Increasingly complex security environment for business
From complying with proposed laws to check employees’ emails for national security risks to combating online fraud and espionage, Australian business has to operate in an increasingly complex and demanding security environment. National Affairs editor Ernie Davitt presents this report.
In the post-9/11 world, companies have had to deal with a plethora of national security countermeasures and legislation as well as responding to business security operating imperatives which demand action or risk ruin.
Developing risk management plans, securing IT systems from cyber attacks, identity theft and espionage and factoring in the impact of the loss of critical infrastructure have all become part of the modern CEO’s daily responsibilities.
Despite continuing global problems, Australians these days seem to be more worried about business security issues than terrorism and other national security problems.
The latest Unisys security index for Australia, published in May 2008, listed the top four areas of security concern for Australians as: unauthorised access to or misuse of personal information; other people obtaining credit card/debit card details; Australia’s national security in relation to war/terrorism; and computer security in relation to viruses or unsolicited emails.
The survey indicated the vast majority of Australians would not consider using their mobile phone or PDA to pay bills, shop or bank online, with less than 1 in 10 Australians saying they currently used these devices for online transactions.
The scale of the problem besetting business can be gauged in the recent actions of US Homeland Security chief, Michael Chertoff, who made an unusual but impassioned plea to global ICT security professionals.
Speaking at the RSA IT security conference in San Francisco, Mr Chertoff described the threats posed to the US economy by cyber-criminals as being on par with the attacks of 9/11.
He said the US Government was taking threats to online services as seriously as the possibility of physical attacks on American soil.
Like the 9/11 attacks, which targeted American financial and political centres, cyber-crime, in the view of the Homeland Security Department, could weaken or disable elements of the country’s economy, he said.
Mr Chertoff surprised many delegates when he openly admitted that the US Government could not cope with the threat alone. He appealed to the US IT security industry to ‘send some of your brightest and best to do service in the government.’
Unable to compete with Silicon Valley in terms of salaries, Mr Chertoff appealed to the IT security professional’s sense of public duty. He announced that a leading IT security expert had already agreed to head up a new inter-agency unit which will raise the level of the fight against cyber crime.
Just how high is the fraud rate with business and private transactions through banks, building societies and credit unions in Australia? According to figures from the Australian Bankers Association (ABA), the fraud rate is falling.
In the year 2006 alone, 448 million cheques were written in Australia totalling $1.7 trillion, with a fraud rate of 1.9 cents per $1000. There were 1.8 billion credit card transactions worth over $186 billion with the rate of fraud equalling 7.7 cents per $1000.
There were 1.8 billion debit card transactions, with a value of $186 billion. In dollar value, the rate of fraud fell from 8.2 cents to 7.7 cents in every $1000.
In terms of credit and charge cards, there were 1.6 billion credit card transactions on Australian-issued cards, with a value of $230.7 billion. The rate of fraud fell from 38.9 cents to 36.9 cents in every $1000.
Australian Bankers Association Chief Executive, David Bell, says the industry takes fraud very seriously and bank employees are on secondment to the Australian High Tech Crime Centre within the Australian Federal Police.
He said the Australian Payments Clearing Association’s (APCA) data shows that the incidence of fraud is very low for Australian financial institutions relative to the billions of transactions that occur through the payments system every year.
“Fraud rates are also low in dollar terms compared to the United Kingdom. This low rate can be attributed to the safeguards which Australian banks use to protect their customers’ accounts.
“Total fraud in dollar value terms for financial institutions has come down slightly from APCA’s first report (12 months to 30 June 2006) from 6.8 cents to 6.3 cents in every $1000.”
Mr Bell said banks used a combination of safeguards to protect customer information such as employee training, privacy policies, security and encryption systems.
“Banks have systems in place to constantly monitor transactions and if a transaction is identified as suspicious, it will be investigated to ensure there is no breach of security. Occasionally, this may involve a bank staff member contacting you to verify a transaction,” he said.
Mr Bell emphasised that bank customers were protected from loss in genuine fraud cases.
“Account holders are not liable for losses resulting from unauthorised transactions where it is clear that the user has not contributed to the loss,” he said.
“There is usually an investigation by the bank to determine how the fraud has occurred.
“Banks are continuing to seek out security enhancements especially for online banking such as an on-screen keypad which is designed to prevent the incidence of keystroke logging fraud by removing the need for a keyboard to enter in passwords.
“Others are offering what’s called two-factor authentication. An example of one-factor authentication is the use of a password to enable access to Internet banking.
“There are several ways that two-factor authentication can be offered to the customer. It can be completed through a SMS payment security service, which sends a unique code via SMS to a customer's mobile phone to authorise online payments.
“Customers have already logged on to Internet banking using a password and then need to enter the SMS code before they can finalise the online payment.
“Two-factor authentication can also be offered through a device known as a security token that looks like a pager. It is a device issued as a credential. A token is likely to include security features that render it difficult to forge and that tie it in some manner to the particular entity - in this case the bank that issues it.
“To log on to Internet banking the customer uses their password and then the number generated by the token, which is then keyed in at the desktop to enable access to an Internet banking session.”
Law enforcement agencies and governments around the world are concerned about a rising trend of targeted espionage attacks by criminal groups aimed at not only shutting down vital government internet services but, in some cases, the Internet itself.
Economists worldwide recently expressed concern that a one day ‘blackout’ of the Internet would have a major impact on the global economy.
According to a recent survey by the International Chamber of Commerce (ICC) and the Ifo Institute for Economic Research, economists were asked to predict the impact on their country’s economy if the Internet completely shut down for a day worldwide. A total of 1004 responses from economists in 90 countries was received.
In almost all regions of the world, including Australia, economists polled said businesses would suffer major losses and costly damage which would have huge and lasting effects.
Concerns were especially pronounced in places where Internet penetration is highest, including the US and Western Europe, particularly in Denmark, Sweden, Finland and Switzerland, and in several Asian countries, including Japan, Taiwan, Thailand, India and Pakistan.
In contrast, in the CIS countries covered by the survey – Russia, Ukraine, Kyrgyzstan and Kazakhstan – the majority of polled economists stated that a day-long shut down of the Internet would lead to short-term delays but that the economy would not be considerably damaged.
“Business, governments and people depend on the Internet for such a large number of their activities today. We must prioritize the secure and stable functioning of the Internet,” said Herbert Heitmann, Chair of the ICC’s Commission on Electronic Business, IT and Telecoms (EBITT).
Mr Heitmann, who is also Chief Communications Officer for business software maker SAP AG, said: “Ensuring there are appropriate policy, legal and regulatory frameworks is essential to preventing economic loss, and disruption of peoples’ lives while still maximizing the opportunities the Internet represents.”
Four undersea communication cables were cut during a one week period at the end of January, providing real-life examples of the massive losses which can occur when Internet service is interrupted.
The cuts caused a dramatic breakdown in Internet access in much of the Middle East, with India, the US and Europe also experiencing slowdowns. The cuts wreaked major damage to the Internet backbone despite back-up routers and raised questions about the safety of the oceanic network that handles most of the world’s Internet and telephone traffic.
More than 80 per cent of economists who participated in the ICC/Ifo survey also agreed that Internet related policies should be crafted with the input of all concerned stakeholders – business, government, civil society and technical experts.
“It takes adherence to good practices. It takes the experience of all stakeholders to develop and implement policies and frameworks that are put in place nationally. It must be a collaborative effort on policy and in practice,” Mr Heitmann said.

