Computer Crime Research Center


Crusty security no protection at all

Date: November 16, 2004
Source: The Age
By: Adam Turner

Internal fraud is the most underestimated security threat to Australian organisations, warns a former federal computer crime investigator.

The duties of those with access to financial systems must be better segregated to prevent them abusing access rights and their knowledge of the organisation, says Neil Campbell, Dimension Data national security practice manager, and former member of the Australian Federal Police computer crime team.

Fear of external electronic attack is leading organisations to neglect internal security, Campbell says.

Organisations tend to focus on outside attacks against their perimeters, he says, and fail to safeguard from within. "Their network might have a crunchy shell but it's soft inside. Now you have business partners and customers coming into the network, so you have to take a layered approach to security."

Risk management is more important for dealing with internal and external security than purely technological measures, Campbell told executive teams around the country over the past two weeks as part of a security roadshow involving Dimension Data, Cisco and Microsoft.

"Risk management involves identifying assets that are critical to the business, identifying the threats to those assets, the likelihood of the threats being realised and the impact of that," Campbell says.

"Through that you determine a threat matrix and then how best to mitigate the risks. It could be that you implement some technology or it could be that you change a process."

A healthy security culture begins at the executive level and must come from the top down in the form of risk management, rather than disaster response, says Campbell. Instead of aiming to eliminate "security incidents", organisations should aim to handle them better.

"The one thing I've seen that's make or break about security culture is whether the executive team buys into it," he says. "If they say security is something for other people to worry about, then that attitude permeates through the whole business.

"A reactive approach leads you to spend a lot of money after the incident and the chances are you'll overspend because you're in a reactive mode."
