Gartner Group warns of Net vulnerability

BRISBANE (SCMP) - Asian businesses are woefully unprepared for crippling attacks over the Internet, an international conference was told on Tuesday. Joe Sweeney, an Internet specialist with Gartner Group, said 80 per cent of companies in the region had faced threats to their networks, yet few had taken adequate precautions to prevent a major disaster.

"It doesn't even register on the radar screen for many of them, but the problem is very real," he told attendees of Gartner's Australia Symposium/ITxpo 2000 in Brisbane this week. "The managers I meet in this region don't even want to know about this stuff because they have other things to worry about."

The threat from hackers, corporate espionage and even blunders by poorly trained staff has increased as more companies put their operations online looking for customers and increased efficiency.

There are now regular reports of Web sites being defaced, information being stolen and the embarrassing accidental disclosure of people's personal data.

Relatively crude viruses such as Melissa and ILOVEYOU created widespread disruption for the Internet, shutting down networks for days and leading some analysts to predict doom if anyone with significant resources and enough motivation ever decided to launch a catastrophic Internet attack.

Gartner has also tracked the rise of "hactivism" or politically motivated network attacks in Asia recently. Even countries are getting in on the act, and there have been reports of China openly encouraging online attacks on Beijing's political adversaries like Taiwan.

Mr Sweeney said that without an adequate system in place, companies have trouble formulating an appropriate response to security incidents.

He noted two recent incidents in the Philippines in which a company overreacted and shut down its network when it thought a hacker was trying to break in. At one point, the information technology staff just pulled the plug on the server without going through a proper shutdown.

To deal with future problems, Mr Sweeney said a small, but growing number of companies are investing in cyber-emergency response teams - a rapid-reaction force of technicians, legal experts and managers who can detect, contain and remove a threat before it blows up into a major disaster.

"They need a good mix of people who can move fast and make the right decisions," he said.

The teams can be given sweeping power over the corporate network, with the ability to override management decisions and fire workers who violate security protocols. They are encouraged to think like hackers and try to stay one step ahead of the threat.

The demand for security specialists has put a premium on salaries, and Mr Sweeney estimated top staff command wages in the range of US$250,000 a year.

But even if hackers are tracked down, how companies deal with them can be a sensitive situation in Asia, Mr Sweeney said. Involving the local police in an event can turn a computer problem into a major public relations disaster.

"In China, they shoot hackers," Mr Sweeney said. "As a multinational company, do you want that on the books?"

Meanwhile, countries are getting active where corporations are not, setting up national emergency response teams.

Hong Kong is one of the few developed economies in the world without a formal team in place to deal with cyber-emergencies. While Singapore, Japan and most Western countries have had government-supported programs in place for years, the Hong Kong Government has dealt with computer emergencies on a piecemeal basis, using staff from several departments.

Hong Kong Government officials last week told Legco that an emergency response centre will be in place by the end of the financial year.