Australian e-business: Shopping for IT security
There are always horror stories about companies who have had their Web sites hacked, or networks penetrated, and the incalculable impact it had on their bottom line. Often these tales take on the flavour of urban myths—no one wants to own up and say it’s happened to them—so it all seems a little bit unreal. Unfortunately it isn’t. And the business consequences of getting security wrong can be devastating.
Alex Turkington, Asia-Pacific president for vendor Top Layer Networks puts it into a business perspective when he comments that the ramifications of e-commerce security being compromised can be financial, legal and operational.
“Therefore an organisation’s investment in security should be directly proportional to the value of the business,” he advises. “When businesses engage in e-commerce activities it is imperative that security is a core component in their IT infrastructure.”
And, as Steve Bittinger, research director at Gartner for Government, CRM and security points out, companies doing business online need to spend more time and money protecting themselves, because of the greater risks.
Why should companies care?
The dilemma—as Gregg Rowley, managing director at Internet trust company eSign Australia sees it—is that the online world offers opportunities to streamline processes, but to do this you have to open up your systems and networks to give your suppliers and partners access.
Rowley cites authentication of who you allow into your network, privacy of information you want kept confidential, and protecting information on your systems from being changed, as areas companies doing business online should be considering. Non-repudiation—being able to prove who has agreed to what—is also an important aspect e-businesses need to address when they’re looking at IT security.
The potentially huge financial costs if you’re breached or penetrated is another reason e-commerce businesses should care, according to Kim Duffy, managing director for Australasia at intrusion detection and protection software company, Internet Security Systems (ISS).
He uses the example of a bank, where if they get hacked there would be a loss of confidence. “There is increasing pressure for companies who use the Internet to do business to accept their responsibilities to provide security to their customers, business partners and staff.”
Sven Radavics, senior manager of sales engineering for Asia Pacific at security hardware and software vendor WatchGuard Technologies cautions businesses not to leave thinking about security too late.
“They need to understand the value of the data that can be compromised,” Radavics suggests. “A lot of security decisions are made by technical people—what needs to happen is the business managers that understand the value of the data need to seek out valuable advice—not just inside their companies. They need to realise they need to get advice from a security professional and they need to then take that advice.”
From the point of view of accounting and financial information Bill Copeland, vice president of international business development, at ACCPAC International—a vendor of software and services to mid-market companies—cites fear of information becoming available outside an organisation and loss of control as other reasons companies start to think about IT security. But what he also believes companies should be doing more of is looking at the real business advantages of putting the appropriate level of security in place. Copeland uses increasing market share, and revenue or profitability, as examples of benefits.
It won’t happen to me, will it?
The example of locking your door in the real world is a common one in security circles. Mike Jeffries, PKI marketing manager for APAC at e-security products and services company Baltimore Technologies, also uses the risk management analogy of locking your front door, putting money in the bank, or regularly auditing your accounts. “Again, you wouldn’t think about not having insurance, and the reason is to stay in business—you have to manage the risks of being in business as soon as you plug yourself into the electronic world.”
Jeffries believes companies have a duty of care to apply the relevant risk management techniques to the online side of their business, just as they would with their real-world environment. And part of that fantasy that it always happens to other companies is perpetuated by the fact no one talks about when it happens to them. Radavics believes it’s important to get beyond this, to some extent. “The primary fear today when someone suffers damage [is that] they don’t want the general public to find out about it,” he says.
He advises informing an organisation such as the Australian Computer Emergency Response Team (www.auscert.org.au) because of the benefits to other companies about new attacks or vulnerabilities. AUSCERT aims to provide a point of contact for the Internet community to deal with computer and security incidents and their prevention. “If somebody comes into your system and modifies data it causes a whole raft of future damage,” Radavics warns, using the example of tampering with your financial records as one of the scenarios of what could happen.
One way that companies are tackling the authentication issue in the online world is by using digital certificates. According to eSign’s Rowley, the idea of a digital signature is that it’s tamperproof and can assign your identity to a document. Digital signatures are the equivalent of signing a letter on your company’s letterhead paper.
The reason you may want to use a digital signature is as a means of proving and enforcing non-repudiation for online transactions. Rowley believes it’s still early days in the use of digital signatures in Australia, but says the interest in using them to sign transactions and communications is growing exponentially.
The business benefits of digital certificates over passwords, according to PricewaterhouseCoopers, include:
- Better risk management—of who did what to whom and when.
- Greater legal certainty by virtue of the higher evidentiary weight of certificates.
- Lower total cost of dispute resolution and forensic investigation, because the origin of a transaction can be proved directly without recourse to computer system audit logs.
- Improved access to broader customer groups because PKI alleviates the need for prior dealing before accepting transactions online.
- Superior customer care and possible first mover advantage in new e-business markets, from deploying state-of-the-art in electronic authentication.