Security incidents going unreported: CERT Australia
- — 18 February, 2013 12:46
Computer Emergency Response Team (CERT) Australia has called for more Australian organisations to report cyber security issues to the police following the results of its annual survey.
The Cyber Crime and Security Survey 2012 received responses about cyber security preparedness from 255 companies, which partner with CERT Australia. According to the survey, 44 per cent of respondents did not report cyber security incidents to law enforcement agencies such as the Australian Federal Police (AFP).
When asked why they had chosen not to file a report, 74 per cent stated that they did not think the incident warranted investigation.
In addition, 35 per cent of respondents wrote that they did not believe law enforcement agencies had the capability to conduct an investigation while another 26 per cent believed the cyber criminal would never get caught.
Of the companies who did report one or more incidents, 44 per cent were filed with a law enforcement agency while 29 per cent contacted CERT.
“Out of those respondents who did report a cyber security incident to law enforcement, 33 per cent stated that it was their understanding the incident was not investigated and 29 per cent stated they did not know the outcome from the referral, while 8 per cent of matters referred to law enforcement were reported to have resulted in a person being charged,” the survey said.
“These findings highlight that the CERT needs to articulate to business the benefits of reporting cyber security incidents to CERT Australia and to law enforcement, and that all information provided to the CERT is held in the strictest confidence.”
Turning to the type of cyber security incidents companies experienced, theft of a notebook, tablet or mobile device was the most common security issue with 32 per cent reporting that this occurred.
Viruses or worm infections were experienced by 28 per cent of respondents while Trojans/rootkit malware affected 21 per cent of businesses.
Unauthorised access and breach of confidential information were reported by 18 and 17 per cent of respondents. In addition, 16 per cent of companies experienced denial-of-service attacks.
Of the respondents who knew they had suffered an electronic attack, 71 per cent reported they had been subject to between one and five external attacks, whilst 44 per cent reported they had been subject to one or more internal attacks.
Turning to the computer security technologies used by organisations, more than 90 per cent of respondents indicated that they use antivirus software, spam filters, and firewalls.
In addition, more than 80 per cent said that they use access control and virtual private networks (VPNs) while 60 per cent use intrusion detection systems (IDS).
Almost half of respondents had deployed reusable passwords and multifactor authentication technologies such as biometrics, smartcards and tokens.
The survey also found that basic security policies are being applied by the majority of surveyed organisations. For example, 84 per cent deploy user access management while 73 per cent have external network access control.
However, CERT Australia reported that there are still areas for improvement. Less than half of respondents had plans in place for the management of removable computer media, such as USB sticks, and less than 25 per cent had policies and procedures in place for using cryptographic controls.
Only 12 per cent of respondents reported having a forensic plan in place. According to CERT Australia, these plans help monitor use of the ICT systems, provide mechanisms to recover lost data, and provide ways to protect information on systems.
While there were still areas for improvement with security policies, the survey did find that 52 per cent of respondents had increased their IT security expenditure in the previous 12 months.
“While it is unknown where this expenditure was directed within an organisation, it is a positive step demonstrating the need for continual investment in information security,” read the report.
Forty-two per cent had not increased their spending and 6 per cent did not know if their spending had increased or decreased.
About 11 industry sectors took part in the CERT Australia survey, with the greatest representation coming from energy (17 per cent), defence industry (15 per cent), communications (12 per cent), banking and finance (9 per cent).
Follow Hamish Barwick on Twitter: @HamishBarwick