Businesses Fail to Evaluate e-Risks

In today's e-world, the old adage "Time is money" is truer than ever before. Companies are moving to the Internet at breakneck speed, but in their haste many are not adequately evaluating the risks of going online.

An Internet-based company faces risks that do not exist in the offline world. Those risks can have significant business impact. Someone from anywhere in the world can interfere with a company's ability to conduct business. Web site vandalism can generate embarrassment worldwide. Errors can be immediately exploited by dozens of attackers operating from any number of different locations.

Your business should evaluate every new venture it undertakes to determine if the rewards outweigh the risks. That includes moving online. Such evaluation requires a risk analysis and a business impact analysis. While these tasks may seem daunting when you are under the pressure of Internet time, they are essential.

In moving to the Internet, your company should assess three attributes to determine their potential impact on business and the proper level of security to apply. They are availability, confidentiality and integrity. Each can be easily exploited, with disastrous consequences for your business.

Availability is one reason why companies move online. An online business can interact with customers 24 hours a day, 7 days a week. A glance at the headlines, however, shows how easily availability can be disrupted. "Denial of service attacks" cause loss of revenues when customers are unable to access systems to transact business. That affects not only current but also future revenues. Customers who are unable to get to your site will find a competitor who provides the product they're seeking and will often return to that competitor when they need additional products. Customers often view unavailability as poor service, which means that it has a major impact on customer retention and loyalty.

Confidentiality of customer information and transactions is critical, as demonstrated by the number of reports of credit card numbers and customer information stolen online. Lack of confidentiality leaves your business with direct responsibility and liability, and leads to loss of trust. Trust is critical to online business since personal interaction is limited.

Integrity is the capability of ensuring the accuracy of the transaction. It means that your business can make sure the customer is who he says he is, and that the interaction is legitimate. Fraud analysis, though complicated, is essential for online businesses. A GartnerGroup study shows that credit card fraud is about 12 times higher on the Internet than for other kinds of transactions. Investigating online fraud poses problems because the investigation can lead anywhere in the world and it is difficult to identify the individual involved. Furthermore, record keeping in many companies is often inadequate to be used as evidence for a criminal case. That's why it is important to evaluate the type and amount of records in your business, as well as the way they are handled.

Businesspeople sometimes don't realize the significance of an online security incident. All such incidents affect business productivity, since each must be investigated, the cause determined and corrective measures put in place. Often online issues become public. That means the company must respond to the publicity that has been created. Dealing with online incidents requires a significant amount of resources that could better be used elsewhere.

In underestimating the level of risk generated by going online and the impact of security incidents, businesses fall back on a number of myths that help perpetuate security problems.

One myth is that a site is just one among millions of Web sites. While that is true, it does not in any way reduce the likelihood that your site will be found and exploited. Automated scanners continuously locate new sites on the Internet and evaluate them for potential security attacks. Even your home PC, if connected to the Internet, will be visited by these scanners.

Another myth is that if your site is purely informational, not engaged in e-commerce, you need not be concerned. Contrary to this myth, systems are often used to launch attacks on other systems. Think of the distributed denial of service attacks last winter that affected Amazon, eBay, Yahoo and other major Internet sites. Attackers use intermediaries to make the process of tracking them even more difficult. Use of an intermediary can also involve you in the investigation and bring your business unwanted publicity.

The fundamentals of information security really come back to basic business principles: understanding the situation, evaluating the impact, controlling the risk, and monitoring the system. Companies have to continue to make sound business decisions based on facts, regardless of the environment.

Don Pipkin, a frequent speaker on information security, is the author of Information Security: Protecting the Global Enterprise and Halting the Hacker: A Practical Guide to Computer Security. He is Security Systems Architect for the Internet Security Solutions Division of HP.