothy Pilgrim push for more powers to pursue companies that have been careless with their customers' personal information.