Your services can now be accessed by customers around the world. But make sure you stay one step ahead of the cybercriminals. By Isabel Choat
Before you rush headlong into e-commerce it is worth knowing about the downside to this brave new world. A new report by the International Chamber of Commerce, Cybercrime Risk & Response Executive Review, warns, “In the race to embrace e-commerce most companies fail to recognise that this is a new medium, the risks of which are not fully understood.”
To date most media reports of cybercrime have focused on teenage whizz kids who have hacked into large corporations, or major viruses, such as Melissa. Vulnerability detection software, such as Internet Scanner by US firm ISS, allows companies to test how well their systems cope with such threats, and organisations should consider incorporating this type of package into their systems.
Credit card checks
But the real threat to businesses embarking on e-commerce projects is the age-old problem of fraud. Surveys show that computer fraud is on the increase. One of the largest software companies in the world reported recently that it receives an average of 20,000 attacks every day.
“Most attacks are not technically sophisticated and it is clear that they occur largely because basic controls are absent,” states the report by the ICC, which this month launched a special unit to identify and combat cybercrime.
The Internet is a haven for credit card fraudsters and one basic control businesses should put in place is a credit card validity programme that will check and verify credit cards in real time.
There are numerous opportunities for credit card details to be stolen, during an on-line transaction for example. “You don’t have to be a genius hacker to get hold of credit card details during a transaction, you just have to know how to sit and watch the traffic,” says Phil Ryan, a consultant at Internet security firm Peapod UK.
A better target for organised criminals is a database of credit card details. This is a trickier but more fruitful crime. While the theft of credit card details will not have a direct impact on the e-tailer, Ryan nevertheless believes businesses have a moral obligation to protect their customers from theft, and recommends that all web sites use Secure Sockets Layer to ensure credit card details are encrypted in transit.
“Most Web browsers and servers have this facility built into them, it is just a matter of knowing how to use it. We also advise companies to only keep credit card details for a short time to minimise the risks of fraud,” says Ryan.
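The two basic controls described above, a real-time validity check on the card number at order time and keeping the full number only for a short period, can be illustrated with a small Python example. This is an added example, not code from the article or from any firm it quotes: the Luhn mod-10 check is the standard syntactic test of a card number, the seven-day retention window is an assumed policy, and the card number used is the well-known Visa test value, not a real card. A Luhn pass says only that the number is well formed; whether the card is genuine and has funds still needs an authorisation request to the issuer.

```python
from datetime import datetime, timedelta

# Assumed retention policy for this example: the full card number is kept for
# at most seven days, after which only a masked form remains on record.
RETENTION = timedelta(days=7)


def luhn_valid(number: str) -> bool:
    """Return True if the digits of `number` pass the Luhn mod-10 check.

    This is a syntactic check only: it catches mistyped and random digit
    strings, not a stolen but well-formed card number, which needs an
    authorisation request to the issuer.
    """
    digits = [int(c) for c in number if c.isdigit()]
    if not 12 <= len(digits) <= 19:
        return False
    total = 0
    # Walk from the right; double every second digit, subtracting 9 if it exceeds 9.
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(number: str) -> str:
    """Keep only the last four digits, enough to identify the card to the customer."""
    digits = "".join(c for c in number if c.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


def accept_card(number: str, now: datetime) -> dict:
    """Check at order time; reject a malformed number before any charge attempt."""
    if not luhn_valid(number):
        raise ValueError("card number fails validity check")
    return {
        "pan": "".join(c for c in number if c.isdigit()),
        "pan_masked": mask_pan(number),
        "stored_at": now,
    }


def purge_expired(records: list, now: datetime) -> list:
    """Drop the full PAN from every record older than the retention window."""
    purged = []
    for rec in records:
        if "pan" in rec and now - rec["stored_at"] > RETENTION:
            rec = {k: v for k, v in rec.items() if k != "pan"}
        purged.append(rec)
    return purged


def demo() -> tuple:
    """Constructed walk-through: store a card, then purge after one day and after eight."""
    t0 = datetime(2000, 3, 1, 12, 0)
    rec = accept_card("4111 1111 1111 1111", t0)  # Visa test number, not a real card
    before = purge_expired([rec], t0 + timedelta(days=1))
    after = purge_expired([rec], t0 + timedelta(days=8))
    return "pan" in before[0], "pan" in after[0], after[0]["pan_masked"]


if __name__ == "__main__":
    print(demo())
```

Running the purge on a schedule means a stolen copy of the order database exposes only masked numbers for anything older than the window, which is the point of Ryan's advice to keep details for a short time.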
Another common problem for on-line businesses is Web tampering – something the Labour Party fell victim to in the run up to the general election when an image of Tony Blair’s face was replaced with his Spitting Image puppet. While this type of activity is usually mischievous rather than criminal, it does nothing for an organisation’s reputation.
Web “spoofing”, on the other hand, can be more damaging. It is relatively easy to set up a fake web site using an existing corporate logo, diverting business away from the legitimate site. Again this will be detected quickly, but probably not before consumers have started placing orders with the spoof site.
Some risks can be minimised with the use of intrusion detection software, designed to prevent outside parties from entering the system and making harmful changes to your web site or system.
“Intrusion detection software watches traffic coming into the web site and alerts the system administrator when it detects suspicious activity. It is the same principle as high street stores hiring security staff but, unlike people, the software is vigilant 24 hours a day, and cannot be bribed,” says Ryan.
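To make the principle Ryan describes concrete, here is an added Python example (not the article's or any vendor's code) of the simplest form of intrusion detection: reading web server log lines and raising an alert when a rule matches. The log lines are constructed in Apache common log format using documentation address ranges; the two rules, a burst of not-found responses from one client and an administration page reached from outside an assumed office address range (10.x), are assumptions chosen for illustration, and a real product would carry many more signatures and would look at the traffic itself rather than the log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in Apache common log format (documentation
# address ranges, not real clients).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2000:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 1043
203.0.113.7 - - [10/Mar/2000:10:00:02 +0000] "GET /basket.cgi HTTP/1.0" 200 512
10.0.0.5 - - [10/Mar/2000:10:00:03 +0000] "GET /admin/orders HTTP/1.0" 200 2048
192.0.2.4 - - [10/Mar/2000:10:00:04 +0000] "GET /admin/orders HTTP/1.0" 200 2048
198.51.100.9 - - [10/Mar/2000:10:00:05 +0000] "GET /old.html HTTP/1.0" 404 210
198.51.100.9 - - [10/Mar/2000:10:00:05 +0000] "GET /test.html HTTP/1.0" 404 210
198.51.100.9 - - [10/Mar/2000:10:00:06 +0000] "GET /archive.html HTTP/1.0" 404 210
198.51.100.9 - - [10/Mar/2000:10:00:06 +0000] "GET /shop2.html HTTP/1.0" 404 210
198.51.100.9 - - [10/Mar/2000:10:00:07 +0000] "GET /orders.html HTTP/1.0" 404 210
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Parse one common-log-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect(log_text, window=timedelta(seconds=10), not_found_threshold=4,
           admin_prefix="/admin/", trusted_prefix="10."):
    """Return {client_ip: [reasons]} for every client whose traffic matches a rule.

    trusted_prefix is an assumed office address range; a production rule would
    use the ipaddress module and a proper list of networks.
    """
    alerts = defaultdict(list)
    not_found = defaultdict(list)  # ip -> timestamps of 404 responses
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Rule 1: administration pages reached from outside the trusted range.
        if rec["path"].startswith(admin_prefix) and not rec["ip"].startswith(trusted_prefix):
            reason = "admin path from untrusted address"
            if reason not in alerts[rec["ip"]]:
                alerts[rec["ip"]].append(reason)
        if rec["status"] == 404:
            not_found[rec["ip"]].append(rec["ts"])
    # Rule 2: many not-found responses in a short window from one client
    # suggests someone guessing at page names rather than browsing.
    for ip, times in not_found.items():
        times.sort()
        for i, start in enumerate(times):
            end = i + not_found_threshold - 1
            if end < len(times) and times[end] - start <= window:
                alerts[ip].append("not-found burst")
                break
    return dict(alerts)


if __name__ == "__main__":
    for ip, reasons in detect(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {', '.join(reasons)}")
```

The thresholds are the part that needs tuning in practice: set the not-found threshold too low and a broken link on the home page will page the administrator all night, which is the software equivalent of a guard who shouts at every customer.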
While attacks from outside can cause considerable damage to your business, any organisation that considers only external threats is in for a nasty shock. According to Peter Yapp, director of the forensic department at security firm Network International, employees pose a far greater risk than outside agents.
“In our experience, employees commit 70 per cent of all frauds and 80 per cent of all IT breaches, abuses and misuses are carried out internally,” Yapp says.
This is just as true of industrial espionage. Hacking into a system from outside to steal client databases or research is technically difficult and time consuming. Smuggling data out from inside on the other hand is relatively easy, and when millions of pounds worth of business is at stake, it is worth putting in place some measures to safeguard against such risks.
Surveillance tools, such as Session Wall, enable organisations to sniff out pre-defined messages. For example, a firm may tell the software to look out for e-mails going from the research department to particular company domain names. It can also spot inadvertent mistakes, which can be just as damaging.
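The rule described above, watch for mail from the research department to named outside domains, and the point about inadvertent mistakes, can both be expressed in a few lines of Python. This is an added example, not code from the article or from the Session Wall product it names: the message metadata is constructed, the corporate domain, watched department and watched recipient domains are assumed, and the "mistake" rule flags a recipient domain within two edits of the company's own domain, which catches the common case of a confidential document sent to a mistyped internal address.

```python
# Constructed sample of outbound mail metadata (headers only; no real addresses).
SAMPLE_MAIL = [
    {"from": "alice@research.example.com", "to": ["bob@research.example.com"], "subject": "weekly report"},
    {"from": "alice@research.example.com", "to": ["buyer@rival-corp.example"], "subject": "formula v2"},
    {"from": "carol@sales.example.com", "to": ["buyer@rival-corp.example"], "subject": "price list"},
    {"from": "dave@research.example.com", "to": ["eve@exmaple.com"], "subject": "lab notes"},
]

INTERNAL_DOMAIN = "example.com"                   # assumed corporate domain
WATCHED_DEPARTMENTS = {"research.example.com"}    # assumed sender sub-domains under watch
WATCHED_DOMAINS = {"rival-corp.example"}          # assumed recipient domains the policy names


def domain_of(addr):
    """Lower-cased domain part of an address."""
    return addr.rsplit("@", 1)[-1].lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot a near-miss of the company's own domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_internal(domain):
    return domain == INTERNAL_DOMAIN or domain.endswith("." + INTERNAL_DOMAIN)


def check_message(msg):
    """Return the list of policy reasons a message should be held for review."""
    reasons = []
    sender_domain = domain_of(msg["from"])
    for rcpt in msg["to"]:
        rd = domain_of(rcpt)
        # Rule 1: watched department writing to a watched outside domain.
        if sender_domain in WATCHED_DEPARTMENTS and rd in WATCHED_DOMAINS:
            reasons.append(f"research mail to watched domain {rd}")
        # Rule 2: an external domain that looks like a typo of our own.
        elif not is_internal(rd) and edit_distance(rd, INTERNAL_DOMAIN) <= 2:
            reasons.append(f"possible mistyped internal address {rcpt}")
    return reasons


def scan(messages):
    """Map message index -> reasons for every message that trips a rule."""
    flagged = {}
    for i, msg in enumerate(messages):
        reasons = check_message(msg)
        if reasons:
            flagged[i] = reasons
    return flagged


if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_MAIL).items():
        print(f"message {i} ({SAMPLE_MAIL[i]['subject']}): {'; '.join(reasons)}")
```

Holding rather than silently dropping the flagged mail matters: the typo case is an honest mistake the sender will want corrected, and the watched-domain case may have an innocent explanation that only a human reviewer can judge.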
But while the IT experts may be responsible for putting in place appropriate electronic security measures, it is up to human resources to ensure the right people are handling the work.
Chairman of risk mitigation firm Kroll Europe, Tommy Helsby, warns that it is not just your employees you should be selecting and monitoring carefully.
“You may have good pre-employment procedures, but then have all these consultants coming into the office who have no loyalty to your company, and who often work out of hours.
“HR has a role in ensuring these people are subject to as much scrutiny as employees, including background checks,” he says.
Legally, the most recent development is the Electronic Communications Bill, which comes into force later this year but is mainly concerned with electronic signatures as opposed to criminal activity. In March the Data Protection Act comes into force, bringing with it a host of new challenges for employers. In terms of e-commerce, companies need to ensure they are storing and protecting customer details without breaching the law.
The biggest problem facing potential e-businesses is the global nature of e-commerce. Crimes are not always committed within the jurisdiction of the target company, creating issues around whether a criminal can be prosecuted or not. But this may change. One of the aims of the ICC’s new cybercrime unit is to encourage law enforcement agencies to work more closely together and to harmonise legislation to combat this modern day menace.