Ignorance is not bliss for IT security

Information Technology Contract & Recruitment Association
By Julie Mills, CEO, Information Technology Contract & Recruitment Association
Monday, 07 September, 2015


Ignorance is not bliss for IT security

Clearswift, a multinational information security company, recently published a survey which found that 88% of businesses have experienced an IT or security incident in the preceding 12 months.

This may seem shocking to some, particularly in light of increased regulation by the Australian Privacy Commissioner and a greater global awareness of the dangers of ‘hacktivists’ (think Edward Snowden), but for those who work at the heart of IT management, this comes as no surprise at all.

This is not to say that privacy and data retention changes have made no difference whatsoever in the enhancement of business security protocols. It is undeniable that most companies have strengthened (or at least thought about) their protections against external threats such as viruses (remember the Heartbleed Bug?), malicious users and malware.

But alarmingly, 73% of the incidents were attributed to employees, ex-employees, contractors and partners — insiders. This is a sharp increase from the previous year, where only 58% of IT or security incidents were found to be caused by workers.

What this reveals is that companies are neglecting to treat the biggest security threat to their business processes: ignorance. Most of these workers are not acting maliciously, or intending to cause any problems. Rather, they are people who aren’t entirely clear about: which kind of confidential information can be kept and which needs to be destroyed; which kinds of threats exist in the workplace and how to prevent them; and what the company’s security protocols are and how to implement them.

These are straightforward, fundamental issues that can be easily cleared up. The true problem arises when the company itself is not sure about how to treat confidential information. The key question is, “Does your company have a positive privacy culture?” In asking this question the issues that need to be considered are:

  • Handling, holding, assessing, correcting and destroying information all requires clear policies and procedures.
  • Direct marketing, cross border and cloud data also require policies and protections.
  • Investigations are onerous and civil penalties apply in Australia: $220,000 for individuals and $1.1m for businesses.

Privacy Awareness Week, an initiative of the Asia Pacific Privacy Authorities forum — to which federal and state regulators in Australia and New Zealand are all signatories — was held in May, and it provided an ideal opportunity for everyone to consider privacy.

The Week emphasised the need for organisations to embed privacy practices into business-as-usual processes, and for individuals and the community to think about how to protect privacy in their everyday lives. It is worth noting that 1 in 10 Australians have reported misuse of personal information — unfortunately technology is the enabler, so there is a heightened responsibility for all of us to be diligent.

Over the past two years, the Information Technology Contract & Recruitment Association has been active in providing information and resources to the contracting and recruitment sector on the application of the Privacy Act in their businesses. The figures I’ve quoted indicate communication to business still has a long way to go.

Related Articles

Is the Australian tech skills gap a myth?

As Australia navigates this shift towards a skills-based economy, addressing the learning gap...

How 'pre-mortem' analysis can support successful IT deployments

As IT projects become more complex, the adoption of pre-mortem analysis should be a standard...

The key to navigating the data privacy dilemma

Feeding personal and sensitive consumer data into AI models presents a privacy challenge.


  • All content Copyright © 2024 Westwick-Farrow Pty Ltd