Looking at some international humiliations, such as the theft of the Australian Security Intelligence Organisation's (ASIO) blueprints for its new building in Canberra, and the US military's loss of its blueprints for the new F-35 Joint Strike Fighter (of which Australia has agreed to buy another 58 planes for $12bn), both were hacking jobs originating in China. Chances are, if someone really wants to get at your information, they can.
New privacy laws
With such a variety of non-technical threat vectors, how does a security manager keep up — especially now that Australia's new privacy laws mean that a company can be harshly fined, and (presumably) the staff member sacked, as a result of any breach?
Telstra was recently fined a hilariously small amount, $10,200, for breaching the privacy of 15,775 customers. Even under the new amendments to the Australian Privacy Act 1988, the maximum fine that can be delivered is just $1.7 million — chump change to a corporation of Telstra's size.
Most of those at the ARN table seemed to agree that the financial imperative of the new amendments was unfairly weighted against small businesses, but it was agreed that the reputational damage is where the law might have more sticking power.
"The majority of our clients aren't yet as proactive as they need to be, but with compliance and regulation bodies it is raising that profile a bit. And it is the old adage of compliance is binary and security isn't. Security is a process and it's an ongoing process and compliance is point in time," Dimension Data's Ettridge said.
The biggest problem is the tight nature of the market — resellers are making promises they can't keep to pull in the clients, and the clients themselves have far less money and resources to expend on security. The key change has been the compliance push by the government (including local government), which refuses to work with non-compliant partners. This is now spreading into the private sector. This means businesses that had been dragging the chain are now panicking to get up to speed, be it with PCI or ISO 27001.
"We had a big customer say to us if you guys don't follow this compliance, sorry we can't do business with you," Content Security's Abdilla said.
"You've got to follow the compliance; because I believe state government like New South Wales' police and transport - they've all started to do 27001. It's going to go down. It's going to be pushed down to all the other bodies, probably down to local area councils as well."
Case for managed security services
It's not just tough for smaller entities, but for the bigger players too. The biggest retail hack in US history, the 2013 Thanksgiving hack of Target's servers, in which malware stole credit card data from all 1797 of Target's stores, saw the CIO fired and the company's share price suffer.