India Tops Global e-Com Breaches: KPMG
- Vijay Lakshmi

- Apr 6, 2001

Indian companies have achieved the dubious distinction of the highest number of e-commerce security breaches in the world, according to a global study by KPMG.
"As e-commerce revolutionises business, it also revolutionises business fraud," says the survey, which found that 23 per cent of Indian firms had experienced security breaches, with Britain coming joint second with Germany at 14 percent in the year 2000.
However, what is more disturbing is the strong possibility that these figures are understated due to the high volume of breaches which go unreported by companies more worried about their reputation, says the 2001 global e.fr@ud survey. The survey was conducted in 1,253 public and private companies in 12 countries -- Australia, Belgium, Canada, Denmark, Germany, Hong Kong, India, Italy, South Africa, Switzerland, the United Kingdom and the United States -- by KPMG Forensic Accounting, a European fraud team including ex-police officers, forensic accountants, forensic technology specialists including data mining consultants and fraud risk management specialists. Of the 1,253 respondents, 33 were Indian.
The respondents cite hackers as being one of the greatest threats to their e-commerce systems, along with poor implementation of security policies and lack of employee awareness. KPMG says, however, that unhappy present or former employees are far more likely to attack a firm’s systems.
The threats could be to the security of their online systems, the system availability (risk of denial of service attacks), confidentiality of customer and company information and maintenance of the integrity of this data. Seventy-two percent of Indian respondents rate the threat of a security breach over their internal systems as high.
According to the respondents, security of credit card numbers and personal information are by far the most important concerns to their customers. Yet, over 65 percent of firms admitted that they do not run security audits on their e-commerce systems. Only 50 per cent have incident response procedures in place in case a breach occurs, and 83 percent of firms that had experienced a security breach had not even taken legal action.
Seventy-two per cent of companies say they are reluctant to report security breaches for fear of damaging their reputation, preferring to sweep them under the carpet and deal with them as an internal matter away from public scrutiny.
Also, 38 per cent fail to perform background checks on the entities that assist them with the development, maintenance and/or administration of their e-commerce systems. Almost 70 per cent of Indian firms conduct background checks on e-commerce systems suppliers.
The survey results indicate executives can be misinformed about the actual vulnerabilities of their network systems because of poorly trained and/or poorly qualified system administrators, poor reporting procedures for security breaches, or dishonest employees.
Confirming the report, KPMG senior manager Mr Anil Roy said that Indian companies are in a "honeymoon phase", just excited about what IT can do for them rather than about what the downsides are.
"Most companies are not familiar nor appreciate security in IT environment and thus there are a lot of break-ins," Mr Roy said.
However, though quantitatively India might be on the higher side, qualitatively in monetary terms, it's not as bad as in the West, he said. "But, again it's difficult to quantify the loss because of efrauds and computer break-ins," he added.
Agrees Mr Arjun Mukherjee, Seranova's chief tech architect. "The high number of breaches are because of dearth of high-end network consultants and experts in the MIS of companies. There is no established policy as to transfer of digital information from and to the company. There is a lack of fear and a nonchalant attitude until brutally hacked. Companies do not have established and dynamic security policy," Mr Mukherjee said.
The situation is, however, improving. KPMG's Information Risk Management (IRM) Practice is advising on, planning, implementing and reviewing security-related projects for hundreds of clients, says Sanjay Dhawan, head of the IRM.
"More and more companies are realising the importance of securing information assets, though how it needs to be addressed is still a peculiar issue for clients," Mr Dhawan added.
"The solution lies in a combination of awareness and policy measures. There needs to be a tight control mechanism with regard to access to information within the organisation. Moreover, it might be very easy theoretically to say companies need to report security breaches without the fear of reputation being spoilt, yet the least they ought to do is have security audits," Mr Mukherjee added.
