The demand for mandatory data breach notifications in Australia has become louder as advisory firm, KPMG, has found in an annual risk report that some companies are using the lack of legislation as an excuse not to discuss security issues.
The report, entitled Risks and Opportunities, reported that security risks are being understated by organisations while inadequate research and development investment has risen to become the second most costly and the fifth most likely risk since the 2011 report.
According to KPMG Australia IT advisory partner, Ian Hancock, security risks are being understated both in terms of severity and the likelihood of the risk occurring.
“Companies don’t really want to talk online security breaches,” he said. “What they do instead is talk to the advisors in this space and have a number of closed industry groups which we facilitate. When we hold those discussions there is a lot more recognition of that risk so our belief is that it’s understated.”
He added that the fear of potentially exposing a company's brand by having public discussions about data breaches is another reason why some choose to rather not discuss.
Making the possibility of data breaches worse is the explosion of peronal devices onto the corporate network such as smartphones and tablets.
According to Hancock, this was increasing the likelihood of security breaches to occur because user behaviour was "unknown and unmeasured" with mobility devices.
“People are using the devices now for corporate and social purposes,” he said. “They are running the devices across public and private networks, using remotely to manage business critical processes and applications.
“All of this interconnectivity into the business processes through mobile devices is really changing the nature of the security threats that exist. My view is it’s taken a long time to control access to the Internet. The behaviours we are seeing are introducing new threats and issues.”
For example, the shift from PC based e-commerce to mobile e-commerce was causing security issues.
“The best example is the move from a [PC] based six to eight character length password which is changed on a 30-day basis to using a four-digit PIN on your mobile device,” he said.
According to Hancock, mobile encryption standards are different and IT managers are unable to manage and monitor the device in real time or respond to unusual behavioural patterns that might have occurred.
“I think security professionals are playing catch up on the things they need to do to manage the environment,” he said.
Follow Hamish Barwick on Twitter: @HamishBarwick