August 26, 2002, 3:42 PM — Australia's IT industry is talking tough about security, but it's certainly not translating into dollars, with medium to large companies averaging a measly spend of A$33,000 (US$18,000) per annum.
Even more alarming is that up to 40 percent of businesses have no formal written IT policy and a further 34 percent spend less than A$10,000 a year on IT systems security.
According to a survey by consulting firm CSC of 80 medium to large businesses in Australia, organizations "baulk at the initial outlay" required to invest in security despite greater awareness and concern about the impact of a serious security breach.
Asked where this figure of A$33,000 is being spent, CSC's director of global information security services, Kim Valois, said the survey didn't address this question but it is likely to be on a bi-annual audit.
"I suspect these organizations have a firewall and anti-virus software in place but no real strategic defense despite 70 percent of those surveyed rating the security of their IT systems as a high priority," Valois said.
Even more revealing is the fact that 80 percent were unaware of any security breaches or losses suffered by their company in the past 12 months.
Valois said greater investment in systems used for preventative measures and procedures is needed to detect breaches and alert managers to disruptions or damage.
Interestingly, 69 percent of respondents nominated loss of an organization's assets or intellectual property as being a main area of concern.
CSC's senior security architect, Gilbert Alaverdian, demonstrated his expertise as an ethical hacker, showing how easy it is to penetrate a system.
Alaverdian said hackers regard firewalls as gates that can be opened with the right protocols, rather than fences that have to be jumped over.
He said security is not really an obstacle because hackers just take advantage of common product vulnerabilities, especially default configurations, poor or nonexistent security on servers or operating systems, older versions of applications that are vulnerable to penetration, and weak passwords.
The survey sample was drawn from Dun & Bradstreet lists purchased specifically for the project and contained contact names for CIOs, IT managers and MIS managers. The main areas of concern were disaster recovery and business continuity planning and virus/worm outbreaks.