NewsBite

Companies ‘failing to grasp data security risk’

COMPANIES are aware of the need to increase data security, but very few take perceived threats seriously.

John Kendall, International Data Security Expert.

Australian companies are aware of the need to increase security around employee and company data, but very few take perceived threats seriously, say information technology experts.

International data security expert John Kendall, who has worked for Unisys for more than 32 years, says while companies are often aware of threats posed by hackers, malicious staff members and even employees who make mistakes, very few take steps to ensure their systems are safe enough.

“They’re very much aware because it’s right in their face but at the same time if you look at who’s doing something about it, the percentage is very small,” says Kendall, who is the security program director for the Asia Pacific.

Unisys last year surveyed 599 critical infrastructure providers, including 49 from Australia and New Zealand, and 86 per cent of those in the Asia Pacific reported a security breach which had led to the loss of confidential information or the disruption of operations in the previous 12 months.

Half of those breaches were attributed to an internal accident or mistake, and 21 per cent were from negligent insiders. Almost half were the result of insecure networks and a third were caused by unmanaged mobile devices or social media breaches.

Alarmingly, only six per cent of those companies had provided cyber security training for their staff.

Kendall is staggered that so few companies provide training on the importance of data security.

“No wonder (companies are) having a high percentage of security breaches, not a lot is being done,” he says.

Data security and confidential employee information, whether it be salary details or personal reports, have been cast in the spotlight over the past 12 months with significant international hackings, including a major breach at Sony in December.

The federal government in January announced it would review its cyber-security strategy for the first time in six years, including considering legislative changes to match the global surge in cyber crime.

More than 500 cyber crimes are being referred every week to a new government reporting network, and more than 3000 have been under investigation since December. Most of these are related to fraud.

Privacy hawk John Stewart, who is the chief security officer of US-based Cisco Systems, is on the panel reviewing the nation’s cyber strategy and late last month said law reform would be necessary following the review.

He said there was a tension under the current legislative framework between consumer protection laws obliging businesses not to share information, and national security requirements that may require information sharing between business and government.

“It creates a conflict in terms of what business operations look like, versus what government operations want,” Stewart said.

The announcement of the cyber crime review came after North Korea was blamed for hacking into Sony’s computer network, accessing the personal details of 50,000 staff. In the US there have been security breaches at major retailers including Target, Home Depot and ice cream giant Dairy Queen.

Kendall knows cyber crime is widespread, perpetrated by hacktivists, disgruntled employees or careless staff sharing confidential company information on social media or via emails.

“People need to guard against home error, and they need to guard against malicious actions and protect against them,” he says.

The threat is becoming more significant, he says, which can also be attributed to the rise in portable devices and access to business networks through widespread wifi connections.

“People at home use their devices for internet banking and messaging, you’re bringing them from work to home,” he says. “It’s important for companies to protect that information on that device that belongs to your company.”

While Kendall says a 2011 Unisys study found 85 per cent of Australians would stop dealing with a company if they were aware their personal information had been accessed by an unauthorised person, and 47 per cent would consider taking legal action, Australian companies are reluctant to pay for tighter security.

“It’s like selling insurance, nobody wants to pay the premium.”

He recommends a five-pronged attack to tighten data access and security, including taking a holistic approach to system access and not just using firewalls or passwords – instead using fingerprint recognition and other tools.

Kendall says companies need to take internal threats more seriously, and ensure not everyone has access to data. That includes monitoring who is accessing information they should not, and whether it is occurring after hours.

He also recommends data encryption, and implementing strong security policies to guard against internal and external threats.

Data analytics market leader Quantium’s director Adam Driussi says with the rise of the internet and improving information technology systems, data is exploding.

“By 2020 they’re expecting the amount of data in the world to grow ninefold ... all of that is happening because of the internet,” Driussi says.

Data is being tracked and traced, and hundreds of companies are unaware of who actually has access to it.

Companies are also looking for additional staff to keep their information safe, as it is no longer the responsibility of HR professionals and IT managers. Specialists are being increasingly recruited to ensure systems are safe.

Simon Green, chief operating officer of privately owned IT services and data centre business Interactive, says companies also need to be aware of how they are storing their data, and who may have access to it.

“Five years ago storage was small in organisations because there was only information being stored around applications,” Green says.

“We had information stored centrally or in remote offices and then we had laptops. Then there was this proliferation of mobile technology and the ease and flow of our information could come in and out of organisations.”

Green says companies need to question what levels of security they put in place, whether it be firewalls or biometrics.

He says more companies are spending to upgrade controls as security issues escalate.

In protecting other companies’ data, Green says Interactive runs a 24-hour data centre with card security, as well as thumb print recognition. This ensures only the right staff have access to the right areas, given that internal threats from disgruntled staff can often be more dangerous than hackers. The company also has back-up power and redundancy links to ensure systems run at all times.

There are also risks associated with how staff use external devices, such as drop boxes and USB sticks, when sharing data.

“Cyber security is critically important, it relates to brand risk, financial risk. It can affect everybody, whether it happens at a small company or a big company,” he says.

“It’s human resource data, customer data – if someone has my credit card information, if you’re a five-person business, are they taking responsibility on behalf of you?”

Green says companies now keep their data on devices and no longer in filing cabinets, and many fail to recognise how secure it needs to be. Even if they store it on the cloud, he says, they are most likely unaware of who can access their information.

And those who store data on international servers can also be at risk, because governments in those countries can often access that information.

“It’s important to know who has access to the information in your organisation, what your security settings are, and have clear policies and guidelines about what you can and can’t do with corporate information,” he says.

Interactive’s Ten Commandments of Cloud Computing

1. Is your data managed on-shore?

Hosting and managing data in Australia provides businesses access to a local customer service centre with real people offering 24/7 support.

2. Is your data protected?

If your data is hosted in another country, their governments could view it at any time. Storing data in Australian-hosted exchanges ensures it is protected by Australian privacy laws.

3. Do you know your provider?

Does your provider have a reputation for innovation in technology? Are they unique?

4. Does your provider know you?

Having a dedicated account executive that knows your business inside and out is essential to successful data management and can develop personalised business solutions.

5. Are you paying for more than you need?

By using a service that is consumption based you pay by the mailbox (which should include Microsoft licensing), there is no capex spend and accounts can be added or removed as your business expands and contracts.

6. Are you offered migration support?

Choosing a Hosted Exchange provider that also manages the migration of data takes the stress out of transitioning to a new platform and ensures no downtime for staff or business.

7. Has your provider invested in enterprise?

Cloud-based technology providers are required to meet strict enterprise design criteria and only use authorised Microsoft, IBM, Cisco and NetApp software and hardware.

8. Is your Hosted Exchange secure and resilient?

Has your provider invested in SAI Global certifications and is your exchange system 99.95 per cent resilient? Your Hosted Exchange requires redundancy at every level with automated failover, enterprise class firewalls and state-of-the-art anti-virus protection.

9. Does your provider empower you?

Hosted Exchange is meant to simplify the complexities of cloud computing, including accessing and managing the administration of your platform.

10. Have you planned for the future?

Your provider should be in regular contact relating to technology advancement, changes in innovation and market trends, and how your business may benefit from these.

Original URL: https://www.theaustralian.com.au/business/companies/companies-failing-to-grasp-data-security-risk/news-story/c83bc4060655645cf1cf79add3d26cae