CIO
The Enemy Without
Sue Bushell 10 August, 2001 09:00:00

Andrew Waterhouse, principal security consultant with Pacific Research, says the principal threats to the organisations the company works with in its security consulting role are, in rough order of importance:

  • e-mail borne viruses (the absolute number one, according to Waterhouse)
  • viruses introduced by other media
  • Web site hacking vulnerabilities
  • employee fraud and malicious acts due to disaffection

"While there have been stories in the US media about rival organisations hacking each other, we have not seen any actual evidence of this in our work, and suspect it is overrated as a threat," Waterhouse says. "Most, if not all, large organisations understand which assets are competitor-sensitive and take suitable precautions to protect the privacy of such information."

Waterhouse believes leakage of confidential information is much more likely to be of the low-tech variety. "The only way to close off that threat would be to close all bars and golf courses," he says.

That makes the issue not so much how you protect yourself in a technical sense but a behavioural question, says Defence Department head, IS division Patrick Hannan. He says the Defence Department must protect itself not only from competitors in the form of foreign governments but also "people with significant commercial interests, lobby groups and loonies".

"The real problem," Hannan says, "is how do you actually inculcate into a large organisation the knowledge that there really are risks associated with the rip-off of intellectual property, understanding of other people's marketing opportunities, even pricing tendered?"

To protect itself from such threats, the Department builds security into its architectures, the communications layer and the desktop. "That doesn't mean that security isn't a problem because it's all based on people and behaviours. But we have had a long history of security. Those things are evolving, both in terms of our understanding of some of the threats and our investment in responding," Hannan says.

However, in the corporate world the extent of the threat is far less easy to identify, and action in some ways tougher to take.

Like Waterhouse, Peter Sandilands, regional manager, Australia and New Zealand, of Internet security specialists CheckPoint, tends to view claims of a growing security threat from competitors software technologies with scepticism.

Sandilands agrees that very large public organisations may well be facing an increasing level of industrial espionage. For the rest, he says, the threat of direct industrial espionage is far less significant than that posed by disgruntled about-to-become former employees taking the customer lists with them.

On the other hand, he concedes that where hacking attempts motivated by industrial espionage do take place, they are likely to be done by the "seriously good guys" and will by and large go undiscovered. He contrasts this with other hacking efforts, including vandalism and denial of service, which are meant to be obvious.

"The really significant issue with industrial espionage is in general it is not going to be detected. [With industrial espionage] you are not going to use an amateur, you are going to use a professional," he says.

"You should be taking steps to make sure you can detect intrusion as part of any security policy," Sandilands advises. "It comes down to a risk assessment thing. This is all about business issues, not technology. If you believe that you are at a high risk of industrial espionage, then obviously you need to do more to monitor what's happening. If you are at a low risk of industrial espionage, you don't need to worry that much. It really comes down to the policy that is defined."

However, eSec's general manager of security services, Andrew Tune, says Australian organisations are spending a fraction of what their American counterparts are spending on security. And he warns their lack of action may stem from a false sense of complacency. "Being in Australia may protect you from the American gun problem or American drug problem, but the Internet doesn't really respect borders. I think people who are putting together security budgets in Australia are doing so with a substantial false sense of security."

Tune says while it is absolutely true that competitive attacks are increasing, so are attacks from hackers and serious compromise from inside the organisation. In 1999, the Australian Computer Emergency Response Team, AusCERT, reported 8100 or so compromises. Last year the figure went up to 21,000. "Saying that more attacks are from competitors contains virtually no information. Attacks of all kinds are increasing and doing so at a dramatic rate, and corporate Australia is really woefully unprepared," Tune says.

Glenn Miller, MD of Sydney-based B2B distributor of IT security and communications software Janteknology, agrees the general state of Australian IT security is pathetically inadequate, largely due to a mixture of apathy, complacency and "culpable ignorance". He says the situation is perplexing in view of irrefutable evidence of the high risks.

"Generally, Australians have tended to adopt a laid-back approach to security, which may come from the historical perspective of our geographical isolation - we are too far away for anyone to bother. Clearly, in today's Internet environment, however, there is no such thing as geographical isolation," Miller says.

"Australian senior management also still persists with the view that 'computer security' is an IT problem. This is at best a dangerous view because the reality is that information security is a very real organisation-wide security problem. For the majority of businesses today, IT systems are the heart of the business operation."

Miller claims to have taken a number of calls in a single fortnight from large local corporates in the financial, manufacturing and accounting sectors believing they had a "technical problem". Investigation subsequently showed they had, in fact, been the victims of hacking attacks.

"The worry here is that they did not even think it might be an attack, let alone act accordingly. In some cases they did not even know where to start the process. In most of these cases, the solutions were, however, relatively simple. We managed to save tens of millions of dollars for one customer, but in every case the organisation suffered significant financial loss from these attacks. While no one necessarily expects an IT manager to be a security expert, lacking a basic working knowledge [of security measures] really is culpable," he says.

While it might be easy for corporate Australia to dismiss claims from computer security vendors that they are under-investing as merely promoting their own vested interests, the costs of getting it wrong could well be incalculable and devastating.
