
In reaction to recent coverage of security issues, silicon.com and other media outlets have been accused of over-hyping the potential dangers. Even our Behind the Headlines guests said the problem has been overstated. In an edited Giga Critique, analyst Martha Bennett explains why she thinks that isn't the case...
Published: 11 October 2000 00:15 BST
Catalyst
Aug 18, 2000, "Behind the Headlines" discussion on silicon.com titled "Media Blamed for Over-Hyping Security" http://www.silicon.com/a39168
Question
Are the recent online security scares in the UK being over-hyped, or is there reason for concern?
Answer
Ecommerce in the UK could be suffering undue setbacks as the result of the media over-hyping online security scares - this appeared to be the consensus of the panellists at the 18 August 2000 Behind the Headlines discussion on silicon.com.
However, in Giga's view, statements such as "the incidence of occurrence is quite small - 90 per cent of organisations have their act together", and claims that it was actually more like 99.8 per cent of organisations that had adequately addressed online security, miss a crucial point. The fact remains that the recent security breaches attracting high-profile interest in the press not only involved some of the UK's best-known and most established companies, but were also frequently handled in a less than confidence-inspiring manner.
The following factors combine to justify customers' continued caution toward doing business online:
* Some of Britain's largest and most respected (and by implication, most trusted) organisations are ending up in the headlines. Not unreasonably, customers will have their doubts about companies with smaller IT budgets and less experience.
* In several instances, the errors that led to customer data (including addresses and credit card details) being exposed online appear to have been very basic ones: leaving the administrator functions of well-known scripts publicly accessible, for example, or storing unencrypted data in openly browsable directory structures. To the IT-literate, this suggests not only an insufficient level of expertise on the part of those programming sites, but also insufficient management control to ensure that problems are caught before a site goes live.
* Our own anecdotal evidence suggests that the incidence of online security issues is considerably higher than the 0.2 per cent to ten per cent hinted at by the panellists in silicon.com's discussion. For example, many users (this analyst included) have inadvertently circumvented site security through a series of random mouse clicks in their attempt to find something.
* Companies' reactions to these security scares have, in many instances, contributed to increased consumer suspicion about online security. Initial denials and aggression toward those reporting incidents not only provide ready fodder for sensationalist headlines, but they further reduce customer confidence in the company involved, as well as ecommerce in general.
There are times, however, when the press can justifiably be accused of not helping the ecommerce cause. In a recent instance, for example, a UK online bank was described as having been the victim of "hacking", when, in fact, online security as such had not been compromised.
Conclusion and Recommendations
The catalyst for this piece may have been UK-specific, but the wider issue is not. No doubt, online security scares are sometimes over-hyped, and many statements made in the heat of going to press (or online, or on the air) may later turn out to be untrue or inaccurate. But as long as we see repeated instances, such as customers being able to view other customers' accounts, or entire databases being exposed to the world, the issue of online security deserves to be aired publicly.
As far as the organisations doing business online are concerned, we have the following recommendations. None of these points is new, but until the intervals between online security incidents lengthen (especially for those incidents that do not even require an actual 'attack' on a site), we feel we have to keep emphasising them:
* Avoid the temptation of rushing an online project, be it a new website, or an updated site. Many of the incidents we have observed may well have been prevented if more time had been taken during software development and/or integration.
* Make sure the specification for the online application caters for the capture, storage and retrieval of personal data in a manner that minimises the risk of such data being accessed by unauthorised persons.
* In countries where data protection legislation exists, ensure that all laws are complied with. Bear in mind that a security breach can also lead to a lawsuit in such countries, since organisations will have to be able to prove that they have done their utmost to prevent personal data from falling into the wrong hands.
* Ensure the technical staff working on the project (whether internal or external) have the appropriate skills and credentials.
* Test, test, and test again. And make sure to include tests that represent a realistic maximum load of your system - some of the recent security issues only emerged when activity on the site reached a particular level.
* Have a clear communication (and damage limitation) strategy in place in the event that a security breach does occur. Be honest and open - experience has shown that companies that are pro-active in their communications are less at risk of damaging their reputation and brand than those that try to hide behind denials and evasive statements, let alone threats to the customer reporting the security loophole. Put the issue in perspective, but don't try to belittle it.
* Make sure that you designate staff to liaise with the media, and give them media training. Many organisations' IT managers are not used to having to face the press, with sometimes unfortunate consequences.
* Educate consumers by reassuring them about the security measures you have taken for your site (without, of course, giving away a level of detail that would make it easier to breach security), and by putting into perspective, where appropriate, stories that have truly been over-hyped, or reported wrongly, in the press.
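The article does not say how customers came to see other customers' accounts, nor which defects only surfaced once site activity reached a certain level. One defect class that behaves exactly that way, and that the "test under realistic maximum load" recommendation above is meant to catch, is per-request state kept on a shared object: it works flawlessly when requests arrive one at a time and leaks data as soon as two overlap. The following is an added illustration, not code from the article or from any of the companies it discusses; the account data, the `LeakyStatementService`, `SafeStatementService`, `run_interleaved`, `run_under_load` and `cross_account_leaks` names are all constructed for the example.

```python
import random
import threading
import time

# Constructed sample data: two customers of a hypothetical online bank.
ACCOUNTS = {
    "alice": {"balance": 120.50, "card": "**** **** **** 1111"},
    "bob": {"balance": 45.00, "card": "**** **** **** 2222"},
}


class LeakyStatementService:
    """Vulnerable pattern (constructed for illustration): the identity of the
    customer being served is stored on the shared service object instead of
    travelling with the request. One request at a time is fine; two overlapping
    requests overwrite each other's current_user, and a customer receives
    someone else's statement."""

    def __init__(self):
        self.current_user = None

    def statement(self, user, pause=None):
        self.current_user = user      # per-request state placed in shared state
        if pause is not None:
            pause()                   # stands in for a database round trip
        who = self.current_user       # may have been changed by another request
        return {"for": who, **ACCOUNTS[who]}


class SafeStatementService:
    """Fixed pattern: the requesting user stays with the request, so nothing
    another request does can change whose data is returned."""

    def statement(self, user, pause=None):
        if pause is not None:
            pause()
        return {"for": user, **ACCOUNTS[user]}


def cross_account_leaks(results):
    """The assertion a load test must make: every statement belongs to the
    customer who asked for it. Takes (requesting user, statement) pairs and
    returns the requesting users who received someone else's data."""
    return sorted(user for user, stmt in results if stmt["for"] != user)


def run_interleaved(service):
    """Reproduce the race deterministically: request A records its user and
    blocks as if waiting on I/O, request B runs to completion, then A resumes."""
    a_paused = threading.Event()
    b_finished = threading.Event()
    results = []

    def pause_until_b_done():
        a_paused.set()
        b_finished.wait()

    def request_a():
        results.append(("alice", service.statement("alice", pause_until_b_done)))

    def request_b():
        a_paused.wait()
        results.append(("bob", service.statement("bob")))
        b_finished.set()

    threads = [threading.Thread(target=request_a), threading.Thread(target=request_b)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def run_under_load(service, requests=200):
    """Closer to a real load test: many overlapping requests, each with a small
    random simulated I/O wait. Leaks from the leaky service appear only once
    enough requests overlap, which is why a single-user functional test passes."""
    results = []
    lock = threading.Lock()

    def worker(user):
        stmt = service.statement(user, lambda: time.sleep(random.uniform(0, 0.002)))
        with lock:
            results.append((user, stmt))

    users = ["alice", "bob"]
    threads = [threading.Thread(target=worker, args=(users[i % 2],)) for i in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


if __name__ == "__main__":
    print("leaky, forced interleaving:", cross_account_leaks(run_interleaved(LeakyStatementService())))
    print("fixed, forced interleaving:", cross_account_leaks(run_interleaved(SafeStatementService())))
    print("leaky, under load (count):", len(cross_account_leaks(run_under_load(LeakyStatementService()))))
    print("fixed, under load (count):", len(cross_account_leaks(run_under_load(SafeStatementService()))))
```

The forced interleaving is the form worth keeping in a regression suite, since it fails every time rather than only when the load generator happens to line requests up; the load variant is what reveals the bug in the first place, and its check is simply that no response is returned to a customer other than the one who requested it.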
by Martha Bennett, Giga Information Group
Copyright ©1995-2008 CNET Networks, Inc. All rights reserved.