NZ business vulnerable to cybercrime

Fake charity appeals aiming to solicit credit card donations are often targeted at Australia and New Zealand. Photo / AP

As computer experts gather for one of the world's most important annual IT security conferences, new research suggests New Zealand businesses are more susceptible than most to the dangers of cybercrime.

Ahead of this week's annual RSA Conference in San Francisco - which brings together thousands of IT professionals to discuss keeping computer networks safe from attack - security company Symantec released a global study into the impact cybercrime was having on businesses.

Symantec's 2010 State of Enterprise Security study polled senior IT staff at 2100 businesses, both large and small, including 75 in New Zealand and 125 in Australia.

The local results suggest that on average, New Zealand businesses suffer more through cybercrime than businesses around the world typically do. Symantec did not provide survey results specific to New Zealand but said 89 per cent of the 200 Australian and New Zealand organisations it polled had reported experiencing cyber attacks over the past year, compared with 75 per cent of businesses globally.

Craig Scroggie, Symantec's Pacific region managing director, says he suspects cybercriminals were achieving a higher strike rate in this part of the world because we have a more relaxed culture.

New Zealand and Australian businesses are not as stringent on enforcing effective IT security policies as countries like the US, Scroggie says. We also tend to be more generous when it comes to helping out with what appear to be good causes.

He said fake charity appeals aiming to solicit credit card donations for causes - such as last month's earthquake in Haiti - are often targeted at computer users in the region because cybercriminals know they will get a better than average response here.

"Perhaps the reason we're reporting a higher number of attacks is that we've got a little further to go in terms of vigilance, and the cybercrime community tend to invest in where they'll get the best results."

Meanwhile the rise of cloud computing - IT applications delivered over the internet - is being tipped as a possible solution to many of the internet-related security issues businesses are facing.

Opening his company's annual week-long conference in the US yesterday, RSA president Art Coveillo said the rapid shift to cloud computing was "our opportunity to turn the way we deliver security inside-out".

"I say that because the cloud will force organisations to pay serious attention to their security management processes," Coveillo told the conference.

"We have the rare opportunity for a do-over, to be present at the creation and roll out of this new wave of computing with security built in from the get-go. We can be in on the ground floor to create an infrastructure that is actually more secure and more enabling of innovation than today's physical infrastructures."

A number of other security companies at the RSA conference are also focusing on the opportunities they see to cash in on the growing demand for cloud-related services.

Speakers at the event are also addressing ways to better educate computer users about the dangers of the criminal gangs behind the majority of internet attacks with a senior Microsoft executive suggesting IT security should be treated by Governments in the same way as public health threats.

Scott Charney, Microsoft's corporate vice-president for trustworthy computing, said a social solution-based approach similar to the healthcare model could help stem the power of cybercriminal networks.

Criminal cartels are behind most botnet-based attacks, sending out malicious programs over the internet which infect unprotected computers and then use those machines to themselves spread the code.

Charney said in the same way illness is passed throughout a community, when a computer user's machine became infected with malicious code "you're not just accepting it for yourself, you're contaminating everyone around you".

The costs of educating users on how to protect their computers, and of eradicating malicious code from machines that were infected, could fall to Governments, he said.

"You could say it's a public safety issue and do it with general taxation."

The education message appears to be making some traction in New Zealand, at least among those in business who are responsible for IT. Symantec's study found 43 per cent of New Zealand and Australian IT managers rated cyber-security as their business's biggest concern, ahead of natural disasters, terrorism and "traditional" crime. Scroggie said that concern reflected the ever-present danger of spam emails sent to businesses with the aim of attempting to steal confidential information.

"While traditional crime happens fairly infrequently, the challenge we have with cybercrime is that it is just unrelenting," he says.

According to the Symantec study internet-based attacks are costing businesses an average of US$2 million a year. Criminals are stealing databases of customers' personal information, credit card details, intellectual property and financial information.

The high price a cyber attack can have on a business - both financially and to its reputation - is one reason the hundreds of vendors attending the RSA conference are upbeat about the prospects for their own businesses over the next year.

As Scroggie puts it: "We've got more than enough to keep us busy."

TOP LOSSES

* A global Symantec survey of 2100 businesses (including 75 in New Zealand) found the top three reported losses globally were theft of intellectual property, theft of customer credit card information or other financial information, and theft of customers' personal information.

* In New Zealand and Australia, the top three losses were theft of corporate data (reported by 53 per cent of companies), theft of customer information (also 53 per cent) and identity theft (37 per cent). Australian and New Zealand businesses said the top three costs associated with cybercrime were loss of company data, damage to their brand, and lost revenue.

* Globally, internet-based attacks are costing businesses an average of US$2 million a year.

Simon Hendery is attending the RSA Conference 2010 in San Francisco as a guest of RSA.