There is very little good news in the 2003 Australian Computer Crime and Security Survey released today, which shows a rise in attacks and a more costly and damaging impact on business.
And that's despite increased spending in the last 12 months by almost 70 per cent of the 214 public and private sector organisations surveyed for the report.
Even more disturbing is that business is less likely to report incidents to police compared to the first survey published by Australia's national computer emergency response team (AusCERT) in cooperation with the Australian Federal Police, Queensland Police, Western Australia Police and South Australia Police.
More than 40 per cent of respondents experienced one or more computer attacks which harmed confidentiality, integrity or availability of network data systems in the past 12 months.
There was a continuing trend towards externally-sourced attacks and average losses were estimated to be $93,657 compared to $77,084 in the 2002 survey.
Of those respondents who estimated the time it took for their organisations to recover from harmful computer security incidents, 12 per cent assessed that their organisations may never fully recover.
Despite high use of antivirus software and policies for developing controls against malicious software, 80 per cent were infected with a virus, worm or trojan and 57 per cent suffered financial loss as a result.
Alastair MacGibbon, Australian Federal Police high tech crime centre director, acknowledged most IT security incidents are not reported to police and steps are being taken to address this problem by engaging industry in a number of federal government initiatives, including the Trusted Information Sharing Network.
While the high tech crime centre is still being built, MacGibbon said it will eventually play a key role in partnering with business to combat cyber crime, including future sponsorship proposals where law enforcement may look at sourcing financial support from business.
"But we would only consider sponsorship under the strictest of government guidelines," he said.
MacGibbon said the survey reveals that the private sector needs to put security policies and procedures in place to protect its information systems, as the results show there is more work to be done.
Interestingly, only a few of the respondent organisations employ specialists with IT security certifications; MacGibbon pointed out that IT security is "not something you give to someone because they can program a computer".
Of those organisations with security-certificated specialists, vendor-based IT security certifications stood at 36 per cent and vendor-neutral certifications at 15 per cent.
Nearly 40 per cent of those surveyed were dissatisfied with the level of IT security qualifications, training or experience within their organisations.
AusCERT general manager Graham Ingram said the results show most organisations are still finding it difficult to manage and protect their information systems.
"In some cases, it is clear that organisations aren't aware of some relatively basic security issues and have paid dearly," he said.