E-businesses not worried about security: study

Regardless of hacker attacks on other sites, executives and information systems and audit professionals are satisfied with the security of their e-commerce offerings, according to a recent study.

E-commerce Security – A Global Status Report

was released by Deloitte and Touche and the Information Systems Audit and Control Foundation earlier this year, and the results were based on more than 150 personal interviews with managers and executives in 14 countries and 250 written surveys from information systems and audit professionals from 46 countries.

Steven Ross, a director at Deloitte and Touche, said in light of credit card number disclosures and the rage of denial of service attacks, some of the confidence felt by the respondents might be misplaced.

“I think some of the events since the time the study was completed show that,” Ross said. He also noted that, “security incidents tend to create a short-term peak of interest and then everybody tends to go back to sleep.”

Ross stated that it’s not that companies don’t need security, it’s that they think the problem is licked.

Greg Coticchia, vice-president of marketing and business development for Rockville, Md.-based AXENT Technologies, an e-security solutions provider, said the results of the survey may surprise some people, but not him.

“I was reading one of the classic quotes for the security business, which is ‘Few people ever buy a radar detector until after they’ve got a speeding ticket,'” Coticchia said. “It’s so true.”

He explained that most people, when asked about their car or house

security, “two of your most valuable material possessions,” will say their security is good enough.

“Whether you used The Club on your car or had a thousand-dollar system, you’d say ‘It’s good enough,’ or ‘I’ve got a bolt on my door and that protects me’

– it’s whatever your sense of comfort is,” Coticchia said.

He predicted the next target on the Internet will be the exchanges, he said, pointing to the ones announced by the automotive manufacturers in the U.S. and Europe.

“Each one of those would tell you that they’re secure, as much as Yahoo would have the day before the denial of service attack,” he said.

Coticchia noted the Deloitte survey could give a false sense of security until other incidences prove otherwise.

“I think that what Deloitte has done is given us the litmus test to say that people are rationalizing that there security is okay, when indeed it is not,” he said.

The survey showed that more than 80 per cent of the respondents’ organizations used firewalls and about 90 per cent used virus scanning and scrubbing, while less than half used virtual private networks.

James Governor, an analyst at Illuminata Inc in Nashua, N.H., found the study worryingly complacent.

“I think the survey is fairly accurate. We do see complacency in the area of e-commerce security and it’s hard to see exactly what will make that change,” Governor said.

The study also found that respondents were only concerned with security relating to their own sites and do not consider similar security issues when engaging in e-commerce provided by vendors. Almost 90 per cent of those polled said their organization did not use third-party services to validate business partners’ Web sites.

“I found it particularly worrying that they’re not investing time and effort in making sure their suppliers and partners are secure,” Governor said. “It’s actually crucial.”

Coticchia noted this is just human behaviour. “I think people would rather close their eyes and turn their head and hope. People take that risk every day.”

Deloitte’s Ross said he found that result odd as well. “Companies will spend all kinds of money to validate security of their own private networks, but when they go to a Web site never even think to look for any indication that the site is secure.”

All three agreed that security can get left behind in the race to have the best product and to keep up with the competition. Ross said the driver for companies is profitability.

“It’s not so much using e-commerce as a way of reducing costs – most companies feel they’ve got their arms around that. What’s being searched for like the Holy Grail is the killer application, the one that’s going to bring the revenue flowing in.”

Coticchia noted the euphoria over stock prices and money could well end soon. “I think we have yet to see the reckoning for e-business,” he said.