Executives from some of the world's largest companies may be unaware or misinformed about where the real vulnerabilities lie in their network systems, according to a global e-fraud survey released by KPMG.

Seventy-nine percent of CEOs, CIOs and other senior management from public and private companies in 12 countries said they believed that a breach in their e-commerce system would most likely be perpetrated through the internet or other external access, according to the firm's "2001 Global e.fr@ud.survey". KPMG says it is well documented, however, that the greatest risk is from internal perpetrators.

"Most security breaches are committed by individuals who possess intimate knowledge of the systems they are attacking," said Norman Inkster, president of KPMG Investigation & Security Inc. in Canada and chair of KPMG's International Forensic Accounting Committee. "If senior management understood that, they might handle their security issues very differently."

Survey participants identified hackers, poor implementation of security policies and lack of employee awareness as the greatest areas of threat to their e-commerce systems. However, it is more likely that internal sources, such as disgruntled or former employees or external service providers who have an established relationship with the company, may commit the breach, or may supply the information necessary to do so to someone else.

The survey also found that companies are failing to put in place policies that could prevent and help prosecute e-commerce fraud. Fewer than 35% of executives surveyed said that security audits are performed on their e-commerce systems, and only half have incident response procedures in place for when they do discover a breach.

"The first thing most companies do when there is a security breach is fix it right away so they can get their e-system back up for business," said Inkster. "But they don't realise they are destroying evidence and making it almost impossible to recover assets or pursue legal action. It's like cleaning a crime scene before dusting for fingerprints."

According to the survey:

- 86% of respondents consider themselves somewhat to very knowledgeable about e-commerce
- Only 22% of companies have computer forensic response guidelines
- Only 62% perform background checks on the entities that assist them with the development, maintenance and/or administration of their e-commerce system
- 9% have had a security breach in the last 12 months. Of those, 83% said legal action was not pursued
- 72% said their greatest concern was the risk of damage that may be caused to their company's reputation as a result of a security breach

Respondents said that the security of credit card numbers and personal information was by far the most important concern to their customers.

To prevent and detect e-fraud, KPMG recommends that companies implement a comprehensive security program often referred to as the "onion" model, because of its many layers. The model includes the use of encryption, firewalls, intrusion detection systems, incident response procedures (including computer forensic response guidelines), monitoring and external audits.

The survey was based on 1,253 responses from the largest public and private companies in Australia, Belgium, Canada, Denmark, Germany, Hong Kong, India, Italy, South Africa, Switzerland, the United Kingdom and the United States.