Business will have to find a solution to poor IT security standards within Australian companies because government regulation will not be effective.
According to the National Office for the Information Economy (NOIE), business imperatives will drive security awareness within Australian business, particularly insurance and liability issues and stock exchange regulations.
Speaking at a recent Symantec security roundtable, NOIE regulatory and access general manager Tom Dale said the business community can provide the best outcome for raising security awareness among local companies. Dale said companies are still not fully prepared for security attacks as too much emphasis is placed on finding a technology-based solution when the focus should really be policy driven.
"Eventually the guidance for those firms will come from places like insurance companies or areas where there is concern about liability and standards," he said.
Paul Orton, policy manager for business lobby group Australian Business Limited, said companies are poor at risk management.
"I'm not just referring to the IT area here, but the whole gamut of regulatory and compliance risk management.
"Some firms lack the capacity to make judgements about what the level of risk is and the appropriate response," Orton said.
Referring to a recent Forrester Research report (Computerworld November 13, p1) which claimed companies will waste billions of dollars purchasing the wrong security products, IT Audit and Consulting CEO Stephen James said a lot of investment is reactive because of lack of policy.
Apart from the necessary technology, James said, all companies should have an incident response plan.
"Technology is not the primary issue when it comes to security; it's just a tool; I think a lot of CIOs are unaware of the real impact that a breach might have, which is why they are not always prepared," he said.
"Most Australian organisations have some sort of preliminary defence like a firewall, but when you're inside the organisation the same controls are not there.
"So, companies should be really assessing internal controls."
Symantec's senior group market development manager Michael Allcorn said investing in company security is 80 per cent planning and 20 per cent building, but most companies do this in reverse.