The government-run CERT Australia (not to be confused with the volunteer AusCERT organisation) has released its 2013 Cyber Crime and Security Survey Report, quizzing 135 partner businesses on their security approach and measures.
The respondents in the survey represent a large variety of businesses, with more than half providing contract services to the Government. Assuming the responses are truthful and accurately recorded, the survey is a handy tool to understand their security approach.
Mostly, the survey paints a positive picture. There is greater awareness of IT security issues, with more organisations applying security standards and frameworks than in previous years, more encryption being deployed, and more certified security staff on the books.
But there are also some interesting areas of disconnect in the report.
The two top categories of “cyber actors” that keep security officers awake at night are identified as “issues motivated groups or hacktivists” by 59 percent of respondents, and "organised criminal syndicates" by 54 percent.
Given how much attention the two have received in the media over the years, where they are portrayed as the convenient bogeymen, this comes as no surprise.
But while hacktivists and criminal syndicates top the list of feared actors, the breakdown of apparent motives behind actual security incidents tells a different story: the motive cited by over 90 percent of respondents was labelled "a competitor seeking commercial advantage".
The picture looks skewed when you consider that this motive is followed, in order, by malicious damage, personal grievance and use of the compromised system to launch further attacks.
"Competitors seek commercial advantage through intellectual property theft," according to the CERT Australia survey, which labels the activity “cybercrime”.
Unfortunately, the survey doesn't delve any further into who the IP-thieving competitors of Aussie businesses actually are.
Are they local companies or overseas rivals? The dreaded Chinese hackers or our friends from across the Pacific?
Either way, it’s one area of digital miscreancy that we hear very little about when it comes to security incident tales. How many such competitors were caught and faced the music last year for cybercrimes?
It also suggests that, while real, the hacktivist threat is exaggerated, and that businesses and other organisations need to focus their security efforts elsewhere.
Curious too, and possibly a result of those competitors' activities, is a low willingness to report security incidents, which indicates there is still plenty to do to boost information sharing.
CERT Australia notes that only one in three respondents reported incidents to the response team, a regulator or the police.
The remainder split into 57 percent who didn't report incidents at all and nine percent who didn't know whether any had been reported. The reasons given were that there was no point, that the incident was too minor to bother with, or that it had been dealt with internally.
The share of respondents not reporting is up 13 percent on last year. Unfortunately the survey doesn't explain why the number has increased; could it be a lack of trust in the wake of the Snowden revelations?
Finally, to the 13 percent of respondents in the CERT Australia survey who still use Windows XP and have no plans to migrate to something safer, along with the eight percent who answered “don’t know” when asked if their organisations were planning to move away from the old OS, well... good luck.
CERT Australia uses the rather meek "of concern" to describe the lack of care in keeping a basic IT tool such as an organisation's operating system up to date and secure, when words such as irresponsible and incompetent would be more accurate.
One thing's for sure, the Australian Government shouldn't do business with them until they upgrade.