According to official figures from the Organisation for Economic Cooperation and Development (OECD), e-commerce - business done solely over the internet - will be worth $300 billion by 2001 and three times that figure just two years later. E-commerce and the internet are rapidly changing the way we all live our lives and do business. The global marketplace is creating new challenges - not least, those relating to risk and security management.
It is very difficult to accurately measure the scale of the problem of e-commerce and internet security. There are many different forms of external and internal attack. These include disruption to services, computer fraud, cybercrime, security breaches, viruses, denial of service attacks and internet credit card fraud, besides simple operator errors and system failures. Recent reports suggest that potential losses are huge.
- 60% of organisations reported having suffered a security breach in the last two years;
- over 30% of respondents did not recognise that their business information is either sensitive or critical, and therefore a business asset;
- of those organisations that have critical or sensitive information, 43% had suffered an “extremely serious” or “very serious” breach, and a further 20% had suffered a “moderately serious” breach in the last two years;
- nearly three-quarters of organisations that suffered a breach they regarded to be “serious” had no contingency plan in place to deal with it;
- very few organisations were able to assess the true business implications of the security breaches they had suffered – but those that were indicated that the cost of a single breach was in excess of £100,000;
- more than half the organisations which have suffered a breach that they consider being their “most serious” do not believe that there is anything they could have done to prevent the breaches they have suffered;
- one in three businesses are already buying or selling over the internet, or intend to start in the near future.
The pressure is mounting for all organisations to recognise the problems and implement good practice to provide at least some measure of protection from such risks. The case for risk and security improvements in the area of e-commerce and the internet is clear; the threat is there for all to see. However, crimes committed by external hackers are not the only danger. It is estimated that organisations face 20% of threats to their computer systems from outside the organisation and 80% from internal sources. Security must be integral to a company's operations.
Internal hackers may be far more invidious than external threats. While firewalls, encryption, digital signatures and other forms of security protection can be used against external hackers trying to break into your system, an insider can render these or any other normal security system useless. Insiders have far greater opportunities to commit crimes without detection, access confidential information and trade secrets to sell to competitors or simply set-up their own rival company using your organisation's customer database and confidential trade and pricing information. An effective trusted operating system integrated with a detailed e-risk management programme is required.
The basic principles of risk management apply to e-commerce and the internet; having assessed the risks, they should be analysed to see if they are applicable to the organisation, not forgetting suppliers and customers. As well as security, there are other risks to consider such as loss of trust, loss of reputation or brand image, market risk and operational risks, including operational performance such as lack of adequate capacity to handle transaction volumes. Exposure to legal liability for the content of e-mail messages, employee rights of privacy and employer rights of access, libel, copyright infringement, breach of confidence, regulations and controls, inadvertent formation of contracts, publication of obscene material and data protection are but a few of the risks that come to mind - but security is the biggest. Without quantifiable security, customers will not use your systems, executives will not support e-projects, investors will not finance the venture and regulators may veto the project.
What is required is a holistic risk-based approach to security, with the development of appropriate risk management strategies that audit and control processes and monitor the impact of new technologies. Analysis of the risks and threats to individual organisations, should include:
Each individual organisation must decide how best it might effectively carry out the required review and analyse the risks that may seriously affect its particular operation. Only in this way can you determine what, if any, further risk improvements may be required. It is a necessary approach. With corporate governance coming to the fore throughout Europe, there is a strong requirement for effective controls to be implemented for all significant risks which can seriously affect an organisation.
Inadequate security is already having a negative effect on the potential growth of e-business in Europe. The inability of an organisation to provide a positive response to the following questions will do nothing to improve this situation:
The speed with which the internet operates assists criminals in their desire to obtain maximum benefits, while inflicting damage on their victims. Criminals avoid detection behind the world-wide internet web of connections. Organised criminal elements are now finding that they can access much richer environments through the virtual world than they can in the physical one and go undetected far more often. Even if detected, the legal and jurisdictional issues are such that penalties for their activities may be less onerous than for other crimes such as dealing in drugs.
As is the case with any security regime, no system can be 100% secure. But, in essence, the security systems you put in place must be sufficiently robust to convince your customers and suppliers that they are of the highest security integrity to gain and maintain the confidence of your organisation's business partners.
Frank Heinrich-Jones is director of corporate risk and security management at PLC Consultancy Services, a member of the UK Fraud Advisory Panel Steering Group, and vice-chair of the Panel's internet/e-commerce fraud working party. E-mail: firstname.lastname@example.org