For all their experience, training and preparation, the extent of the malfeasance of today's hackers continues to catch business and IT executives off guard with alarming regularity. Yet despite conventional wisdom that organisations can't just spend their way to better security, it appears companies in Australia are trying to do just that.
Recent market share figures from Gartner found Australia's IT security market was worth $A1.9bn in 2013, up 12.2% over the previous year. That's the fastest growth rate in the world, compared with an 8.7% increase in IT security spending worldwide.
Whatever the spend, the hacks keep on coming. In February, the country's Department of Immigration and Citizenship went into damage control mode after a file containing confidential details of more than 10,000 asylum seekers was posted on a publicly accessible website.
Such high-profile examples of data compromise are becoming ever more common in Australia. They will become more problematic as the country this month sees the introduction of strict new privacy laws that threaten penalties of up to $A1.7m for breaches.
Vendors have responded. In 2013 alone, the likes of Palo Alto Networks, Dell SecureWorks, Mimecast and Eset opened new Australian offices to tap into the exploding market. Rapidly growing cloud security startup CipherCloud found demand in Australia was so strong that it fast-tracked the opening of its office in what has become its fastest-growing market.
PwC's Global State of Information Security 2014 report corroborates the trend. On the back of a 25% year-on-year increase in detected security incidents, the survey found that security budgets in the region averaged $A4.8m in 2013 -- a 51% gain over 2012.
Australia's security gold rush is on. Yet with such a spending increase comes the logical next question: is this increase due to proactivity on the part of Australian CEOs and CIOs -- or is it because the ongoing flood of high-profile data breaches has reminded them just how far behind they are when it comes to security spending?
Graham Ingram, general manager of cyber crime response organisation Australian Computer Emergency Response Team (AusCERT), believes every new notch in hackers' belts is adding that little bit more incentive for Australian executives to speed up their investments.
"There are a few things lurking out there that are hiding in the minds of CSOs and CIOs," he says. "These are where you can come undone. Some of the high-profile credentials being posted -- LinkedIn, Adobe and more -- are making people very nervous. CEOs are saying, 'If we get done, let's make sure we can at least say we had adequate security'."
That's a fatalistic perspective from a group that's supposed to be more about leadership than quiet inevitability. But it also reflects the growing reality among the security community, which generally holds that most companies have already been hacked -- even if they don't know it yet.
Ty Miller, a long-time security expert who runs Australian penetration testing and security consultancy Threat Intelligence, believes the growing string of high-profile breaches is "really hitting home" for Australian companies as they watch hackers get arrested and competitors dealing with cyber crime incursions.
"Organisations are starting to realise that they're fighting a losing battle with security," says Miller. "They've been using a traditional vulnerability-based risk management framework and focusing on patching to prevent vulnerabilities. Now they're struggling to keep up with that and finding that all this patching isn't really accomplishing much."
The natural response, Miller says, may be what accounts for some of the uptick in security spending across Australia. "There is a big investment at the moment, in that we actually have to get our systems up to scratch and retrain our security staff in this intelligence-based security model," he says.
Peter Major, senior manager of ICT security with the government of the Australian Capital Territory (ACT), knows the implications of this shift all too well. As a security specialist whose purview includes ensuring the security of ICT services delivery across the capital city's judiciary, executive, legislature and local council services, Major says ongoing security threats are "something we have to think about and be on top of".
With more than 200 externally hosted websites, 300 internal websites and 30,000 endpoints -- not including 70,000 students at the vocational Canberra Institute of Technology -- Major has given up on the idea of building a boundary to protect an internal network that's not even really internal any more.
"Vulnerabilities are being discovered at an ever-increasing rate," he says. "As security pundits we are fighting an endless battle against a well-armed enemy. It's a costly battle, and one that we are not winning."
This drives CSO mission statements, he says: "Coupled with the government's move, in bits and pieces, to the cloud or to outsource to partners -- and its search for efficiencies and large cost savings in delivering service -- I have to deliver low-cost, effective security solutions."
All this must happen under the umbrella of the updated Privacy Act -- which, Major admits, scares him. Encryption is his answer to the challenge, with an ongoing initiative looking at ways to encrypt data at-rest across the ACT government's various ICT systems. Different applications can use different encryption keys, further limiting exposure to potential breaches.
"My Nirvana is to have one copy of an application that presents accurate and timely information to a predefined number of customer sets," says Major, "and to present a single interface with appropriate data sets being based off appropriate authentication. Encryption is the be all and end all of everything -- if the network is compromised, all they're going to do is get a look at nothing."
This perspective reflects a growing trend, as the focus of IT security efforts moves from intrusion prevention to damage minimisation. In Australia, as elsewhere, much of this effort revolves around the inexorable rise of mobile devices. Recent figures from the Organisation for Economic Co-operation and Development show that Australia's 23 million people had 25.94 million mobile broadband subscriptions, delivering a 114% penetration rate -- the highest in the world.
The sheer volume of that threat is hitting hard in Australia, where the security pressures of increasingly popular bring your own device (BYOD) programs are putting CEOs under greater pressure to placate employees and CSOs under greater pressure to placate CEOs.
"The dominance of mobile and smart devices is now starting to show in some of the security implications of those devices as well," says Ingram. "I don't think we've got a lot of systems in place to deal with this other world. We've got incident response and reporting and so on, but they're really built around systems and networks. They're not necessarily about smart devices.
"So, there's a big catchup ahead. We're always catching up on security; that's the nature of it."
Look beyond ROI
The quest for those solutions, however, is still exposing a hard truth in Australia. And that truth is simple -- many Australian companies are still approaching security as an investment that requires adequate return on investment (ROI) before expenditure can be approved, as preventive expenditure simply is not being prioritised.
PwC's survey reinforced this idea, with 42.6% of respondents citing economic conditions as the most important issue driving their company's information security spending. But when asked how significant an obstacle their executives were, 25.1% of Asia-Pacific respondents said their CEO, president, board or equivalent was a major obstacle, 18.3% blamed their CIO, and 19.2% blamed their CSO or equivalent.
This, then, is Australia's position coming into a period that is, like every year these days, expected to see the most intense barrage of cyber security attacks ever. Funding is more available in the Asia-Pacific region than the rest of the world, yet executives continue to be less willing to spend it in Australia and other countries.
It's an attitude that has to change over time, but Miller believes Australian companies are finally beginning to overcome security inertia to get their acts together. "It takes probably a decade for a major shift like this to happen," he says.
About the author
David Braue is an award-winning IT journalist based in Melbourne, Australia. He has covered security and other enterprise technologies since 1995.