Warrilow said companies were fearful about the investment required to comply with the new Act as they had already spent heavily to comply with the Privacy Act. He said the Cybercrime Act placed an onus on companies to implement appropriate technology security measures, to the point that their failure to comply can open them to litigation from other companies compromised by their inaction.
"A lot of people are fearful of [the cost] because of the Privacy Act," Warrilow told ZDNet Australia. "A lot of businesses spent a lot of money on the Privacy Act." However, Warrilow said it didn't need to cost businesses that much to implement.
"All they need to do is make sure they have reasonable technology steps in place," he said. "What the Australian law enforces is 'reasonable steps'." What is considered 'reasonable' differs with each situation depending on risk. A financial company dealing with large money transactions would have a greater risk, and therefore require greater protection, than a corner store, where what is considered 'reasonable steps' would be significantly less.
"One of the big threats people still tend to ignore is internal employees," said Warrilow. "Even in these days of hackers and crackers the most significant threat comes from internal employees." Organisations need to train staff in IT policy and what constitutes acceptable behaviour, so that if something does go wrong they can indicate they took reasonable steps.
Warrilow will tonight be giving a presentation on "IT Security: Governance demands diligence. How vulnerable are you?" for Sun Microsystems and Macquarie Corporate, a managed security company.
Here's a tip...
How about lining all of the users up against the wall and shooting them? After all, it's they who open the unknown attachments in email. It's them who email work to home, which, due to it being a "home PC", tends to be less secure than the internal network.
No-one in the world is safe when a new exploit is discovered. Just because a lot of companies insist on using products that have weekly exploits discovered, with patches taking weeks, if produced at all, it doesn't mean the ISPs should be held accountable.
Should we hold the OS manufacturers accountable? Some seem to think we should, especially when we start looking at track records.
Ultimately it comes down to IT management. If you choose a high-risk product, have untrained/incompetent staff, or just don't keep up to date, it's YOUR fault.
Bitter pill to swallow, yes, but listen to all your staff, not just the toadies who kiss your butt. It's often the arrogant, somewhat cynical ones that have the better ideas.
Don't force someone else to pay for your mistakes.