Security continues to take a low priority in IT budgets, despite the fact that security incidents were experienced by 87 per cent of New Zealand organisations, according to a survey by the Security Research Group (SRG) of the University of Otago. The most common incidents suffered by local organisations were virus infections, laptop or mobile hardware theft, insider abuse of net access or email and ‘ripping’ of music or movies.
While most respondents (85 per cent) to the survey monitored for unauthorised use and almost a quarter (22 per cent) experienced intrusions, only 16 per cent reported those incidents to law enforcement agencies.
The main reasons intrusions were not reported were that respondents did not know of law enforcement interest (32 per cent) and the fear that negative publicity would harm stock prices or image (24 per cent).
The 2006 New Zealand Computer Crime and Security Survey, released last month and conducted in partnership with the Government Communications Security Bureau, Centre for Critical Infrastructure Protection, New Zealand Police and the Computer Security Institute, also found that security takes a relatively low priority in most IT budgets. Two-thirds of local organisations invested less than 5 per cent of their IT budget on security issues — a level that Australian research has found to be insufficient. More than two-thirds of respondents believed aspects of security were not appropriately funded.
The local decline in use of cyber-incident insurance also continued in 2006, with use sliding from 31 per cent in 2004 to 16 per cent in 2006. The most common security effectiveness evaluation technique was email-monitoring software (84 per cent), followed by web-activity monitoring software (79 per cent) and penetration testing (72 per cent). Automated tools to check network configuration were being used by 46 per cent of respondents, up 11 per cent compared to last year’s survey.
KPMG IT advisory partner Rupert Dodds, who was not connected with the survey, questions why so many incidents had been reported at a time when no new security risks had appeared. “Security threats and risks have remained broadly static for a number of years. Businesses know what the security risks and issues are and we know how to fix them. So why then is there still a major problem, with 87 per cent of survey respondents experiencing an incident?”
Dodds says he believes that within many businesses security is not discussed as a business risk. It is seen as a technical issue and, partly as a consequence, security is under-funded. “Many businesses see security as a technical issue, whereas security is foremost a people and process issue.”
Dodds says another problem is businesses not assigning security to properly qualified staff. According to SRG, 53 per cent of respondents have no IT staff with any security qualification. Dodds says internationally acknowledged certifications such as Certified Information Security Manager and Certified Information Systems Security Professional exist, “but these have a low uptake in New Zealand”.