E-commerce causes security woes

The spread of e-commerce applications within corporations is increasing the risks of losing revenue or vital information to attackers, a new study of IT professionals indicates.

In a survey of nearly 1,600 IT executives from 50 nations, 73 percent reported some security breach or corporate espionage in the past 12 months, according to a survey by PricewaterhouseCoopers and InformationWeek.

But firms conducting business through their Web site or implementing electronic supply chains or Enterprise Resource Planning (ERP) applications are more likely experience a security breach that affects revenues and corporate data.

"You can control informational Web sites much easier than you can real live transactions," said Bruce Murphy, a partner at PricewaterhouseCoopers. "[For e-commerce sites,] you have to authenticate people, [and] real money is flowing with linkages to core technology environments supporting the business. Whole sales and marketing databases may be linked to transactions."

Not only is the data more sensitive, but also linking to back-end databases is more complex, potentially creating more entry points for attackers.

Of companies selling products or services on their Web sites, 59 percent reported at least one security breach in the past year. That compares to 52 percent of companies that have Web sites but aren't using them for monetary transactions.

Survey respondents included 322 firms that conduct e-commerce from their Web sites and 1,118 that had Web sites but didn't sell from them, said Rusty Weston, managing editor of research for InformationWeek magazine, which jointly commissioned the survey with PricewaterhouseCoopers. Most responding companies have more than 100 employees.

For e-commerce sites, 22 percent reported loss of information, 12 percent experienced theft of data or trade secrets, and 7 percent lost revenues. For sites that didn't sell anything, the figures are 13 percent, 4 percent, and 1 percent, respectively.

The biggest threats remain internal, the survey found. Respondents said authorized employees were believed responsible 58 percent of the time, unauthorized employees 24 percent, and former employees 13 percent. Hackers or terrorists comprised another 13 percent, while competitors accounted for 3 percent.

Although 56 percent of those surveyed said information security was a high priority, only 19 percent have a complete security policy. Just less than half (49 percent) admitted they don't know whether weak security caused them a monetary loss.

"The level of effort that people are expending on security continues to be underwhelming," Murphy said. "People still think it's going to happen to somebody else, not to them. What we found is that people aren't adequately up to the challenge. Across the board, they are not consistently taking measures that they need to."

Often business pressures to get a transactional Web site running overshadow security issues.

"People will spend more to chase revenue than to protect revenue," he said. "Security is frequently a casualty of that."

The survey was conducted in June and July by British research firm Kadence UK, which asked survey questions from PricewaterhouseCoopers and InformationWeek five languages. The survey's margin of error is between 3.8 and 8 percent.