Business security risks from e-commerce on the rise


Wednesday, 11 June, 2014



The exponential growth in mobile e-commerce will leave Australian businesses critically exposed to the soaring risk of data breaches unless they dramatically ramp up their focus on IT security, says consulting firm Protiviti.

“In 2013 alone, almost 300 billion mobile transactions worth more than $930 billion were processed. By 2015, the number of mobile apps developed for smartphones and tablets will outstrip PC-based software four times over, pushing transaction volumes to even greater heights,” said Chris Grant, managing director at Protiviti. “And by 2016 more than half of the world’s top 1000 companies will be storing sensitive customer data in the cloud.

“The rapid shift from desktop to mobile internet services and from traditional data centres to the public cloud will open up a whole new world of security vulnerabilities for businesses that are unprepared for the risks.”

The recent data breach suffered by eBay, resulting in the theft of personal information of 145 million customers, is a timely reminder that cybercriminals are becoming increasingly sophisticated and are able to deploy highly effective and destructive hacking tools to compromise even the largest corporations.

Poor record

According to Grant, Australian businesses unfortunately have a poor record in resisting cyberattacks.

In 2013, data breaches at Australian companies involved the highest average number of compromised records of any country surveyed (34,249). Australia also ranked second, after Germany, among the countries most likely to experience a data breach caused by a malicious or criminal attack, which is the most costly breach category for companies (Ponemon Institute, 2013 Cost of Data Breach Study).

“Despite these threats, many businesses remain dangerously complacent about their exposures and continue to seriously under-invest in IT security,” Grant said. “Australian companies typically allocate only 1-2% of their IT budget to security, even though benchmarking from reputable organisations like Gartner recommends a minimum spend of at least 2-7%, depending on factors such as regulatory requirements and individual risk factors.”

He also observed that while companies had several data breach strategies at their disposal, the critical first step was to understand their customers’ behaviour.

“Companies first need to know how consumers behave when it comes to online security and adopt systems that help protect their customers from themselves. It’s well known that consumers tend to let their guard down particularly on social media by readily accepting contact offerings, sharing files or clicking on links from people they don’t personally know - even though these behaviours greatly increase their chances of malware infections, identity theft and the like,” Grant said.

Multilayered defence

Grant commented that to effectively combat complex and high-stakes e-commerce risks, companies were advised to adopt a multilayered ‘defence in depth’ strategy.

“A defence in depth approach involves a coordinated use of multiple IT security measures to protect the organisation’s information assets. Because the source of a cyberattack can be unpredictable, you need to be set up so if one security measure is infiltrated there are fallbacks that can continue to hold the fort,” Grant explained.

“And to be effective, those integrated measures must protect the business on all essential fronts. These include having robust server and application security which should include a clear policy for when it’s appropriate to use the cloud. Also critical are message confidentiality and integrity measures so that communications between transacting parties are private and not able to be tampered with, and authentication and authorisation protocols so that parties are properly identified and authorised to make the relevant transactions.

“Sound audit controls should also be implemented so that breaches or other unauthorised activities can be quickly detected. And lastly, payment processing and settlements need to be secure and compliant with the Payment Card Industry Security Standards which protect against credit card fraud.

“The explosion in mobile e-commerce presents both opportunities and threats for Australian businesses. The companies that succeed will be those that invest adequately in IT security and have a robust, multidimensional security strategy to deter the hackers at the gate,” Grant added.
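The "message integrity" and "authentication and authorisation" fronts Grant lists above are easy to name and easy to get wrong. The following is an added example, not code from the article or from Protiviti: a minimal HMAC-SHA256 scheme, using only the Python standard library, that a mobile app backend could use to authenticate a transaction request to a payment service and detect tampering or replay. The merchant identifier, the shared key, the replay window and the message fields are assumptions chosen for illustration; confidentiality of the message in transit is assumed to come from TLS, which this example does not cover.

```python
"""Added example (not from the article or Protiviti): authenticated,
replay-resistant transaction messages with HMAC-SHA256.

Assumptions (constructed for illustration): one merchant, one shared key,
a 5-minute freshness window and an in-memory nonce cache.
"""
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical shared secret between the app backend and the payment
# service.  In production it is provisioned per merchant and held in a
# secrets manager, never in source.
MERCHANT_KEYS = {
    "merchant-001": b"constructed-demo-key-do-not-reuse",
}

# A message older or newer than this (in seconds) is rejected as stale.
REPLAY_WINDOW_SECONDS = 300

# Nonces already accepted; a second message with the same nonce is a replay.
_seen_nonces = set()


def canonical(payload: dict) -> bytes:
    """Deterministic serialisation so sender and receiver MAC identical bytes.

    Sorted keys and no whitespace: any re-ordering or reformatting by a
    proxy would otherwise break verification.
    """
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_transaction(merchant_id, key, amount_cents, currency, order_id, now=None):
    """Build a transaction request and attach its MAC.

    The timestamp and a random nonce are part of the MACed payload, so an
    attacker cannot move a valid request into a new time window or strip
    the nonce without invalidating the tag.
    """
    payload = {
        "merchant_id": merchant_id,
        "amount_cents": amount_cents,
        "currency": currency,
        "order_id": order_id,
        "timestamp": int(time.time() if now is None else now),
        "nonce": secrets.token_hex(16),
    }
    tag = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": tag}


def verify_transaction(message, now=None, seen=None):
    """Return (ok, reason).  Checks are ordered so the cheapest, least
    revealing failure comes first and the nonce is only recorded once
    the MAC has been accepted."""
    seen = _seen_nonces if seen is None else seen
    payload = message.get("payload", {})
    key = MERCHANT_KEYS.get(payload.get("merchant_id"))
    if key is None:
        return False, "unknown merchant"
    expected = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    # Constant-time comparison: a plain == leaks how many leading bytes match.
    if not hmac.compare_digest(expected, str(message.get("mac", ""))):
        return False, "bad mac"
    now = time.time() if now is None else now
    if abs(now - payload["timestamp"]) > REPLAY_WINDOW_SECONDS:
        return False, "stale"
    if payload["nonce"] in seen:
        return False, "replay"
    seen.add(payload["nonce"])
    return True, "ok"


if __name__ == "__main__":
    key = MERCHANT_KEYS["merchant-001"]
    msg = sign_transaction("merchant-001", key, 1999, "AUD", "ORD-1")
    print("genuine:", verify_transaction(msg))
    # Attacker changes the amount but cannot recompute the MAC.
    forged = {"payload": dict(msg["payload"], amount_cents=1), "mac": msg["mac"]}
    print("tampered:", verify_transaction(forged))
    # Resending the original request is caught by the nonce cache.
    print("replayed:", verify_transaction(msg))
```

The MAC covers the whole canonical payload, so a changed amount, order or merchant identifier fails verification, and the timestamp plus nonce stop an intercepted request being resubmitted later. An audit record of each rejection reason (unknown merchant, bad MAC, stale, replay) is the kind of input the "sound audit controls" Grant mentions would consume.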

Image courtesy Tomas Sienicki under CC.



All content Copyright © 2024 Westwick-Farrow Pty Ltd