Despite the current focus on security stemming from the massive data breaches that resulted from hackers exploiting low- and high-level system vulnerabilities, few businesses in the UK and Australia are interested in auditing systems -- even when they're free.
The head of the UK's Information Commissioners Office (ICO), Christopher Graham, on Wednesday complained that the bulk of private businesses his office had offered free security and privacy audits to had snubbed them.
Just 19 per cent of the businesses his officers contacted took up the free offer, which was aimed at ensuring its private sector complied with the nation’s data protection laws.
“Lenders, general businesses and direct marketing companies account for almost a third of total complaints to the ICO, and businesses were the top sector for reporting data security breaches to us last year,” said Graham.
Perhaps the most widely reported of those breaches occurred at pirate hunting UK law firm, ACS Law, which inadvertently posted its email database during the restoration of its website after suffering a distributed denial of service attack.
“Despite this, many of them are still resisting our offer to undergo audits," Graham continued. "We’ve written to organisations we consider to be high risk but the response has been disappointing.”
Public sector agencies were more willing to undergo the data protection audits, with 71 per cent agreeing to the process. Still, just 30 of the 100 organisations which had been made the offer took it up.
Graham insisted that the audits were not about “naming and shaming”, despite having done just that to several National Health Service organisations in the past week.
The private sector audit drive was in partially a response to the fact that 186 of 603 the breaches reported to the ICO in 2010/11 occurred in that sector.
Australia’s not so different landscape.
If Australia’s Office of the Information Commissioner were to make a similar offer, it would probably record an even lower uptake, according to IBRS security analyst, James Turner.
“Most organisations wouldn't be able to take advantage of it because they simply don't have sufficient staff to take on extra load that the results of such an audit would probably require,” he told CSO.com.au.
Jason Edelstein, chief technology officer of security firm, Sense of Security, said that staffing shortages in the public sector would undercut such efforts, but that the private sector had become more cautious as a result of the spate of attacks by groups like Lulz Security and Anonymous.
“As most government departments are terribly understaffed they would be reluctant to facilitate such an audit,” Edelstein told CSO.com.au.
“Once it is on record there are issues they are forced to put in place an action plan with remediation deadlines, but with limited funding and resources how would they remediate?”
On the other hand, Edelstein claimed to have “a number of organisations” currently undergoing privacy audits in response to the attacks launched by Anonymous and Lulzsec.
“Many of them are starting to design solutions around the encryption of PII,” he said.
But Australia faced a broader underlying challenge that gave public and private sector organisations little incentive to respond to real or perceived threats.
“Australia has such skimpy privacy laws that very few organisations are incentivised to take this issue seriously,” said Turner.
“When the office of the privacy commission wants to get militant, the best they can punish an organisation with is a sternly worded press release.”
In contrast, the UK’s information commissioner was recently granted authority to issue fines up to £500,000 (AU$747,000) for significant data breaches.
Australian organisations were made a similar discounted audit offer, according to proprietor of penetration testing firm, Hack Labs, Chris Gatford, but few took it up.
“The NSW Auditors General Department tried a similar program, offering to pay 50 per cent of any security assessment piece of work. This ultimately was retired as very little uptake occurred,” he said.
That offer's appeal was tarnished by the plan for audit results to be shared with Attorney Generals Department’s Computer Network Vulnerability Assessment program, which was part of its Trusted Information Sharing Network for critical infrastructure providers.
Gatford agreed that giving Australia’s Information Commissioner some teeth could make conducting such audits worthwhile.
“The data protection act has a some teeth in the UK, where here, in Australia, we really don't seem to have any legal muscle or if we do it is not being flexed,” he said.
“I have yet to see any action taken to penalise organisations for loss of sensitive data on Australian residents,” he added, pointing to the Australian Privacy Commissioner’s response to last year’s Vodafone breach.
Businesses should be assessing the maturity of their security and governance program, said Gatford, and if that was not possible, an audit against best practice of all common IT security control domains was a good starting point.
Edelstein recommended annual penetration tests, ongoing vulnerability management, encryption of personally identifiable information and the implementation of a data classification policy that reflected the security requirements for different types of information.