Report security breaches, Niser urges
13th April 2004 (The Star)
By EDWIN YAPP

PETALING JAYA: Malaysian companies are reluctant to report breaches and incidents involving their information systems to the relevant authorities, according to the National ICT Security and Emergency Response Centre (Niser).

Cyberthreats that go unreported include virus attacks, spam, system abuse by employees, and denial-of-service (DoS) attacks.

Niser director Lt Col Husin Jazri said that according to a 2001/2002 ICT security survey the centre conducted, 84% of respondents said they would not report security breaches to relevant agencies such as the police, insurance companies, Internet service providers (ISPs) or security bodies like Niser.

"This trend unfortunately has not changed since 2002," he told delegates in his address at the Cisco Security Summit here yesterday.

The summit brought together multinational security specialists, including those from Cisco Systems Inc, to discuss various industry issues.

While acknowledging the need for companies to keep their security breach reports confidential, Husin said they did not need to give away comprehensive details of the breaches encountered.

"The information could be released in a 'sanitised way.' We only need to use select information to formulate policies and strategies to combat security threats," he said.

He said the hesitation to report security breaches was alarming because in order to curb cyberthreats, companies would need to work together with the relevant authorities.

"They should consider the 'big picture' perspective of how these security threats affect the country and other companies, and not just analyse them from a 'micro perspective' or how the threats disrupted their own companies.

"If these companies do not report the threats and incidents they have faced, agencies like Niser and the police would not be able to build a 'macro view' of things and this would make it much harder to combat cyberthreats," he said.

Encouraging cooperation

Husin also said there needed to be greater cooperation between the public and private sectors, and communities, in fighting cyberthreats.

He said the borderless nature of the Internet and the threats associated with it required a cooperative model instead of a bureaucratic model.

"Niser advocates the creation of a formal and a semi-formal platform for information exchange and cooperation to deal with cybersecurity issues.

"In today's world, security breaches spread at an exponential rate. Speed is of the essence and a well-organised forum to exchange information would help those under threat to deal with them," he said.

Husin also said more companies needed to develop a close relationship with international communities to help them battle security threats.

"A closed door policy would be ineffective," he said.

Husin said good cooperation also involved increasing the awareness of security amongst the public and private sectors, and the strict adherence to international security standards.