Security challenge to assess Aussie awareness

The information security levels of Australia's public and private sectors will go under the microscope next year as a result of a National Challenge launched in Sydney today.

Backed by the Federal Government's National Office for the Information Economy (NOIE) and the Attorney-General's Department (AGD), information security specialist Symantec has launched the 2003 information security awareness challenge to test information security awareness levels and provide industry and government alike with measurements of their relative strengths and weaknesses.

NOIE and the AGD see the Challenge as an "important first step" towards measuring the threats and vulnerabilities posed by the "human factor" on the security of the National Information Infrastructure (NII). The NII is the national network within and over which information is stored, processed and transported, and comprises the electronic systems that underpin critical services such as telecommunications, transport and distribution, energy and utilities, and banking and finance sectors.

The Challenge is the idea of Melbourne-based workplace education firm Edusec. Simon Hewitt, CEO, Edusec, said the heads of organisations that take up the Challenge may find the results "sobering" as they learn how many of their employees lack awareness and knowledge about computer security policy and procedures, and may be unwittingly careless or complacent. Mr Hewitt said that preliminary tests involving people from a dozen organisations showed that most people answered fewer than half the questions correctly.

The reality for a majority of staff outside IT departments was that information security was not seen as their problem, Mr Hewitt said, adding that few employees read the "usual thick guidelines dossier if even they existed".

Some of the most common flaws found included: computers left on without password protection while their users were absent from their desks; senior managers, including directors, who gave passwords to more junior assistants; a complete lack of knowledge about what to do when a virus hits; a willingness to provide information to persons who had no right to that information; and an inability to continue key business processes in the event of a disaster.

Scheduled to run for one week, from March 3 to March 7, 2003, the information security awareness challenge will comprise multiple choice questions about issues such as document storage and classification, correct use of passwords, virus protection and containment, disaster recovery and business continuity, and compliance with privacy legislation. To participate, organisations must register at a cost of about $6 per user. Prizes will be awarded to entrants who submit the most correct answers in the shortest time.

In addition, the information gathered will be aggregated and returned to participating organisations so that they can benchmark their relative strengths and weaknesses. Symantec assures that personal privacy will be maintained, as the results in this report are grouped by the location and business role of participants collectively, not linked to any individual.

First prize is a Ford Focus car and second prize is $10,000 cash. The next three prizes are a Sony home entertainment system, a three-day "luxury" holiday, and a Sony laptop computer, respectively.

John Donovan, managing director, Symantec Australia and New Zealand, said "The number, complexity and severity of Internet security threats continue to increase and protection against such threats is not just an IT issue. Every organisation or individual who is connected to the Internet could be unwitting participants in malicious cyber acts simply by not understanding and implementing the appropriate security requirements."

Recently the Attorney-General, Daryl Williams, and the Minister for Communications, Information Technology and the Arts announced the formation of a Trusted Information Sharing Network to protect the NII. The new network is aimed at allowing the owners and operators of critical infrastructure to share information on important issues, including business continuity, consequence management, information system attacks and vulnerabilities, and e-crime, to help protect them from mishaps and malice.