A Year Ago: Security loses to holiday rush

First published: Mon, 03 Jan 2000 06:57:34 GMT

Without prodding, companies would tend to relegate security to the back burner

The pressure to be up and running this holiday season has led e-commerce sites to skimp on security, said a security analyst.

According to Gary Lynch, a partner at Ernst & Young, regulatory and legal pressures -- not the immediate economic consequences of a breach -- are driving security purchases and implementations.

Jeremy Barbera, chairman and chief executive at Marketing Services Group, a direct marketing and Internet services firm that includes six Internet-related business units, agreed. Without prodding, he said his companies would tend to relegate security to the back burner.

"They just want the e-commerce flow to be up in time for Christmas," Barbera said. "We have six Internet companies and they all think this way."

Lynch and Barbera made their comments at a roundtable on the Internet and electronic commerce sponsored by the New York University Leonard N. Stern School of Business. The concerns were echoed by other participants, including auditors, Net start-ups and professors. The roundtable also addressed questions of accounting for Net companies, a concern of the Financial Accounting Standards Board.

A laissez-faire attitude toward security can be expensive. Lynch said the average online theft totals $250,000 (£154,827,) and only 2 percent of the cases are ever successfully prosecuted. By contrast, he said, the average bank robber walks away with only $19,000, and fully 82 percent of bank robbers are caught and convicted.

While business-to-business sites open up more of a company's operations to crooks -- Lynch cited one instance in which the amount of a transaction was fraudulently altered, online, to the tune of $27 million -- he suspects business-to-consumer sites may actually be more secure, thanks to legal and regulatory pressure.

Just how difficult is it to convict an online suspect? Lynch cited one case in which the time stamp on a computer record was an important piece of evidence. The judge wanted to know how the computer clock stamping the records had been secured, a question that flummoxed the prosecution.

"The electronic evidence doesn't have much weight if the whole system isn't secure," Lynch said.

Arun Sundararajan, an associate professor at NYU Stern, said e-commerce companies are often forced to take security seriously once they try to integrate their systems with those of other larger technology players.

The situation isn't likely to improve dramatically any time soon. Only five universities provide programs in information security that are tailored to the needs of e-commerce sites, Lynch said.

Experience isn't fail-safe either. Lynch said an unnamed online authenticator and verifier of transactions, used by many e-commerce sites to protect against fraud, recently experienced a seven-hour outage.

The security market is very fragmented, with more than 3,000 vendors participating. Lynch estimated fewer than 5 percent of these vendors bring in $25 million or more in revenue.

The products can be very expensive. Lynch said the cost of deploying software can run two to four times the cost of buying the software in the first place. Supporting the software can cost 15 times the initial purchase. What is worse is scrapping it once it's been implemented: Count on 25 times the purchase price to take care of cleanup.

One popular angle is a security "seal" showing that a reputable firm has found the site safe and reliable. Those seals, while providing some comfort to consumers, typically do not absolve the e-commerce companies of legal responsibility if something goes wrong.

Although broadcasters have long bartered advertising time and space, financial experts at the roundtable were eager for the FASB to come up with guidance on the topic for Net companies. Paul Brown, chairman of NYU Stern's accounting department, urged accountants to pressure their clients to disclose barter transactions. "Somewhere along the line we can't afford to wait" for the Securities and Exchange Commission or accounting regulators to decide the issue, he said.

The amount of revenue at Net companies attributed to barter varies widely, from 3 percent at InfoSpace to 36 percent at StarMedia, according to a recent Bear, Stearns & Co. report. The problem is exacerbated by the package deals Net companies sometimes strike, often signing over traffic, print, broadcast and online advertising in one swoop.

Accounting regulators hope to settle the issue in January 2000.

See also: the e-commerce special.

What do you think? Tell the Mailroom. And read what others have said.