Net Present Value of Information Security: Part I
Ebusiness offers tremendous opportunities for reducing costs and improving revenues. However, along with the advantages it also brings new threats and liabilities that leave businesses highly vulnerable to cyber attack and fraud. Business today must be concerned with the impact of ebusiness on core business purpose, service availability, customer confidence and privacy. All of these highly volatile elements are critical parts of a firm's reputation and valuation. And although each of these issues is separate and distinct, each is also related to a critical success factor in ebusiness today: information security. Executives can no longer afford to consider security the "locks on the doors"; instead, they must acknowledge security as an integral component of a corporate strategy - a component that is necessary to facilitate the creation of systems that respond and adapt to the rapidly changing business environments that characterize the New Economy.
This series will detail the role of security in an overall business strategy, outline the pitfalls of neglecting security, introduce a means of measuring the information security NPV and provide an executive checklist to ensure that your security efforts are on track.
All Business Will Be Ebusiness
"All companies will be Internet companies, or they won't be"
- Andy Grove, CEO, Intel Corporation
The rate of ebusiness growth has been astounding. According to InfoWorld editor-in-chief, Michael Vizard, ebusinesses have to cope with a doubling of their trade every three months. Dell Computer is a prime example. Dell filled its first online order in June 1994. Internet sales reached $1 million per day in 1997, then mushroomed to $5 million a day in 1998, to $10 million per day by the beginning of 1999, reaching $33 million per day by the end of the third quarter 1999. According to Goldman Sachs, the aggregate value of ecommerce between ebusinesses alone is expected to rise to $1.5 trillion in 2004 from $114 billion in 1999.
Despite the growth that has already occurred, the use of the Internet is in its infancy. "Online retail activity in the fourth quarter of 1999 accounted for less than 0.65 percent of total retail business ($5.3 billion of $821.2 billion, according to the [U.S.] Commerce Department)," writes Leon Kappelman of InformationWeek; he added that "We're not even close to reaching any kind of limit on the growth of ebusiness." And these figures are only for North America. When the rest of the world is considered, the potential for growth is vast indeed. According to Kappelman, "About 4.6 percent of the world's population (275 million of 6 billion) had Internet access as of February 2000, up from 3.3 percent a year earlier. North America has about 5 percent of the world's population but about half its online population. It's projected that worldwide Internet access will increase during the next four years to about 10 percent and that there will be more than 700 million Internet-connected devices by 2003, up from 200 million last year."
The reason for this rapid growth, indeed, the magic of the Internet, comes from its ability to tie people together. Organizations are using the Web in a wide variety of ways to improve their relationships with customers, partners and suppliers. They are using the Web to create efficient, automated supply chains and distribution channels, as well as new types of marketplaces, such as ebusiness exchanges. Like a stock exchange such as the NASDAQ, ebusiness trading exchanges facilitate community as well as buying and selling among trading partners within specific vertical markets, such as electronic components, chemicals or pharmaceuticals. By leveraging the Web's universal access, ebusiness exchanges can easily aggregate a large number of sellers and buyers. Bear Stearns forecasts such exchanges will have a valuation of $228 billion in 2002. Moreover, new methods of doing business over the Web are emerging every day. One of the most recent trends is wireless Web access. A new study by IDC found that by the end of 2002, wireless subscribers with Internet access will outnumber wired Internet users.
New Ground Rules for Ebusiness
Whenever human beings congregate for a joint endeavor, they need to establish ground rules and clear expectations about each other's behavior. These rules enable the group to function effectively, and also serve to protect the individual. In business, such ground rules take the form of standard business processes, as well as laws and regulations. When business operations change, these processes and regulations must also be updated. Because the Internet often establishes new business paradigms, businesses have a continual need to develop new processes and ground rules to ensure sound business operations.
The following are a few of the ways that the Internet has altered the way businesses interact with each other.
Most brick-and-mortar business dealings involve a physical interaction and therefore give businesses the means to know exactly whom they're dealing with. For example, a person might come into a store or at least leave an address or phone number. The Internet makes it far more difficult to know whether a person is who he or she claims to be. Internet users can be located anywhere in the world, and many methods are available to mask their locations and identities, making it much easier to commit fraud.
In the physical world, it is difficult to access large volumes of confidential information. To steal confidential papers stored in a company's files, an industrial spy would need to physically break into the office. With the Internet, a hacker located anywhere in the world can make off with company secrets stored on a server without ever having to come near the physical premises. Downloading the equivalent information volume of several sets of encyclopedias happens in a matter of seconds.
