Australia’s “she’ll be right” attitudes are holding back some enterprises when it comes to adopting advanced computer security platforms, according to CyberArk local country manager Sam Ghebranious.
That attitude has persisted in local organisations, he said, but recent high-profile attacks against iconic Australian retailer David Jones meant that computer security was finally an issue receiving board-level attention.
“Even if the attack on David Jones was just accessing customer names and addresses, it was an embarrassment,” said Ghebranious.
CyberArk sells systems that manage and protect privileged user accounts in a bid to prevent hackers from getting access to the keys to the kingdom. The firm has installed its system in three of Australia’s big four banks, and it is also making headway in the government, utilities and resources sectors.
But with only around 95 local customers for its systems, it appears there are still many organisations either reliant on alternative systems or placing their faith in perimeter security, according to the company.
Ghebranious’s caution came a day after David Irvine, the former head of Australian spy agency Asio, warned that the nation at large was facing an increased risk from having its computer systems compromised by terrorist organisations.
Speaking at the launch of the Australian Strategic Policy Institute’s (Aspi) second survey of cyber maturity in the Asia-Pacific (Apac) region, he warned that these attacks would not only be levelled at government datacentres, but also against commercial operations, in the hope of disrupting normal business operations.
With as much as 5% of Australia’s gross domestic product now classed as “digital”, there is plenty of opportunity for the disruption of both normal commercial businesses and the broader national economy.
Aspi’s report noted the relative maturity of the Australian market with regard to overall computer security, but lamented the “paucity of coherent national cyber policy”. It did, however, acknowledge that this may be addressed by the government’s promised – but yet to be released – cyber strategy.
Widespread deployment of internet of things (IoT) networks was also identified as a potential new threat for enterprises, as it significantly extends an organisation’s online perimeter and makes it harder to protect completely.
The cost of disruption from unauthorised computer access is already high in Australia. In October 2015, HP released the Australian cut of the Ponemon Institute’s report into the cost of cyber crime. The average annualised cost of cyber crime, based on a sample of 28 Australian organisations, jumped by 13% to AU$4.9m.
It also revealed that the average cost to an Australian organisation to fix the issue was almost AU$420,000 and that it typically took 31 days to resolve a situation.
The report did note, however, that investing in security technologies and programmes could help keep the cost of disruption in check.
“For example, Australian companies with encryption technologies experienced average cost savings of AU$1.6m, while those with security intelligence systems experienced average cost savings of AU$1.5m. In addition, companies with expert security personnel saved an average of AU$1m,” the report said.
There is certainly a growing appetite to invest in IT security platforms. For example, Australian bank and financial services provider Westpac revealed that it grew its IT security budget sevenfold in the past 12 months to better protect its data and operations.
During its recent symposium on the Gold Coast, analyst Gartner predicted that by 2017 the typical IT organisation will spend up to 30% of its budget on risk, security and compliance, and will allocate 10% of its people to these security functions – triple the levels of 2011.