Data leakage is the single biggest IT security issue facing Telstra with up to 500 cases reviewed each year by the telco's investigation unit.

According to Telstra's corporate security and investigations (CSI) unit general manager, Nic Martin, data leakage is the biggest risk to Telstra.

"We are reviewing up to 500 cases at any given time," he said.

"The most common cause for leaks is employees slipping classified information to the media, while cybercrime, notably denial of service (DoS) attacks, regulatory and compliance risks, and geopolitical issues follow in Telstra's top 10 security risks."

The company has set up an anonymous whistle-blower help line, which according to Martin, helps reduce the threat of data leakage from disgruntled employees.

"Some of the data leaks are from employees who are unhappy about something but feel they can't speak up; the whistle-blower line lets them voice their opinions without fearing they will be reprimanded," he added.

Martin said the unit is the hub of all Telstra's security operations from collaborating with state and federal police, to plugging data leaks, to getting sales, marketing and executive management on the security bandwagon.

Martin created three commandments to guide Telstra's security culture; team leadership, engaging users, and measuring results.

He describes the CSI unit, which has 75 staff across departments including law enforcement and agency operations, legal and court support, crisis management, and business resilience, as a self-reliant team which plays a part in all of Telstra's Asia Pacific security.

"Telstra plays a massive role in anything it is involved in; [the CSI team] has been tasked with running critical operations for the NSW Police during the Asia-Pacific Economic Cooperation (APEC) Summit, which is a lot of pressure," Martin said.

Speaking at the Security 2007 conference this week in Sydney, he said the team also supplies up to 300,000 pieces of information each year to the Australian Federal Police, under acts such as the Telecommunications Interception Act.

It is also responsible for pursuing threats made against call centre staff by disgruntled customers, and with security breaches made by Telstra, such as the publication of silent numbers where it offers to reimburse the customer with security equipment if required.

The team is responsible for garnering support from senior management and users which involves a string of security workshop sessions and translating complex problems into simple solutions.

"The staff in the group are the experts, so it is their responsibility to get senior management onside by showcasing our work in terms that mean something to management and in a format they can understand," Martin said.

"We produce a half-yearly report for management which keeps them informed and allows us to do our job; you must articulate what you do in a document if you want managerial support."

The CSI group held 113 face-to-face security briefings with executives last year, and 25 workshop sessions with internal departments with the biggest turnout drawing more than 2000 staff.

The team also designs security pitches to supplement large customer contracts.

"Security is not about return on investment or training; it's about seeing downward trends in security issues," Martin said.