Australian IT professionals are overwhelmingly supportive of penalties for company data breaches, according to a new survey from security firm Websense.
The survey of 100 Australian security professionals found that 98 per cent of respondents believed that the law should address serious data breaches that expose consumers to data loss.
Of those, 59 per cent said fines were an appropriate way to enforce the law, while 65 per cent believed mandatory disclosure legislation should be implemented in Australia.
Of those surveyed, 60 per cent said there should be some form of compensation for consumers affected by data breaches, and 23 per cent advocated arrest and a jail sentence for the CEO or board members.
Websense engineering manager A/NZ, Bradley Anstis, said the results reflect the frustration many IT managers experience when attempting to impress the importance of IT security on senior management.
“Security professionals are seeing mandatory disclosure as a way of opening the boardroom door,” he said.
“They feel it will get them a seat at the table because the board will want to discuss this and the impact for the organisation.”
Of the respondents, 38 per cent felt that companies not taking action against data loss and theft have it as an agenda item, but not yet as a high enough priority.
Close to half (41 per cent) say the CEO should hold ultimate responsibility should a breach occur.
The shift to the Internet of Things (IoT) has IT managers concerned: 72 per cent believe the advent of IoT will make companies even more vulnerable to data theft.
It seems that getting that quick answer back when the boss calls still trumps security concerns. Nearly three-quarters (64 per cent) of respondents said employees would connect to unsecured Wi-Fi to respond to an urgent request by the CEO or a company executive, with even 42 per cent of security professionals saying they would do so themselves.
As much as data theft disclosures make good fodder for security companies and journalists alike, they appear to be inadvertently helping companies address the issues, with 62 per cent of security professionals reporting that publicity has helped other companies create a case for budget, focus and resources.
However, 24 per cent said headlines have hindered this, as they make companies feel powerless to protect against these attacks.
Anstis said, “As an industry, we need to be talking about security in language that board members can understand. That means talking about a company’s risks and the costs of mitigating those.
“These discussions must take place in a way that they can be as effective as possible without laying blame.”