InformationWeek.com

Welcome Guest. | Log In| Register | Membership Benefits

August 31, 1998

Acceptable Risks

In the digital economy, security breaches are inevitable. The InformationWeek/PricewaterhouseCoopers global security survey reveals how E-commerce is raising the stakes, and how far companies will go to ward off intruders

By Gregory Dalton

InformationWeek Research Security Survey icon

Print this story

rganizations rushing to build information systems for all forms of digital commerce are realizing there's no fail-safe way to secure the free flow of data or money. It's like trying to protect the telephone system from prank callers, or trying to block spammers from clogging your messaging system.

Except it's often far worse. Organizations engaged in Web commerce, electronic supply chains, and enterprise resource planning experience three times the incidents of information loss and theft of trade secrets than everybody else. Revenue loss, though not prevalent, is seven times more likely to strike Web commerce sites compared with noncommerce sites.

These are two of the key findings of the 1998 InformationWeek/PricewaterhouseCoopers Global Information Security Survey fielded this summer in 50 countries and completed by 1,600 IT and security professionals.

About The Survey

InformationWeek welcomes a new partner to its annual security survey, PricewaterhouseCoopers, the world's largest professional services firm. The 1998 Global Information Security Survey comprises 1,600 mail and fax interviews with IT and information security professionals in 50 nations. The primary source of respondents was InformationWeek's subscriber list. The five-language study was conducted in June and July by London-based Kadence U.K. Ltd. The questionnaire was developed by InformationWeek editors in the United States and Europe, and PricewaterhouseCoopers Technology Risk Consultants.
-Rusty Weston, managing editor of research.

A keen awareness of an organization's increased exposure to internal and external dangers isn't enough to plug the gaps. The digital commerce sites experiencing the most attacks, including banks and financial services companies, are the same disciplined IT shops that also create information security policies, spend lots of money on security products such as firewalls and encryption, and institute policy training for IT staff and end users.

All of which points to an obvious business trade-off, especially for IT managers who want to open their enterprise to outside partners. "An extranet is a risk," says Enno Becker, director of technology infrastructure at the Forum Corp., a training and consulting company in Boston whose extranet is linked to three corporate customers. "You're creating a tunnel into another environment that you don't control. But the business benefits are too great to be ignored."

Defining what's an acceptable risk varies greatly from industry to industry. In retail, a 3% loss from online credit-card fraud might be tolerable, but in the chemical industry the same fraud loss might be considered a disaster. Such expectations not only drive security policies and spending, but they also influence experience.

Overall, 59% of sites selling products or services on the Web report at least one or more security breaches in the past year, compared with 52% of sites that may have a Web site but aren't using it for monetary transactions.

Sites with supply-chain networks or ERP applications are struck about 10% more often than sites without such applications, possibly because they have competitive intelligence available to plunder.

Information loss has occurred at 22% of firms conducting Web sales, but only 13% of companies not selling products on the Web say they have had the same experience.

Significantly, 12% of E-commerce sites reported theft of data or trade secrets, three times the number of companies not selling products via the Web.