Legal pitfalls in Australian IT security screw-ups

Australian businesses aren't switched on enough to the legal ramifications of lax IT security, according to analysts and lawyers.

The warning comes as the focus on IT security issues, by both industry and government in Australia, has continued to grow over the past year.

Michael Warrilow, senior consultant at analyst META Group, told ZDNet Australia there is clear empirical data that shows companies have been taking an uncoordinated, uninformed, and unplanned approach to security.

"Research on IT spending shows a consistent underspend," Warrilow said. "I think that needs to change."

He estimates that currently Australian organisations are spending between one and two percent of their IT budget on information security. However, he does concede that at the big end of town this spending could be higher.

Warrilow argued that Australian businesses should be spending more like five to seven percent of their IT spend on information security, and estimates that this will be the case within the next five years.

Leif Gamertsfelder, head of the e-security group at law firm Deacons, admitted that IT security involves a long education cycle for Australian businesses. But, he added, because the technology was so new, that was the nature of the game.

And for businesses that don't get their IT security right? Gamertsfelder said the ramifications can be numerous, ranging from costly contractual disputes, to fines under the Trade Practices Act, to orders made under the Privacy Act.

Although Gamertsfelder said some Australian businesses were doing a good job in this area, Australia generally tended to lag behind countries such as the US.

He attributed this to a stronger focus on these issues in the US, because they are often subject to attacks earlier.

Research from GartnerG2 has also found that through to 2005, 90 percent of cyberattacks will exploit known security flaws for which a patch is available, or a solution is known.

"A proactive security posture doesn't mean that you attack hackers before they attack you — it means you have a well-developed response plan and keep looking for the early indications of an attack," Richard Mogull, research director for GartnerG2, said in a statement.

Dr Adrian McCullagh, a solicitor at Freehills, also argued that trends at the legislative level, together with recent cases, have highlighted a requirement for businesses to take a strong corporate governance position when it comes to managing their IT security.

McCullagh said Australian businesses had an obligation to change the environment to protect their information assets from both internal and external threats.

This view is shared by Martin McEniery, also a solicitor at Freehills. McEniery warned that unless businesses have an organisation-wide approach to IT security they are exposing themselves to risks that can't be addressed by technology alone.