[ISN] E-Commerce Causes Security Woes

From: mea culpa <jericho_at_dimensional.com>
Date: Tue 01 Sep 1998 - 20:32:45 CDT
Forwarded From: phreak moi <hackerelite@deathsdoor.com>

http://www.news.com/News/Item/0,4,25906,00.html?st.ne.fd.gif.j

E-commerce causes security woes
By Tim Clark
Staff Writer, CNET News.com
September 1, 1998, 4:00 a.m. PT

The spread of e-commerce applications within corporations is increasing
the risks of losing revenue or vital information to attackers, a new study
of IT professionals indicates. 

Of nearly 1,600 IT executives from 50 nations, 73 percent reported some
security breach or corporate espionage in the past 12 months, according
to a survey by PricewaterhouseCoopers and InformationWeek.

But firms conducting business through their Web site or implementing
electronic supply chains or Enterprise Resource Planning (ERP)
applications are more likely to experience a security breach that affects
revenues and corporate data. 

"You can control informational Web sites much easier than you can real
live transactions," said Bruce Murphy, a partner at
PricewaterhouseCoopers. "[For e-commerce sites,] you have to authenticate
people, [and] real money is flowing with linkages to core technology
environments supporting the business. Whole sales and marketing databases
may be linked to transactions." 

Not only is the data more sensitive, but also linking to back-end
databases is more complex, potentially creating more entry points for
attackers. 

Of companies selling products or services on their Web sites, 59 percent
reported at least one security breach in the past year. That compares to
52 percent of companies that have Web sites but aren't using them for
monetary transactions. 

Survey respondents included 322 firms that conduct e-commerce from their
Web sites and 1,118 that had Web sites but didn't sell from them, said
Rusty Weston, managing editor of research for InformationWeek magazine,
which jointly commissioned the survey with PricewaterhouseCoopers. Most
responding companies have more than 100 employees. 

For e-commerce sites, 22 percent reported loss of information, 12 percent
experienced theft of data or trade secrets, and 7 percent lost revenues.
For sites that didn't sell anything, the figures are 13 percent, 4
percent, and 1 percent, respectively. 

The biggest threats remain internal, the survey found. Respondents said
authorized employees were believed responsible 58 percent of the time,
unauthorized employees 24 percent, and former employees 13 percent.
Hackers or terrorists comprised another 13 percent, while competitors
accounted for 3 percent. 

Although 56 percent of those surveyed said information security was a high
priority, only 19 percent have a complete security policy. Just less than
half (49 percent) admitted they don't know whether weak security caused
them a monetary loss. 

"The level of effort that people are expending on security continues to be
underwhelming," Murphy said. "People still think it's going to happen to
somebody else, not to them. What we found is that people aren't adequately
up to the challenge. Across the board, they are not consistently taking
measures that they need to." 

Often business pressures to get a transactional Web site running
overshadow security issues. 

"People will spend more to chase revenue than to protect revenue," he
said. "Security is frequently a casualty of that." 

The survey was conducted in June and July by British research firm Kadence
UK, which asked survey questions from PricewaterhouseCoopers and
InformationWeek in five languages. The survey's margin of error is between
3.8 and 8 percent. 

-o-
Subscribe: mail majordomo@sekurity.org with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
Received on Tue Sep 1 22:28:24 1998