Published on 20/06/2013 | Written by Newsdesk
While only one in ten of the Global 2000 enterprises employs vulnerability testing, the practice is almost non-existent in Australia…
Vulnerability testing is increasingly being seen as a tool to alert senior managers of global businesses to the full extent of security risks facing their organisations. According to the chief security officer of Websense, Jason Clark, who is currently in Australia, subjecting employees – including company CEOs – to fake spear phishing attempts alerts staff to the risks of thoughtless internet use.
“A very high percentage of CEOs click (on the phishing bait) the first time. But we can get it from 90 percent to 8 percent, because you’ve made it personal. They understand what spear phishing is,” he said.
Clark said that the technique was starting to be adopted internationally with about 10 percent of the Global 2000 businesses now using vulnerability testing.
He said that although many organisations invested in conventional security technology such as firewalls, and achieving security compliance with industry standards, “people are your biggest vulnerability”.
Australian businesses are, however, behind the eight ball, according to Alastair MacGibbon, a director of the Centre for Internet Safety at the University of Canberra and CEO of CREST Australia, an organisation which certifies legitimate “white-hat” hackers. He said vulnerability testing was rarely seen in Australia, even though “changing user behaviour is one of the big issues” in achieving more comprehensive organisational security.
MacGibbon and Clark, speaking at a security roundtable in Sydney this week, said that there needed to be more board-level engagement with security issues. At present, they said, too many companies saw security as something which could be dealt with by ticking a compliance box.
MacGibbon said that in the minds of most CEOs computer security was something akin to global warming – they knew it existed, but weren’t sure how to deal with it or how devastating it might prove.
Clark said that the extent of the cyber security threat to business continuity was such that chief security officers needed to demand quarterly, even monthly, meetings with CEOs to discuss the rapidly evolving threat landscape. The anticipated arrival of mandatory breach disclosure in Australia (legislation is currently before the Senate) was an important step toward encouraging more senior executive and board-level attention, according to MacGibbon.
However, he suggested that real progress might not be achieved before CEOs faced a “combination of litigation, the law and boards saying ‘this (issue) rolls up to us’.”