Regardless of hacker attacks on other sites, executives and IS and audit professionals are satisfied with the security of their e-commerce offerings, according to a recent study.
E-commerce Security — A Global Status Report was released by Deloitte & Touche and the Information Systems Audit and Control Association. The study’s results are based on more than 150 personal interviews with managers and executives and 250 written surveys from IS and audit professionals.
Steven Ross, a director at Deloitte & Touche, says that in light of recent credit card number disclosures and a rash of denial of service attacks, some of the confidence felt by the respondents might be misplaced.
“I think some of the events since the time the study was completed show that,” Ross says. He also notes, “Security incidents tend to create a short-term peak of interest and then everybody tends to go back to sleep.”
Greg Coticchia, vice-president of marketing and business development for Rockville, Md.-based AXENT Technologies, says the results of the survey may surprise some people, but not him.
“I was reading one of the classic quotes for the security business, which is ‘Few people ever buy a radar detector until after they’ve got a speeding ticket,’” Coticchia says. “It’s so true.”
He explains that most people, when asked about their car or house security — “two of your most valuable material possessions” — will say their security is good enough.
“Whether you used The Club on your car or had a $1,000 system, you’d say ‘It’s good enough,’ or ‘I’ve got a bolt on my door and that protects me’ — it’s whatever your sense of comfort is,” Coticchia says.
He predicts the next target on the Internet will be the industry exchanges, pointing to the ones announced by automotive manufacturers in the United States and Europe.
“Each one of those would tell you that they’re secure, as much as Yahoo would have the day before the denial of service attack,” he says.
Coticchia says Deloitte & Touche’s survey could give a false sense of security until other incidents prove otherwise. “I think what Deloitte has done is given us the litmus test to say people are rationalizing that their security is OK, when indeed it is not.”
The survey shows that more than 80 per cent of the respondents’ organizations use firewalls and about 90 per cent use virus scanning and scrubbing, while less than half use virtual private networks.
James Governor, an analyst at Illuminata Inc. in Nashua, N.H., finds the study worrisomely complacent.
“I think the survey is fairly accurate. We do see complacency in the area of e-commerce security and it’s hard to see exactly what will make that change,” Governor says.
The study also finds respondents are only concerned with security relating to their own sites and do not consider similar security issues when engaging in e-commerce provided by vendors. Almost 90 per cent of those polled say their organization does not use third-party services to validate business partners’ Web sites.
“I found it particularly worrying that they’re not investing time and effort in making sure their suppliers and partners are secure,” Governor says. “It’s actually crucial.”