According to official figures from the Organisation for Economic Cooperation and Development (OECD), e-commerce - business done solely over the internet - will be worth $300 billion by 2001 and three times that figure just two years later. E-commerce and the internet are rapidly changing the way we all live our lives and do business. The global marketplace is creating new challenges - not least, those relating to risk and security management.

It is very difficult to accurately measure the scale of the problem of e-commerce and internet security. There are many different forms of external and internal attack. These include disruption to services, computer fraud, cybercrime, security breaches, viruses, denial of service attacks and internet credit card fraud, besides simple operator errors and system failures. Recent reports suggest that potential losses are huge.

  • The Love Bug virus, which invaded and brought down some 45 million computers, is a well-known catastrophic event in the internet arena. The terminals affected were apparently mainly personal computers throughout the world which used the Microsoft Outlook Express e-mail system. But it also reportedly affected terminals at the White House, US Congress, Central Intelligence Agency (CIA), NASA and the Pentagon, as well as the British and Danish parliaments, and hundreds of US, British, German, French, Spanish and Swiss firms. These included Microsoft, Time Warner, Ford, Barclays, BT, the BBC, News International, Nestlé, Vodafone AirTouch and Merrill Lynch. The Love Bug and Melissa, an earlier virus attack, are estimated to have caused a combined $10 billion of damage worldwide.

  • Denial of service attacks, most notably those on Yahoo!, Amazon and eBay, have caused many millions, if not billions, of dollars in disruption costs, loss of revenue and reduced shareholder value. The director of an Atlanta-based security research laboratory at Internet Security Systems, a software and consulting company, stated: “If hackers can shut down Yahoo! (e-commerce leaders with a market capitalisation of about £58 billion and £4 million-worth of business in the last quarter of 1999), they can shut down anything they want tomorrow.”

  • A recent Federal Bureau of Investigation (FBI) survey appearing in The Business Security e-Journal reported that cybercrime is on the increase, with financial losses at US companies more than doubling to $266 million in 1999. According to this survey, seven out of ten US corporations, banks and government agencies suffered “serious” breaches of computer security last year, while 74% acknowledged financial losses. Only 42% of respondents to the survey quantified their losses. However, these organisations reported that total losses were more than double those for the previous three years. Sabotage of computer networks emerged as one of the fastest growing problems, while theft of proprietary information and financial fraud remain the two biggest areas of cybercrime. Internet connections were the most frequent point of attack. One example quoted was that of a Russian hacker who gained access to the e-commerce site of a music store and tried to blackmail the store into paying him, threatening otherwise to distribute all its customers' credit card numbers to the Russian “mob”.

  • The UK Department of Trade & Industry's government-supported Information Security Breaches Survey 2000 reported the following headline results:

    - 60% of organisations reported having suffered a security breach in the last two years;

    - over 30% of respondents did not recognise that their business information is either sensitive or critical, and therefore a business asset;

    - of those organisations that have critical or sensitive information, 43% had suffered an “extremely serious” or “very serious” breach, and a further 20% had suffered a “moderately serious” breach in the last two years;

    - nearly three-quarters of organisations that suffered a breach they regarded to be “serious” had no contingency plan in place to deal with it;

    - very few organisations were able to assess the true business implications of the security breaches they had suffered – but those that could indicated that the cost of a single breach was in excess of £100,000;

    - more than half the organisations which have suffered a breach that they consider to be their “most serious” do not believe that there is anything they could have done to prevent it;

    - one in three businesses are already buying or selling over the internet, or intend to start in the near future.

  • Reportedly, anti-virus firms find at least 20 new viruses a day, typically created by students seeking kudos in the underground virus-writing community. Some cause small-scale infections of corporate or domestic computers that may be harmless or damaging depending on the form the attack takes.

  • In 1999, an estimated two million instances of credit card fraud took place on internet purchases in Europe, and the Internet Fraud Watch reported a 600% increase in complaints in the United States since 1997. A recent ICC survey revealed a three-fold increase in reports from organisations that had been attacked by hackers between 1997 and 1998.

Internal risks

The pressure is mounting for all organisations to recognise the problems and implement good practice to provide at least some measure of protection from such risks. The case for risk and security improvements in the area of e-commerce and the internet is clear; the threat is there for all to see. However, crimes committed by external hackers are not the only danger. It is estimated that organisations face 20% of threats to their computer systems from outside the organisation and 80% from internal sources. Security must be integral to a company's operations.

Internal hackers may be far more insidious than external threats. While firewalls, encryption, digital signatures and other forms of security protection can be used against external hackers trying to break into your system, an insider can render these, or any other normal security system, useless. Insiders have far greater opportunities to commit crimes without detection: to access confidential information and trade secrets and sell them to competitors, or simply to set up their own rival company using your organisation's customer database and confidential trade and pricing information. An effective trusted operating system integrated with a detailed e-risk management programme is required.

Risk analysis

The basic principles of risk management apply to e-commerce and the internet: having assessed the risks, the organisation should analyse them to see whether they apply to its own operation, not forgetting suppliers and customers. As well as security, there are other risks to consider, such as loss of trust, loss of reputation or brand image, market risk and operational risks, including operational performance such as lack of adequate capacity to handle transaction volumes. Exposure to legal liability for the content of e-mail messages, employee rights of privacy and employer rights of access, libel, copyright infringement, breach of confidence, regulations and controls, inadvertent formation of contracts, publication of obscene material and data protection are but a few of the risks that come to mind - but security is the biggest. Without quantifiable security, customers will not use your systems, executives will not support e-projects, investors will not finance the venture and regulators may veto the project.

What is required is a holistic risk-based approach to security, with the development of appropriate risk management strategies that audit and control processes and monitor the impact of new technologies. Analysis of the risks and threats to an individual organisation should include:

  • a top-down view, driven by high-level business security considerations, rather than a bottom-up, technology-orientated perspective;

  • alignment with the organisation's overall risk and security policy;

  • security and risk management to be seen as a “people” problem and not just a technology issue;

  • dangers that may originate internally, as well as externally;

  • dangers that arise unintentionally and innocently, as well as maliciously and in a planned fashion.

Each individual organisation must decide how best it might effectively carry out the required review and analyse the risks that may seriously affect its particular operation. Only in this way can you determine what, if any, further risk improvements may be required. It is a necessary approach. With corporate governance coming to the fore throughout Europe, there is a strong requirement for effective controls to be implemented for all significant risks which can seriously affect an organisation.

Inadequate security is already having a negative effect on the potential growth of e-business in Europe. The inability of an organisation to provide a positive response to the following questions will do nothing to improve this situation:

  • Can you be certain that the contents of an e-mail sent from your largest customer have not been changed?

  • Was that message actually written by your customer?

  • Has the e-mail been read by your competitor and is it making a counter offer?

  • Where do you stand if you accept a large order electronically and the purchaser questions the order content on delivery?
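The four questions above, and the encryption and digital signatures mentioned under Internal risks, can be made concrete in code. The Go program below is an added example written for this edit, not code from the article or its author. It assumes that each trading partner holds an Ed25519 key pair whose public half was exchanged out of band when the trading relationship was set up, and that the two parties share a 32-byte AES-256-GCM key; `Party`, `Seal`, `Verify` and `ReceiveOrder` are names invented here, and the sample order and key are constructed. A signature over the order body addresses the first, second and fourth questions (an altered body, or a body signed with a different key, fails verification, and the stored signature is the record if the order is disputed on delivery); encrypting the signed message addresses the third (a competitor on the path sees only ciphertext).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Party is a hypothetical trading partner holding a long-term Ed25519 key pair;
// the public key is exchanged out of band when the trading agreement is set up.
type Party struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewParty generates a fresh key pair.
func NewParty() (*Party, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{Pub: pub, priv: priv}, nil
}

// Sign returns body || signature. The signature binds these exact bytes to the
// sender's key: a changed body or another signer fails Verify, and the stored
// signature is the evidence if the order is disputed later.
func (p *Party) Sign(body []byte) []byte {
	return append(append([]byte{}, body...), ed25519.Sign(p.priv, body)...)
}

// Verify checks body || signature against the claimed sender's public key and
// returns the body only if the signature is valid.
func Verify(senderPub ed25519.PublicKey, signed []byte) ([]byte, error) {
	if len(signed) < ed25519.SignatureSize {
		return nil, errors.New("message too short to carry a signature")
	}
	split := len(signed) - ed25519.SignatureSize
	if !ed25519.Verify(senderPub, signed[:split], signed[split:]) {
		return nil, errors.New("signature invalid: body altered or not signed by claimed sender")
	}
	return signed[:split], nil
}

// newGCM builds AES-256-GCM from the 32-byte key the two parties share.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a signed message so a competitor on the path sees only
// ciphertext; the random nonce is prepended, and GCM's authentication tag
// makes any change to the ciphertext fail on receipt rather than decrypt to garbage.
func Seal(key, signed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, signed, nil), nil
}

// ReceiveOrder is the supplier-side check: decrypt (failing if the key is wrong
// or the ciphertext was changed), then verify the customer's signature.
func ReceiveOrder(key []byte, customerPub ed25519.PublicKey, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, errors.New("bad key or ciphertext too short")
	}
	signed, err := gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
	if err != nil {
		return nil, fmt.Errorf("decrypt: %w", err)
	}
	return Verify(customerPub, signed)
}

func main() {
	customer, _ := NewParty()
	impostor, _ := NewParty()                          // a competitor posing as the customer
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte shared key
	order := []byte("PO-0001: 10,000 units at GBP 4.20") // constructed sample order

	sealed, _ := Seal(key, customer.Sign(order))
	body, err := ReceiveOrder(key, customer.Pub, sealed)
	fmt.Printf("genuine order: %q (err=%v)\n", body, err)

	tampered := append([]byte{}, sealed...) // one bit flipped in transit
	tampered[len(tampered)-1] ^= 0x01
	_, err = ReceiveOrder(key, customer.Pub, tampered)
	fmt.Println("altered in transit:", err)

	forged, _ := Seal(key, impostor.Sign(order)) // right key, wrong signer
	_, err = ReceiveOrder(key, customer.Pub, forged)
	fmt.Println("not from customer:", err)
}
```

Run with `go run`: the genuine order is accepted, while the message with one flipped ciphertext bit and the message signed by another party are both rejected before anyone acts on them. The limit the article itself points out still applies: none of this helps against an insider who holds the customer's private key or the shared secret, which is why key custody belongs in the e-risk management programme and not only in the software.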

The speed with which the internet operates helps criminals to obtain maximum benefit while inflicting damage on their victims. They avoid detection by hiding behind the internet's world-wide web of connections. Organised criminal elements are now finding that they can access much richer environments through the virtual world than through the physical one, and go undetected far more often. Even if they are detected, the legal and jurisdictional issues are such that the penalties for their activities may be less onerous than for other crimes such as dealing in drugs.

As with any security regime, no system can be 100% secure. But, in essence, the security systems you put in place must be robust enough to convince your customers, suppliers and other business partners that they are of the highest integrity, so that their confidence in your organisation is gained and maintained.

Frank Heinrich-Jones is director of corporate risk and security management at PLC Consultancy Services, a member of the UK Fraud Advisory Panel Steering Group, and vice-chair of the Panel's internet/e-commerce fraud working party. E-mail: frank.heinrich-jones@virgin.net