Information security, or lack thereof, may yet be the death of commerce and business conducted on-line by Canadian consumers.
That’s an assertion based on recent, which among other things suggest there still remains much apprehension on the part of Canadians who shop on-line, and that businesses themselves continue to grapple with information security.
A survey of 1,250 Canadians by Pollara on behalf of security product vendor Symantec Corp. observes that 45 per cent of B.C. residents and 41 per cent of those surveyed in Ontario don’t feel safe from threats such as hackers and identity theft while shopping on-line. In fact, four in 10 Canadians feel “unsafe” when shopping on-line, and nearly one in four when banking on-line. The survey was conducted in early May and researchers say the results are accurate to a total of plus or minus 3.2 per cent.
Given that Canadians are among the more Internet-connected and IT-savvy folks in the world, these observations lead one to wonder whether there might a real danger of people turning their backs on cyberspace business and commerce. The reality is that cyberspace may still be too dangerous place to safely conduct business.
The Internet has been around for a while now, and effective technologies to keep information secure and make surfing in general – and ecommerce in particular – much safer should be widely deployed by this point.
Unfortunately, there simply hasn’t been a marked turnaround in the safety of doing business on-line. Cyberspace criminals are smarter than ever and more threats appear to exist today than ever before.
The Pollara survey observes that 58 per cent of on-line Canadians have been a victim of a computer virus or worm – a number that may be significantly higher, given that some people might not admit to falling prey to such activities, while others may simply not be aware that their computer systems have been infected or compromised.
Yet IT security remains a marginal investment for most businesses and something they’re inclined to spend money and time on only when they have to. A recent poll of ITWorldCanada’s IT executive readers shows more than 40 per cent of small and medium businesses surveyed in Canada say they’ll spend about as much on information security this year as they did last year. An additional 35 per cent of small business said they may spend up to 10 per cent more this year. That’s paltry spending, considering that most businesses are likely doing more on-line today than ever before, and that the sophistication and volume of cyber threats is on the rise. The fact that security spending remains flat doesn’t exactly raise confidence that businesses are being aggressive in the information security battle.
Canadian companies are dragging their heels even in areas where they are legally required to take action to secure information. The Canadian Privacy Act and the Personal Information and Electronic Document Act (PIPEDA), for example, are by far the two pieces of legislation that do the most to spur businesses to invest in IT security. Still, the ITWorldCanada survey results show more than half of small businesses required to be in compliance with the Canadian Privacy Act are in fact not, and 43 per cent of small businesses in Canada that must be compliant with PIPEDA are not.
To illustrate the extent of the problem, only about half of small businesses say they use intrusion detection and prevention tools, while just 55 per cent say they use some type of secure remote access on the Internet. Why does such a cavalier attitude seem to prevail when two-thirds of small business respondents to the survey say their companies have experienced between one and four “negative security related events” in the past 12 months? Among other things, survey respondents say these events have resulted in confidential records being compromised and/or loss or damage to internal records.
In other words, businesses, especially smaller ones, appear to be losing the fight against hackers and other cyber criminals. Judging by the level of investment in security products and overall expertise, there’s little evidence to suggest small businesses are much smarter today about information security than they were a year ago, and many certainly aren’t behaving as though they truly understand the risk, which has continued to rise over the past year.
The gap between the ingenuity of cyber criminals and the risk-minimization tactics employed by small business is dangerously wide. Many small businesses are at high risk for compromise of their own basic information security, so how can they be expected to protect the safe computing and information security of their customers in an increasingly risky on-line world, given their current level of security investment?
There’s an important question raised by the results of these two research efforts: Given that nearly half of Canadian on-line users remain apprehensive about shopping on-line, why should a business seek to invest in e-commerce today? The on-line security risks seem to be increasing, given the existence of more insidious computer viruses, malicious software such as spyware, and alarming incidents of next-generation threats such as phishing and pharming that have become epidemic. It’s not unreasonable to expect information security breaches will happen even more frequently, will be even more difficult to prevent and will cause greater damage in the future.
The Internet is already a risky place for Canadians to shop, and the e-commerce district is getting seedier. There is a real danger that customers may turn away from on-line commerce if cyberspace can’t be made much more secure, and soon. It’s a scenario that may breathe new life into traditional storefront shopping, but spell death to e-commerce if Canadian companies don’t wake up to the threat and start to clean up the Net.
This article appeared in The Globe and Mail on June 16, 2005.