Bosses put company data at risk

Executives may want to use new devices before the IT department has made them safe. Photo / APN

Bosses bringing their iPads or new smart phones into work can be putting their own companies in danger of costly cyber attacks, says a security consultant.

Aura Information Security's Andy Prow said executives could be the most risky members of an organisation because they might not understand the cyber threats they faced.

"The first people in an organisation to get iPads or Blackberry's will be the [executives] because it's cool and they want it." Prow said.

"IT says, 'Well we don't support that device yet', and the execs say, 'Well it doesn't matter ... set it up so I can access my email'."

However, while more bosses were wanting to use new devices at work, Prow said they were not necessarily secured properly.

"Particularly at the executive level they understand why the corporate systems must all be looked after and protected but haven't understood why things they use on a regular basis must also come under those constraints."

Prow also said the types of information that executives were accessing tended to be some of the business' most crucial information such as sales plans or information about new products.

However, if corporate data was breached or "millions of dollars go out of a company that shouldn't have" after a cyber attack, bosses were the ones that had to answer to their board or the media, he said.

Prow was part of a panel discussion on cyber crime hosted in Auckland yesterday by insurance company Chartis.

According to Chartis, cyber crime is on the rise and the risk of data theft - whether intellectual property or client details - could be hugely expensive for a business.

Chartis' Ian Pollard cited a study which said cyber attacks cost New Zealand companies $625 million last year.

As well as outsiders trying to get into a business' systems, disgruntled employees could also be responsible for cyber crime and the theft or leaking of data, Pollard said.

Ernst & Young senior manager of fraud investigation, Matt Hammond, was also a speaker yesterday and said many businesses had "massively understated" cyber threats.

Hammond said the "monetisation of data on the black market" has created a world where people "can convert data into cash".

DAC Beachcroft's Mark Anderson said there was a myth in business that only companies holding credit card details would be a target for cyber crime.

"There's a real commodity in data beyond credit card details," he said.

Prow said hacking a company for data had been turned into a "business operation" and overseas attacks were very difficult to trace.

He said: "We see a huge amount of complacency [from companies] ... cyber security just isn't on their radar, it's been in the news but it's that whole, 'It won't happen to us, we're not a target, we're down in New Zealand, we don't have any juicy data'."

CYBER ATTACKS
July 2010: Singapore's largest banking network brought to a halt and customers were unable to access ATMs or internet banking services.
August 2011: Sony PlayStation hacked and 77 million users had confidential information stolen.
October 2011: Thai Prime Minister Yingluck's Twitter account hacked and tweets criticising the Government sent out.