Business Seen Overconfident of E-Commerce Security

Four of five large companies are comfortable with their Internet security, a survey finds, though half of them have adopted no e-commerce security policy.

Information Systems Audit and Control Foundation of Rolling Meadows, Ill., which commissioned the survey from the Deloitte & Touche accounting firm, reported that 81% of the 250 respondents said they are satisfied with their security practices. Only about half, however, had policies on e-commerce security, the firm said, and lack of such policies correlated with inadequate security measures.

"The providers of electronic commerce services are pretty comfortable with what they have," said Steven Ross, a director in the enterprise risk services practice at New York-based Deloitte & Touche.

Most of the companies said they have installed Secure Sockets Layer (SSL) encryption to protect Web transactions, with firewalls as a further safeguard, Mr. Ross said.

"But so much more could be done," he said. SSL and firewalls were developed four to six years ago, and though they are "good enough, now is the time to expand," he added.

The advance of digital certificates and public key infrastructure, or PKI, could help. Digital certificates are being used "overwhelmingly" for identity verification, Mr. Ross said. Coming soon are "permission-based certificates" that would support other security functions, such as authorization, he said.

At the moment, PKI is "unwieldy, too complicated, expensive, and difficult to maintain," Mr. Ross said. He said he expects vendors to develop user-friendlier PKI technology. "As the product becomes simpler to use, it will become as commonplace as telephone numbers, and you won't even know it's there," he said.

"Banks, brokerage firms, and the military are moving ahead in … security," Mr. Ross said. "With rapid changes in the Internet, people are developing applications with the expectation that the necessary infrastructure will be there when they get there."

Recent security breakdowns, including those at the CDUniverse Web site and the Internet bank X.com, "were certainly foreseeable," Mr. Ross said. "What was breached was not the Internet but databases on the other end."

He said Web security lapses at banks, brokerages, and insurance companies "are few and far between. No bank would leave its demand deposit accounts unprotected. But some start-ups don't pay attention to these things and leave themselves exposed."

Paul Williams, the London-based international president of Information Systems Audit and Control, pointed to security failures in the United Kingdom in which Web customers were able to view other customers' bank account information, and to breaches at on-line stock trading companies in Britain that led to fraudulent trades.

"Incidents such as these all help to undermine public confidence both in the actual institutions affected and in electronic and on-line business generally," Mr. Williams said.

There was a consensus across industries in the survey group that Web commerce is low-risk. Financial services organizations, more than those in other industries, said they were concerned about unauthorized disclosure of customer or corporate information rather than about unauthorized alteration of that information.
