
7 November 2001


Kuala Lumpur - The National ICT Security and Emergency Response Center today announced the result of its first NISER ICT Security Survey.

In April 2001, the "NISER ICT Security Survey for Malaysia 2000/2001" was conducted, covering 205 organisations in Malaysia from the government, finance, retail, manufacturing, services and telecommunication sectors. The aim of this first survey was to gauge the level of security awareness among organisations. The survey also sought to obtain the following information:

  • Types of computer security problems encountered by corporations in Malaysia.
  • The measures taken to overcome security breaches.
  • The future plans of corporations to address computer security issues.

Highlights of the NISER ICT Security Survey for Malaysia 2000/2001 concerning security breaches and trends include:

    Sixty-eight percent of all respondents reported experiencing a computer security breach in the year 2000.

    Forty-seven percent experienced a virus attack. One hundred thirteen of the respondents were able to quantify their loss due to virus attacks, worth RM 239,000.00.

    One hundred thirteen of the respondents were able to quantify the loss due to computer theft, at about RM298,000.

    Thirty-three percent of the respondents cited employee abuse, in the form of inappropriate use of the e-mail system and downloading of pornography and pirated software, as another source of breach. 113 of the respondents were able to quantify the total loss due to employee abuse, at about RM 26,000.

    Only 27% of the 108 respondents who experienced security breaches made the effort to report them to third parties or authorities.

The imminent trend of Malaysian organisations towards adoption of e-commerce will see a higher crime rate in this area. In the year 2000, we also saw incidents in which fake websites of established organizations were used to spread malicious code. Once the end user's PC is infected with the malicious code, the password of the Internet account is sent out to the perpetrator.

The survey highlights other forms of security measures applied by organizations, which include:

    Ninety-two percent of respondents have had a computer security system in place since 2000.

    One hundred of the respondents were able to quantify the expenditure on the ICT security measures within the organization, amounting to an average of RM 120,000.00.

    Only 59% of 189 respondents attribute their security measures to anti-virus solutions and 47% to firewall solutions.

Despite the availability of Public Key Infrastructure (PKI) and the Malaysian government's law that governs it, the utilization of this infrastructure is notably the lowest in both the public/finance (8%) and private (5%) sectors.

The average amount is relatively small compared with the overall IT spending of RM7.6 billion recorded in 2000 (Source: The Star, May 8 2001). Many are unable to quantify the loss resulting from incidents in terms of lost business opportunity, organization image and reputation, and resources spent on rectification and recovery of business operations.

Nevertheless, the above defense system is relatively preliminary. With the emergence of more sophisticated viruses and Denial of Service attacks, a stronger security system, such as the use of firewalls and multi-layer security systems, is deemed necessary for greater protection. Anti-virus is a must for every computer system and no longer a luxury.

Hence, there is a need to further educate Malaysian organisations not to underestimate the severity of security breaches. It is also important to provide assistance to organisations in the event of a computer security breach, for instance regarding the possible reporting authority. The purpose of reporting would be to obtain assistance from organizations specializing in computer security in order to speed up rectification and recovery procedures.

The practice of having third-party security audits or certification is still relatively uncommon. Organisations need to show their commitment towards security and to have a sound process for validating their security implementation. This indirectly reassures consumers about the safety of conducting transactions with the organizations and further establishes a trust relationship with consumers.

With vulnerable operating systems and applications available in abundance off the shelf and off the Internet in their default setup, the networks of Malaysian organizations are currently highly vulnerable. Malaysian organizations will need to take a closer look at their business requirements and the possibility of a business strategy overhaul if they strive to exist in online business in the next few years.

Last Update Nov 07, 2001