With e-commerce taking a 17% share of the UK retail market and growing at 15% year on year, Teiss guest blogger David Gibbs from Knight Frank Investment ponders the threats this brings to business.
We have reached a new paradigm in the way we conduct our business by gaining leverage from the e-commerce world. Using e-commerce technology has many business and cost benefits over traditional methods of operation.
However, the more organisations embrace e-commerce, the more they are challenged with their security. The benefits we enjoy of convenience, low cost and high speed are now being exploited by organised crime. The cost to commit e-commerce fraud is low (log-in details for a gmail account can be bought for as little as $1 while you can use someone else’s Uber account for $2) and the payback can be massive. Organisations must take steps to protect their customers and preserve trust and integrity in the on-line market place. For many organisations, and indeed the general public, many of the threats are not fully understood and are communicated for most part by headlines in our National Press.
Given the growth in phishing,  distributed denial of service (DDOS) attacks,  money laundering, and aggressive virus attacks, information security has become one of the most important issues facing companies who need to protect their assets, brands, organisational stability, and integrity in an e-commerce enabled world.
These problems demand a greater understanding of the threats and vulnerabilities to which organisations are exposed in order to identify and address the “pressure points” particularly as the security boundaries in a Business to Business environment are increasingly difficult to determine.
Flaws, features and errors
The UK Government’s 2016 Information Security Breaches Survey , found that 65% of large companies had reported a security breach, and a quarter of these experienced one at least every month. These findings are supported by almost daily stories of large scale cyber incidents, such as the Gameover ZeuS botnet, the Tesco Bank frauds and the Sports Direct hack. As Robert Hannigan, Director of GCHQ says in his 2015 foreword to the republished 10 Steps to Cyber Security, “In GCHQ we continue to see real threats to the UK on a daily basis, and I’m afraid the scale and rate of these attacks shows little sign of abating.”
Vulnerabilities provide the opportunities for attackers to gain access to our systems. They can occur through flaws, features or user error, and attackers will look to exploit any of them, often combining one or more, to achieve their end goal. A flaw is unintended functionality. This may either be a result of poor design or through mistakes made during implementation. Flaws may go undetected for a significant period of time. The majority of common attacks we see today exploit these types of vulnerabilities. In the last twelve months nearly 8,000 unique and verified software vulnerabilities were disclosed in the US National Vulnerability Database (NVD).
Computers are like “crowbars”: they are just a tool and in the wrong hands they can be a tool of terror. Will tomorrow or maybe next week bring a massive virus enabled terrorist attack on the Internet and its users? Food for thought!
Securing the end user
An organisation’s integrity relies on a holistic approach to minimising the vulnerabilities to external threats and often information security is seen as solely an IT issue. However in reality, all employees are responsible and an essential ingredient to managing down risk within a company is to ensure that all staff are fully aware of the threats and vulnerabilities associated with security, their individual responsibilities regarding security, and the consequences of non-compliance – both personally and for the organisation.
Users can be a significant source of vulnerabilities. They make mistakes, such as choosing a common or easily guessed password, or leave their laptop or mobile phone unattended. Even the most cyber aware users can be fooled into giving away their password, installing malware, or divulging information that may be useful to an attacker (such as who holds a particular role within an organisation, and their schedule). These details can allow an attacker to target and time an attack appropriately.
A strategic challenge
All successful organisations depend on information for their business processes. Information processing technology is revolutionising the world, but organisations must be aware of the security challenges that are inherent with e-commerce. If not addressed, a security breach could have a significant adverse impact on an organisations reputation. However while information security is generally taken seriously by Board Members, there is a significant variation in the level of risk that those executives perceive impact on their organisations. And where the perception is that risk levels are low, the level of Board oversight is likely to be correspondingly low.
Risk and Information Security are strategic issues and as such, can create competitive advantage and improve shareholder value.
 On-line fraud phishing attacks; Use spoof e-mails and fraudulent websites which are designed to dupe the recipients of the distributed e-mails into divulging their personal details and financial data, such as their credit card number, bank account user-name and password. This type of on-line fraud is growing fast as it is easy to carry out and is often perpetrated by organised criminals.
 Distributed denial of service attacks; DDOS attacks still remain one of the most newsworthy, if not the greatest, weakness of the Internet. It is an attack in which a multitude of compromised systems attack a single target thereby causing denial of service /denial of business for the users of the targeted systems.
David Gibbs is the Compliance & Risk Officer for Knight Frank Investment Management.
He has over 30 years’ experience in the financial sector within the UK and Europe. David has a Masters in secure e-commerce, gained at the Royal Holloway University of London, and expertise in compliance, anti money laundering, operational risk and information security, which he has applied within BACS, Barclays Investment Management, International Financial Data Services, ING Real Estate Investment Management and Coutts Investment Office.
David is authorised by the FCA as CFIO (Compliance Oversight) and CFII (Money Laundering Reporting Officer).