Net Present Value of Information Security: Part III
While effective security can enable companies to establish the sound practices necessary for trusted business relationships, in the race to bring products, services or sites to the e-marketplace, many organizations continue to rush to market and neglect security. As a large number of high-profile cases have demonstrated, such neglect can be a big mistake. Lack of adequate security is increasingly causing problems that include denial of service attacks, breaches of privacy, lawsuits and the erosion of customer trust.
Denial of Service
A number of recent high-profile security incidents have involved denial of service attacks, which caused outages at sites such as Yahoo, buy.com and eBay. During such an attack, availability can fall from the normal 95 to 98 percent to as low as zero, making it impossible for customers to reach the site.
For companies whose only link to the outside world is their Website, such outages mean lost revenues and lost opportunities, because customers cannot make their intended purchases. The inconvenience can also damage customer relationships or cause customers to go to competitors that are just a click away in the online world.
The damage from these attacks can even extend to the financial markets. eBay, Yahoo and buy.com stocks all lost significant value immediately following their denial of service attacks. Yahoo lost 15 percent, eBay had a 24 percent decline in stock price, and buy.com stock lost 44 percent of its value.
Breaches of Consumer Confidence
Security breaches can also compromise consumer confidence. Research indicates that wary consumers are choosing not to make purchases online, resulting in revenue losses estimated at US$2.8 billion in 1999. Many ecommerce companies collect information about their customers in order to provide personalized service. This information can also be susceptible to unintended access. Following are a few recent examples of how software flaws and break-ins on the Net have exposed consumer account information and credit card numbers.
In April 1999, Joe Harris, a computer technician at the Seattle-area "Blarg! Online" ISP, discovered that improperly installed shopping-cart software, used widely on the Net to simplify shopping, could allow anyone to see confidential data such as credit card numbers. Security analysts pointed out that the plain ASCII file in which such data is stored should not be on the Web server at all, or if it must be, it should be encrypted. Initial evaluation suggested that the weakness affected from several hundred to several thousand ecommerce sites where the software had been installed improperly.
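The misconfiguration in the Blarg! case is that the cart's order file lives somewhere the Web server will happily serve. The following deployment check, an added example rather than the shopping-cart vendor's code, flags a data file whose path (as configured, or after symlinks are resolved) falls under the document root, and also reports a file that is readable by other local accounts. The document root and file paths it uses are assumptions for illustration.

```python
import os
from typing import List

# Added example (not the shopping-cart vendor's code): a deployment-time check
# that the file a cart writes order records to cannot be fetched over HTTP.
# All paths used here are assumptions for illustration.

def _under(root: str, path: str) -> bool:
    """True if path lies inside root, compared component-wise, so that
    /var/www/html2 is not mistaken for a child of /var/www/html (the bug a
    naive string-prefix test would have)."""
    try:
        return os.path.commonpath([root, path]) == root
    except ValueError:  # paths on different drives (Windows)
        return False

def is_under_docroot(docroot: str, data_file: str) -> bool:
    """True if the Web server would serve data_file.

    Both the path as configured (with '..' segments normalized) and the path
    with symlinks resolved are tested against the docroot in both forms, so a
    data file configured as /var/www/html/orders.txt that is really a symlink
    to /srv/data/orders.txt is still flagged: the symlink is what the server
    follows. Caveat: a symlink elsewhere in the docroot that points at
    data_file is not detected here; that needs a walk of the docroot itself.
    """
    roots = {os.path.normpath(os.path.abspath(docroot)), os.path.realpath(docroot)}
    paths = {os.path.normpath(os.path.abspath(data_file)), os.path.realpath(data_file)}
    return any(_under(r, p) for r in roots for p in paths)

def check_cart_storage(docroot: str, data_file: str) -> List[str]:
    """Return findings for the cart's storage location; empty means it passes."""
    findings = []
    if is_under_docroot(docroot, data_file):
        findings.append(f"{data_file} is under {docroot}: anyone can fetch it over HTTP")
    if os.path.exists(data_file):
        mode = os.stat(data_file).st_mode & 0o777
        if mode & 0o044:
            findings.append(f"{data_file} is readable by group/other (mode {mode:04o})")
    return findings

if __name__ == "__main__":
    # Constructed cases: the typical bad install, a traversal that escapes the
    # docroot, a sibling directory with a common prefix, and a proper location.
    for path in ("/var/www/html/cart/orders.txt",
                 "/var/www/html/../data/orders.txt",
                 "/var/www/html2/orders.txt",
                 "/srv/cart/orders.txt"):
        print(path, "->", check_cart_storage("/var/www/html", path) or "ok")
```

Run it against the real document root and the cart's configured data path during deployment; a finding means the data should move outside the docroot (and, as the analysts noted, be encrypted at rest) before the site goes live.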
In another recent case, in December 1999, CD Universe customers were shocked when a Russian hacker calling himself Maxus accessed the CD distribution company's customer credit card database. The criminal tried to extort $100,000 (and later $300,000) from the firm in exchange for not publishing the numbers. When CD Universe refused to pay him, he posted the stolen numbers on a Website and allowed anyone to have one credit card number at a time. Criminals were able to make fraudulent charges on the cards.
A thief who ran a packet sniffer to capture 100,000 credit card numbers from a dozen online commerce sites was arrested in May 1997, when he tried to sell the numbers to the FBI for $260,000.
In 1998, an employee of a Japanese bank offered to sell detailed customer records to a mailing list company. Fortunately, that firm immediately contacted the bank, and the scam was stopped.
Barclays, one of the UK's biggest Internet bank services, was forced offline for nearly four hours in August 2000, when four customers reported they were able to view other customers' account details. The bank insisted that despite being able to see these details, it was impossible to carry out transactions using those accounts, and in fact no customer lost money because of the incident. Later in the month Barclays suffered another embarrassing incident when it was discovered that after logging out of the online service, an account page could be immediately redisplayed using the "back" button on a Web browser, because the browser had kept a cached copy. If a customer accessed their Barclays account on a public terminal, the next user could use this method to view the banking details. According to the bank, when customers join the online banking service they are given a booklet that tells them to clear the cache to prevent this from happening. However, this procedure effectively shifts the responsibility for security to the end user, when the server itself can instruct browsers not to cache authenticated pages and can invalidate the session when the customer logs out.
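The server-side answer to the two Barclays failure modes (a cached account page surviving logout, and a logged-out session still being honoured) is shown below as an added example; it is not Barclays' code, and the handler names, in-memory session store and page contents are assumptions for illustration. Every authenticated response carries headers that forbid caching, and logout destroys the session on the server rather than merely deleting the cookie.

```python
import html
import secrets
from typing import Dict, Optional, Tuple

# Added example (not Barclays' code). Handler names, the session store and the
# page contents are assumptions for illustration.

# Sent with every authenticated response. "no-store" tells HTTP/1.1 browsers
# and proxies to keep no copy at all; "Pragma" and "Expires" cover HTTP/1.0
# caches. A page that was never stored cannot be redisplayed by the "back"
# button after logout, whether on the customer's own PC or a public terminal.
NO_STORE_HEADERS: Dict[str, str] = {
    "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
    "Pragma": "no-cache",
    "Expires": "0",
}

Response = Tuple[int, Dict[str, str], str]  # status, headers, body

# Constructed in-memory session store keyed by an unguessable session id.
sessions: Dict[str, str] = {}

def login(username: str) -> str:
    """Create a server-side session and return the id to set as a cookie."""
    sid = secrets.token_urlsafe(32)
    sessions[sid] = username
    return sid

def account_page(session_id: Optional[str]) -> Response:
    """Serve account details only for a live session, and never cacheably."""
    user = sessions.get(session_id) if session_id else None
    if user is None:
        # Redirect to login; the redirect itself is marked no-store as well.
        return 302, {"Location": "/login", **NO_STORE_HEADERS}, ""
    body = f"<h1>Account details for {html.escape(user)}</h1>"
    return 200, {"Content-Type": "text/html", **NO_STORE_HEADERS}, body

def logout(session_id: Optional[str]) -> Response:
    """Invalidate the session on the server, then expire the cookie.

    Expiring the cookie alone is not enough: a replayed request that still
    carries the old id (or a cached page fetched again) must fail here."""
    if session_id:
        sessions.pop(session_id, None)
    headers = {
        "Set-Cookie": "sid=; Max-Age=0; Path=/; Secure; HttpOnly",
        **NO_STORE_HEADERS,
    }
    return 200, headers, "You have been logged out."

if __name__ == "__main__":
    sid = login("alice")
    print(account_page(sid)[0])   # 200: live session
    print(logout(sid)[0])         # 200: session destroyed, cookie expired
    print(account_page(sid)[0])   # 302: the old session id is no longer valid
```

With these two measures the "clear your cache" instruction in the customer booklet becomes defence in depth rather than the only control: the browser is told not to keep the page, and even a copy that some intermediary retained cannot be refreshed into a live view once the session is gone.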
Lost Business or Third-party Liability
Lack of security not only has a negative impact on the company whose Website is not adequately protected - it can affect other companies as well. For example, breaches of security and trust at one company in a market segment can make consumers wary of doing business with any company that operates in that market niche.
More serious are distributed denial of service attacks, in which hackers take over inadequately protected PCs at one or more sites and then use those machines to bombard a targeted site with requests for access. The resulting overload can cause the targeted site to shut down. When such attacks occur, the targeted site pays a price because other sites did not maintain adequate security. Although no lawsuits have been filed so far, it is reasonable to expect that someone will eventually charge organizations operating such unsecured sites with negligence. Indeed, the unprotected site is more likely to be the target of such litigation than the hackers who initiated the attack, because such organizations usually have much deeper pockets.
Recent court cases indicate that demonstrating that an organization has in fact created a security policy can furnish some protection from lawsuits. In the Caremark case, hackers broke into the company's business systems and stole critical information. Publicity regarding the break-in adversely affected stock prices. As a result, shareholders attempted to hold Caremark's officers and directors personally liable for the theft, claiming that they should have employed better protections to safeguard company assets. In this case, the court ruled that because the company had assessed the problem beforehand, set up a security team and prioritized the company's response - in other words, had set up a due diligence framework for security - the officers should not face personal liability, even though they were unsuccessful in detecting the particular fraud scheme in question. While this case highlighted the issue of personal liability for corporate officers, it also laid out the framework by which corporations can avoid this liability: demonstrating that they have exercised due diligence by setting security policies to protect the company's assets.
Lack of Consumer Trust
Perhaps the most ominous detrimental effect that poor security has is its impact on consumer confidence. If poor security practices continue after being discovered, they have the potential to substantially dampen prospects for future ebusiness growth. Survey after survey confirms that key impediments to increased consumer use of online purchasing are fears of losing control over credit card numbers and loss of privacy.
Furthermore, a security breach can reduce the value of a company's brand. According to Alan Greenspan, Chairman of the US Federal Reserve, a company's reputation, or its brand, has become even more important in our information-driven economy: "In today's world, where ideas are increasingly displacing the physical in the production of economic value, competition for reputation becomes a significant driving force - propelling our economy forward. Manufactured goods often can be evaluated before the completion of the transaction. Service providers, on the other hand, usually can offer only their reputations."
In a Rockbridge Associates' study conducted over a two-year period of 1,001 consumers selected at random, most respondents expressed suspicion about the security of online transactions: 58 percent do not consider any financial transaction online to be safe; 67 percent are not confident in conducting business with a company that can only be reached online; 77 percent think it is unsafe to provide a credit card number over the computer; and 87 percent want ecommerce transactions confirmed in writing.
A December 1999 survey by the ecommerce firm CyberSource of 100 online merchants reported that 75 percent of the respondents rated credit card fraud as "a concern," but only 59 percent knew that they would be liable for restitution in cases of fraud. About 72 percent of online merchants surveyed believed that sales would increase if online shoppers were not worried about fraud.
In April 2000, the Angus Reid Group (a national polling agency) released results of 1,125 interviews with Canadian Web users. The overall conclusion was that most Internet users in Canada have never shopped online because they fear their credit card information will be accidentally leaked or stolen. Tyler Hamilton, reporting for the Globe and Mail newspaper, wrote,
Such on-line shopping jitters represent a massive barrier to e-commerce preventing billions of dollars from flowing into the country's digital economy. The perception that such information will be misused or stolen is cited as the main reason 74 percent of all Canadian Internet users have stayed clear of on-line shopping.
Steve Mossop, senior vice president of Angus Reid and head of the firm's Canadian Internet practice called the numbers "staggering." He said privacy and security issues on the Internet have gained a higher profile over the past year, largely because of recent hacker incidents and Website breaches. The top fears holding back consumers: 62 percent are "very concerned" about the security of databases holding their credit card information; 57 percent believe that credit card data can be easily used for unauthorized transactions; and 54 percent think their credit card data can be intercepted in transit by hackers.
The words AtomicTangerine and associated logo are trademarks of AtomicTangerine, Inc. All other brands and product names are trademarks or registered trademarks of their respective owners.
©2000 AtomicTangerine, Inc. All rights reserved.
SecurityPortal is the world's foremost on-line resource and services provider for companies and individuals concerned about protecting their information systems and networks.
The Focal Point for Security on the Net (tm)