Australian-based analyst Hydrasight has teamed up with Colorado-based researcher Enterprise Management Associates (EMA) to release a study on the current state of global enterprise information security.
The report draws a comparison between the theft or breach of confidential information and computer-facilitated financial fraud and the impact it has on organizations in terms of share price.
While the organizations studied were based in the US, the findings reflect a similar security environment in Australia.
Scott Crawford, senior analyst with EMA, said within four weeks of public disclosure of details of an information breach, negative responses show up in the form of falling share prices. The impact can be disturbing, he added.
"EMA recently followed the closing stock prices of six US companies which had disclosed an information security breach between February 2005 and June 2006.
"Within a month of disclosure, the average price of these stocks fell by 5 percent, and remained in a range of 2.4 to 8.5 percent below that of the date of disclosure for another eight months," he said.
"The stocks did not recover to pre-incident levels for nearly a year."
Michael Warrilow, Hydrasight managing director, said there is a historical and continuing lack of investment in securing sensitive commercial information in Australia. Warrilow said whether it's private customer data or 11 secret herbs and spices, it is a broad area which most Australian companies neglect.
"The reason some companies are doing so well in relation to protection from viruses and worms is that they have been battered for so long they had to get better protection, but not that many have even looked at internal identity or information management as such an idea is still relatively immature," Warrilow said.
"This is true across the board outside the finance and government space for security, but it is not all due to regulation; information security practices are just baked into the culture for better or worse. In the private sector, companies do not have the classic, government-type mentality which is procedure-based and workers are forced to follow policy.
"Broader moves to bake security into products by vendors will make it easier for organizations, but there is still work to be done on the people side and once you get outside the government and finance space there is still a long way to go as most industries have either basic or rudimentary technology, even old usernames and passwords stored on Active Directory - this is an area where a lot of Australian organizations need to improve."