Internal sources are biggest e-fraud threats, says KPMG survey

Executives from some of the world’s largest companies may be unaware of where the real vulnerabilities lie in their network systems, reveals a global e-fraud survey released recently by KPMG, the global network of professional service firms. Seventy-nine percent of CEOs, CIOs and other senior management from public and private companies in 12 countries said they believed that a breach in their e-commerce system would most likely be perpetrated through the Internet or other external access, according to the 2001 Global e.fr@ud.survey. It is well documented, however, that the greatest risk is from internal perpetrators. If senior management understood this fact, says KPMG, they might handle their security issues very differently.

Survey participants identified hackers, poor implementation of security policies, and lack of employee awareness as the greatest areas of threat to their e-commerce systems. However, it is more likely that internal sources, such as disgruntled or former employees or external service providers who have an established relationship with the company, may commit the breach, or may supply the information necessary to do so to someone else.

The survey also found that companies are failing to put in place policies that could prevent and help prosecute e-commerce fraud. “The first thing most companies do when there is a security breach is fix it right away so they can get their e-system back up for business,” said Norman Inkster, president of KPMG Investigation & Security Inc. in Canada and chair of KPMG’s International Forensic Accounting Committee. “But they don’t realize they are destroying evidence and making it almost impossible to recover assets or pursue legal action. It’s like cleaning a crime scene before dusting for fingerprints.”

According to the survey:

  • 86% of respondents consider themselves somewhat to very knowledgeable about e-commerce.
  • Only 22% of companies have computer forensic response guidelines.
  • Only 62% perform background checks on the entities that assist them with the development, maintenance, and/or administration of their e-commerce system.
  • 9% have had a security breach in the last 12 months. Of those, an astonishing 83% said legal action was not pursued.
  • 72% said their greatest concern was the risk of damage that may be caused to their company’s reputation as a result of a security breach.
  • Respondents said that security of credit card numbers and personal information were by far the most important concerns to their customers.

To prevent and detect e-fraud, KPMG recommends that companies implement a comprehensive security program, often referred to as the “onion” model because of its many layers. The model includes the use of encryption, firewalls, intrusion detection systems, monitoring, external audits, and incident response procedures including computer forensic response guidelines.

Results of KPMG’s 2001 Global e.fr@ud.survey are based on 1,253 responses from the largest public and private companies in Australia, Belgium, Canada, Denmark, Germany, Hong Kong, India, Italy, South Africa, Switzerland, the United Kingdom, and the United States. The survey results were similar among companies throughout the world, in both developed and developing countries, indicating that national and geographic boundaries matter little when it comes to fraud in the global electronic marketplace.

Based on a report from KPMG
