New research suggests that cyber-crime in the workplace is something of a silent epidemic.
While most large New Zealand organisations admit to experiencing some form of IT security breach, a significant number are choosing to keep quiet when it happens.
That is one of the findings of a new survey on computer crime and security carried out by the University of Otago.
The survey polled over 200 businesses, government agencies and other large organisations and found 87 per cent had experienced security incidents ranging from virus contamination through to theft of hardware, abuse of email or internet access, or cases of illegal downloading of music or movies. The average cost of these security incidents was substantial: $452,000 per organisation per year.
Despite the heavy financial burden computer crime and security breaches place on organisations, almost half of those surveyed told the researchers that when they got stung, they kept the details to themselves.
The most common reason cited for not reporting intrusions or computer crime to the police or other authorities was that competitors could use the information to their advantage.
Many organisations said that rather than involve the authorities, they believed that seeking some sort of civil remedy was their best resort in such situations because negative publicity about the incident would hurt their organisation's image.
More than half also claimed to be unaware of law enforcement agencies' interest in such incidents.
The source of these findings - the New Zealand Computer Crime and Security Survey - was released this month and is touted as the first survey of its kind to review IT security in New Zealand.
Modelled on the annual Computer Crime and Security Survey conducted by the US-based Computer Security Institute (CSI) and the FBI's Computer Intrusion Squad, the New Zealand survey will also be conducted annually.
It aims to provide a comparative benchmark for IT security in this country compared to the rest of the world.
While it probably goes without saying that a large number of IT professionals would like to see more money budgeted for their department, two-thirds of respondents to the survey said they believed aspects of security within their organisation were "inappropriately funded".
Levels of training in the security and IT forensics areas were also flagged as a concern by respondents.
"While most of the organisations reported they have at least some security technologies in place, not many organisations have staff with adequate training in IT security," says Spike Quinn, of Otago University's Security Research Group, which conducted the survey.
"Few organisations are prepared for preserving digital evidence of computer-related incidents."
This finding reinforces results from another study Quinn completed last year which assessed IT managers on their knowledge of protecting a trail of electronic evidence for use in court.
"Most organisations did not have a forensic policy or realise the importance of it - it didn't feature on their radar. The commercial and legal implications of this are huge. Knowing how to preserve digital evidence in a way that makes it admissible in court is crucial. The protection of data can mean the difference between a conviction and a case being thrown out in a court of law," he says.
However, given the survey's findings around the reluctance of organisations to involve the authorities over cases of cyber-crime, Quinn's concerns about evidence preservation may go over the heads of many.
The issue of the business community's unwillingness to report computer crime for fear of generating embarrassing publicity is one the police are aware of.
Responding to the Otago survey's findings, Maarten Kleintjes, national manager of the police electronic crime laboratory, told industry magazine Computerworld he was aware of the under-reporting issue.
As well as fearing bad publicity, organisations that fell victim to cyber-crime worried that police would not be interested in investigating, he said.
To counter this, police had plans to set up a high-tech crime reporting centre in partnership with other government agencies that would be staffed by IT experts able to deal with complaints discreetly, Kleintjes told Computerworld.
Overall, the survey's findings provide some hard data to back up anecdotal views within the IT industry that many businesses are complacent when it comes to investing in security.
There seems to be an imbalance between the near-$500,000 average cost of security incidents and the amount organisations invest in staff, training and equipment to combat cyber-crime.
As the report concludes: "managing security effectively should be recognised as a financially necessary part of operating a business rather than an option, yet two-thirds of respondents believed aspects of security were inappropriately funded."
Mum's the word over IT fraud