Risk Analysis: First step to protection
Both Smith and David agreed that the initial step for Australian organisations looking to implement an effective security solution and protect themselves from cybercrime is to undertake a comprehensive risk analysis process.
"Businesses should first and foremost design an enforceable security policy," says IDC's David. "This should be based on risk management principles. While the business cannot totally eliminate all risk from breaches in security, it can mitigate areas where it will have most damage to corporate reputation, assets and revenues."
Smith stated, "Security needs to be taken seriously and have buy-in from the executive level down. A Risk Assessment [should be done] to determine the likelihood of compromise and the associated risk (and cost) to the business." According to Smith, the resulting Risk Assessment report is important because it helps management determine the potential exposure of the business and justify the expenses required to address those problems.
Part of the problem in the past for businesses has been the lack of a risk analysis before going live with a particular technology, an issue that Smith believes has been downplayed by companies and IT consultancies in Australia. "The tendency in the past has been to throw a technology at the security problem without even defining what that problem is," said Smith.
One aspect which IDC's David believes is underestimated in the Australian market is the fact that most organisations only implement a security solution after their systems have already been compromised. "There is a dangerous complacence when it comes to online security in Australia," she warns.
Nevertheless, InterSect Alliance's Purdie suggests that one of the major difficulties with implementing a proper security policy in Australian businesses involves inappropriate technical solutions. "[The biggest problem is] without question, understanding how to map organisational objectives to security countermeasures, and how to effectively apply and manage such countermeasures," says Purdie. "Often, the reason that an ineffective security solution may be chosen is that communication was poor, and an adequate understanding of the organisational priorities was not achieved in the risk analysis process."