A new survey warns that UK e-commerce is being stifled by rising
crime and consumer caution about buying goods on the Internet.
The Confederation of British Industry (CBI) is urging businesses
and the Government to take action following new research which
warns that cybercrime is damaging the take-up of e-commerce in the
UK. The threat from hackers, computer viruses and computer-related
fraud is deterring businesses from using the Internet to sell
directly to the public, the research claims.
Two-thirds of businesses have reported serious computer crime
incidents in the past 12 months and nearly 60% predict that
cybercrime will become more of a problem in the future, the survey
of 154 organisations shows.
The CBI's findings reveal that the greatest risks come not from
business-to-business transactions, but from e-commerce directed at
the consumer. Although half of the companies questioned believe
that the Internet is safe for B2B transactions, little over 30%
believe it is safe for B2C transactions.
The fear of fraud is putting off companies from trading over the
Internet and stopping consumers from buying. Figures released last
week by the Association of Payment Clearing Services (Apacs)
support the CBI's findings. They show that less than 1.5% of all
credit and debit card purchases were made on the Internet last
year. Apacs expects the figure to increase only slightly next
year.
"Fears about potential financial losses and damage to reputation
from cybercrime are stalling the growth of e-business, especially
for B2C transactions. That will only come when all parties are
reassured that adequate security is in place to protect them," said
Digby Jones, director-general of the CBI.
The survey suggests that SMEs in particular - the mainstay of the
UK's economy - are shunning the Internet. Although 70% of large
firms with more than 10,000 staff are selling on the Internet, the
figure drops to 20% of firms with fewer than 500 staff.
For all organisations, the amount of business conducted on the Web
is disappointingly small. Nearly 80% said e-business accounted for
less than 5% of their total revenues. And 40% are making no money
from the Web.
This is partly due to a lack of resources, but the CBI believes
that cybercrime is also a factor. The Internet is now the biggest
source of risk for most firms questioned, overturning the
conventional wisdom that 80% of security problems are caused by
insiders.
For most companies, the risk is not so much the financial impact of
cybercrime but the damage it can do to a company's reputation.
Adverse publicity and loss of trust from customers may cause far
greater long-term problems. For 70% of the companies questioned,
financial losses were less than 1% of their turnover from
e-business. Less than 2% have lost up to 20% of their e-business
turnover.
Despite the perceived risks, companies are not taking cybercrime
seriously. The Turnbull report's guidance on corporate governance,
introduced last year, should have placed risk management high on
the board directors' agenda. Yet 40% of the companies questioned
said their boards had not considered the risks of cybercrime within
the past 12 months. A third have yet to appoint a specific director
to take responsibility for risks to e-business.
The CBI's report suggests that too many businesses are relying on
technological fixes rather than a fully thought-out risk management
strategy to protect their e-commerce systems. IT security measures,
electronic control, monitoring systems and security reviews all
take precedence over risk management.
"The deployment of technologies such as firewalls may provide false
levels of comfort unless organisations have performed a formal risk
analysis and configured firewalls and other security mechanisms to
reflect their overall risk strategy," the CBI said.
It spelt out key recommendations for the Government. These include
setting up a UK equivalent to the US Internet Fraud Complaint
Centre, which investigates complaints from the public. The centre
could provide feedback on the extent of crime and the effectiveness
of countermeasures. The CBI also wants the Government to review and
amend the Computer Misuse Act to cover denial-of-service attacks
and calls for a full review of UK law, through the Law Commission,
to ensure that legislation can meet the long-term threat from
cybercrime. Few would argue with these suggestions. But critics
warn that there is a risk of the UK rushing in new legislation
without a more thorough assessment of the risks of computer crime.
Peter Sommer, IT security expert at the London School of Economics,
said too many decisions are being made without rigorous research.
One of the first tasks of the High-Tech Crime Unit, for instance,
will be to establish the extent of cybercrime in the UK - a task
that should have been completed before the unit was set up.
"It is all very well saying that two-thirds of firms have suffered
cyber attack but what sort of attack? A virus like Melissa is one
thing, but it is another thing if you are attacked by cybercrime
warriors that [Iraq] is allegedly training. The CBI needs to take a
major role in collecting data itself," said Sommer.
Cybercrime Survey 2001 by the CBI, Fraud Advisory Panel,
PricewaterhouseCoopers, Armor Group and International Fraud
Prevention Research Group