The 2005 Australian Computer Crime survey released today has painted a positive landscape for Australian IT professionals; however, end user education is still lacking and remains the weakest link in the security chain.
An overall decrease in successful attacks proves the message is getting through and problems are being addressed, Australian High Tech Crime Centre director Kevin Zuccato said when releasing the survey at the AusCert conference on the Gold Coast.
"But this doesn't mean IT security professionals can buy a banana lounge and sit on their laurels, there is still a lot of work to do," Zuccato said.
While denial of service (DoS) attacks have dropped in number, they were the greatest cause of financial losses in 2004.
Only 35 percent of respondents to the survey said they had experienced attacks so far this year, down 6 percent from 2004.
Infections from viruses, worms or Trojans fell 24 percent (88 percent in 2004, 64 percent in 2005) and the number of external attacks fell 7 percent from last year (81 percent in 2005). Of the respondent organizations hit by DoS attacks, 14 percent reported financial loss with total losses reaching $9 million. Every industry sector remains concerned about phishing and Trojan attacks, Zuccato said, but industry seems to be winning the fight.
Australia's Computer Emergency Response Team analyst Kathryn Kerr agreed the results are encouraging, but said changing end user attitudes is a big challenge.
"Consistently over the last three to four years changing the users' attitude to security at the enterprise level has been a constant problem; there is the perception that this is contributing to attacks and that poor security culture is a perennial problem," Kerr said.
"The good news is more people are using standards, technologies, policies and procedures, which is helping."
The report found a 28 percent increase in the use of IT security standards from 2003, rising 37 percent to 67 percent in 2005.
In 2005, AusCert managing director Graham Ingram said, the focus is on identity theft. The use of legitimate identities for illegal activities has made the crime more difficult to detect and as a result new approaches have to be developed to help combat it.
"A lot of financial fraud has been based on false credentials - this has, in the main, been the standard. Using legitimate credentials to conduct fraud makes it much harder to detect," he said.
Michael Crawford travelled to the conference as a guest of AusCert.