Web of insecurity

Despite an alarming number of high-profile breaches of security in online transactions, many companies continue to do e-business without proper security strategies. But experts warn that they could be in for a nasty surprise, says ANDREW LEE

There have been so many horror stories about failures of online security recently you could be forgiven for thinking the net really is full of holes.

Barclays and PowerGen are just two of the household names struggling to rebuild trust in their internet strategies after supposedly confidential customer information was left out in the open for all to see.

As usual, the headlines come from the business-to-consumer arena, but the issues are no different for companies building business-to-business strategies.

In a full-service e-business scenario, the internet will be awash with reams of sensitive information including orders, invoices, project details and even new product design data. In theory it will all be vulnerable to security breaches, leaving many managers asking themselves: ‘If I don’t trust this technology to pay my domestic gas bill, how can I put details of a multi-million pound project online?’

Surveys of UK business suggest two answers to the question. The first is ‘I can’t’. Security concerns are regularly named as the biggest factor holding back the growth of e-business, with companies preferring to do nothing rather than risk a catastrophic lapse.

The second response is quaintly low-tech in the face of so much that is dazzlingly new – to cross your fingers and hope for the best.

A recent study sponsored by the Department of Trade and Industry suggests that when it comes to the integrity of their information, an alarming number of UK firms are relying on the equivalent of rabbits’ feet and four-leaf clovers. Of 1,000 UK companies questioned for the Information Security Breaches Survey 2000, one in three are already buying and selling over the internet or plan to do so soon.

But 60% of those have suffered an information security breach over the past two years, with almost half categorising the incident as ‘extremely or very serious’.

And their response? Pitiful, if the DTI’s survey is to be believed. Two thirds of the companies that experienced a serious breach said they had done nothing to stop it happening again. Just one in seven of the firms surveyed had a formal information management security policy in place.

Professor Fred Piper, director of the information security group of MSc courses at London University’s Royal Holloway College, claims any business that feels it can ignore online security, or believes the issue is over-hyped, could be in for a nasty surprise.

‘They should be concerned, because by doing business online – and gaining all the undoubted benefits that brings – they inevitably increase the risks to their security,’ says Piper.

Popular stereotypes of the internet security threat include anarchic teenage hackers spreading viruses from their bedrooms or gangsters bent on corporate blackmail. Such menaces do exist, but Piper points out that a security breach is far more likely to come from within – and be more a case of cock-up than conspiracy. ‘Most of these high profile incidents have been accidents. As far as we can tell, nobody intended to make their confidential details public, they were unfortunate mistakes,’ he says.

Errors can always happen, but, like most other experts in the online security field, Piper believes they can be minimised by good practice – something that is all too often forgotten if security is seen only as a technical issue for the IT department. ‘The technical side is important, but it is much more an issue of good management,’ says Piper. ‘This is why a formal information security policy is so important.’

Malcolm Skinner, product marketing manager for IT security specialist Axent, is amazed by how chaotic the approach of some companies is to such a potentially explosive issue.

‘If there is a safe on the premises, most businesses don’t think twice about drawing up formal procedures for its use,’ says Skinner. ‘They decide which documents are important enough to be kept in it, who knows the combination and who’s responsible for checking regularly that it’s still secure.’ By contrast, many companies haven’t even graded the sensitivity of their data before entrusting it to the internet. ‘You have to know the value of what you’re protecting before you decide how to protect it,’ says Skinner. ‘Having no security measures is a perfectly valid policy, but only if you have looked at your information and decided there is no risk to your business if anything untoward happens to it.’

According to Skinner, the magic word ‘firewall’ – a server that polices traffic between a company’s network and the outside world – is too often viewed as the beginning and end of online security.

‘Most people equate security with a firewall, and it’s true that if you’re connecting your business to the internet you must have one.’ However, Skinner points out that a firewall, no matter how sophisticated, is still letting data in and out and will not protect a business from internal attack.

‘If there is no internal monitoring of activity you are far from secure. Whether by accident or design, someone within an organisation has vastly more opportunity to compromise its security than an outsider,’ says Skinner.

With this in mind, many security applications now offer sophisticated monitoring systems which can detect hostile or unusual activity on a network, whether it originates internally or externally.

Fred Piper identifies another security issue which is perplexing many in the e-business arena. How do you know who you are doing business with? Piper says: ‘If I want to buy something from Woolworth’s I can be pretty sure I’m in the right place when I walk down the high street and go through the door. The same is not true online, because what you see on a screen can only be trusted up to a point.’

According to Piper, authentication will be the biggest hurdle for e-business to overcome before it enjoys widespread confidence in the business community.

Chris Potter is a partner at PricewaterhouseCoopers, and is assessing online authentication for the global accountancy and consulting giant. A recent PWC study of companies already using e-procurement systems discovered a significant number of security lapses, many involving transactions being conducted with the wrong second party.

Potter says the stakes are so much higher for those conducting e-business than for consumer e-commerce that the required solutions are proving more elusive. ‘Moving millions of pounds or highly sensitive information is not the same as buying a book from amazon.com,’ says Potter. ‘Simple password controls, which may be sufficient for a B2C transaction, will not always be enough in the B2B arena.’

Digital signatures, which give companies conducting transactions online unique, secure online ‘passports’ as a way of being recognised and recognising others, are already in limited use.

However, Potter has identified three stumbling blocks to their adoption:

- The lack of international standards backed by appropriate legislation in major economies. This is now beginning to be addressed, but only slowly.

- Who issues digital certificates is also crucial, and PWC recently launched BeTrusted in a bid to set itself up in the role of a global ‘trusted third party’.

- The incompatibility of the various applications available.

Potter believes digital signatures will eventually offer companies contemplating e-business the degree of reassurance they need. But in the meantime, many UK businesses remain understandably cautious.

www.dti.gov.uk/infoage
www.rhul.ac.uk
www.axent.com
www.betrusted.com