Australian small-to-medium enterprises are hesitant to invest in compliance with the Cybercrime Act 2001 due to fears over the size of the bill, according to Michael Warrilow, senior consultant, META Group.

Warrilow said companies were fearful about the investment required to comply with the new Act as they had already spent heavily to comply with the Privacy Act. He said the Cybercrime Act placed an onus on companies to implement appropriate technology security measures, to the point that their failure to comply can open them to litigation from other companies compromised by their inaction.

"A lot of people are fearful of [the cost] because of the Privacy Act," Warrilow told ZDNet Australia. "A lot of businesses spent a lot of money on the Privacy Act." However, Warrilow said it didn't need to cost businesses that much to implement.

"All they need to do is make sure they have reasonable technology steps in place," he said. "What the Australian law enforces is 'reasonable steps'." What is considered 'reasonable' differs with each situation depending on risk. A financial company dealing with large money transactions would have a greater risk, and therefore require greater protection, than a corner store, where what is considered 'reasonable steps' would be significantly less.

"One of the big threats people still tend to ignore is internal employees," said Warrilow. "Even in these days of hackers and crackers the most significant threat comes from internal employees." Organisations need to train staff in IT policy and what constitutes acceptable behaviour, so that if something does go wrong they can indicate they took reasonable steps.

Warrilow will tonight be giving a presentation on "IT Security: Governance demands diligence. How vulnerable are you?" for Sun Microsystems and Macquarie Corporate, a managed security company.

Copyright © 2009 CBS Interactive, a CBS Company. All Rights Reserved.
ZDNET is a registered service mark of CBS Interactive. ZDNET Logo is a service mark of CBS Interactive.