Seventy-nine percent of CEOs, CIOs and other senior managers from public and private companies in 12 countries said they believed that a breach of their e-commerce system would most likely be perpetrated through the internet or other external access, according to KPMG's "2001 Global e.fr@ud.survey". KPMG says it is well documented, however, that the greatest risk comes from internal perpetrators.
"Most security breaches are committed by individuals who possess intimate knowledge of the systems they are attacking," said Norman Inkster, president of KPMG Investigation & Security Inc. in Canada and chair of KPMG's International Forensic Accounting Committee. "If senior management understood that, they might handle their security issues very differently."
Survey participants identified hackers, poor implementation of security policies and lack of employee awareness as the greatest threats to their e-commerce systems. However, it is more likely that internal sources, such as disgruntled or former employees, or external service providers with an established relationship with the company, will commit the breach themselves or supply someone else with the knowledge needed to do so.
The survey also found that companies are failing to put in place policies that could prevent and help prosecute e-commerce fraud. Fewer than 35% of executives surveyed said that security audits are performed on their e-commerce systems, and only half have incident response procedures in place for when they do discover a breach.
"The first thing most companies do when there is a security breach is fix it right away so they can get their e-system back up for business," said Inkster. "But they don't realise they are destroying evidence and making it almost impossible to recover assets or pursue legal action. It's like cleaning a crime scene before dusting for fingerprints."
According to the survey:
Respondents said that security of credit card numbers and personal information were by far the most important concerns to their customers.
To prevent and detect e-fraud, KPMG recommends that companies implement a comprehensive, layered security program, often referred to as the "onion" model because of its many layers. The model includes encryption, firewalls, intrusion detection systems, incident response procedures (including computer forensic response guidelines), monitoring and external audits.
The survey was based on 1,253 responses from the largest public and private companies in Australia, Belgium, Canada, Denmark, Germany, Hong Kong, India, Italy, South Africa, Switzerland, the United Kingdom and the United States.