Paper-based business processes leave a margin for error. For example, a company that pays by check has a float period of five to ten days and knows its check cannot be cashed until the bank processes the transaction. This float period provides time to stop payment on the check if fraud is discovered. With new online settlement systems such as debit cards, however, transactions are completed in real time, leaving organizations more vulnerable to fraud.
As a result of these and other changes brought about by the Internet, organizations need to develop new business processes that ensure the proper completion of business transactions in order to protect both themselves and their partners.
No Legal Recourse
In a time of rapid change, businesses may be tempted to rely on legal authorities to deal with the fallout from these changes. But such legal recourse is expensive, and results are not guaranteed - even when the company wins its case.
In DoubleClick versus Henderson, DoubleClick asked the courts to issue an injunction to prevent former employees from advertising stolen trade secrets for a one-year period. Even though DoubleClick proved that the employees had, in fact, stolen the trade secrets, the court did not grant the relief that DoubleClick requested. Instead, the court issued a six-month injunction, ruling that the "rapidly changing world of Internet advertising" limits the life of trade secrets.
Ford Motor versus Lane had a similar outcome: Ford proved wrongdoing, but the court did not grant the company the desired redress. In this case, a Website operator had received stolen trade secrets about designs and future activities that were clearly labeled proprietary and then published the information on the site. The court agreed with Ford that a prior restraining doctrine should have precluded the site from publishing the information. However, the court still ruled that the site could publish the information. Why? The court believed the site's free speech rights superseded Ford's right to retain trade secrets.
In today's business world, relying on the legal system for protection or to provide a means of financial recourse doesn't make good business sense, particularly while the courts remain unclear about how they will rule on such matters. Proactive measures that prevent security breaches and fraud from occurring in the first place will prove more cost-effective and serve business better in the long run.
Security Is a Critical Enabler for Ebusiness
One way that organizations can adapt to the changes resulting from new ebusiness technologies is to rethink their views on security. Traditionally, organizations have regarded security as a kind of insurance policy and have devoted roughly 1 to 3 percent of their IT budgets to security measures. In the "glass house" paradigm of business computing, such thinking was appropriate. Mainframe systems were, and still are, fairly self-contained, and the threats to them are reasonably well understood. However, because the Internet makes organizations, and their critical information, far more vulnerable to intrusion and attack from outside, organizations need to greatly increase their security measures to enable trusted business dealings in this new environment.
Anyone doubting this assertion need only look at the skyrocketing instances of security breaches. In a recent survey of 273 Computer Security Institute (CSI) member organizations, the CSI and the San Francisco FBI Computer Intrusion Squad found that nearly 90 percent of respondents detected some form of security breach in 1999, either from inside the organization or from external hackers. Of these attacks, 70 percent were considered serious, including theft of proprietary information, financial fraud, system penetration from outsiders, denial of service attacks and sabotage of data or networks. These attacks resulted in substantial financial losses. The $266 million in losses in 1999 that these member companies reported to CSI was more than twice the average annual total losses of $120 million reported from 1996 to 1998.
NPV of Information Security
As a key strategic enabler of new trusted ebusiness processes, information security becomes a generator of NPV for the organization. Information security protects business reputation, consumer confidence and market valuations, and it delivers a competitive edge by allowing new distribution channels, revenue streams and even business models in an otherwise diluted and overly compromised marketplace. In other words, instead of being viewed solely as a risk-avoidance measure (like a kind of insurance policy that never pays anything back), information security is required both to support and enable ebusiness.
In today's ecommerce environment, effective information security can serve to increase business and profits, not merely to reduce risk. To assure success, therefore, ebusinesses need to bring information security to the forefront of strategic thinking. They no longer can view security as an add-on feature relegated to the end of the design process or as a cost center, or as solely the purview of the technical staff in an organization. Instead, they must realize that information security is a process that is essential in meeting the legitimate needs of the public. They must also realize that their marketing and public relations departments need to be well versed in the principles of information security so that they can communicate effectively with an anxious public about the measures that safeguard customer privacy and money.
Note: This article is the first in a four part series on the NPV of information security.
The words AtomicTangerine and associated logo are trademarks of AtomicTangerine, Inc. All other brands and product names are trademarks or registered trademarks of their respective owners.
©2000 AtomicTangerine, Inc. All rights reserved.
SecurityPortal is the world's foremost on-line resource and services provider for companies and individuals concerned about protecting their information systems and networks.
The Focal Point for Security on the Net (tm)