CBI warns of cybercrime

A new survey warns that UK e-commerce is being stifled by the rising rate of crime and consumer caution about buying goods on the...

A new survey warns that UK e-commerce is being stifled by the rising rate of crime and consumer caution about buying goods on the Internet, although the cash cost of crime is relatively low.

The Confederation of British Industry (CBI) is urging businesses and the Government to take action following new research which warns that cybercrime is seriously damaging the take-up of e-commerce in the UK.

The threat from hackers, computer viruses and computer-related fraud is deterring businesses from using the Internet to sell directly to the public, research by the CBI and other business groups claims.

Two-thirds of businesses have reported serious computer crime incidents in the past 12 months and nearly 60% predict that cybercrime will become more of a problem in the future, the survey of 154 organisations shows.

The CBI's findings reveal that the greatest risks come not from business-to-business transactions, which are relatively secure, but from e-commerce directed at the consumer. Although half of the companies questioned believe that the Internet is safe for B2B transactions, little over 30% believe it is safe for B2C transactions.

The fear of fraud is putting off companies from trading over the Internet and stopping consumers from buying.

Figures released last week by the Association of Payment Clearing Services (Apacs) support the CBI's findings. They show that less than 1.5% of all credit and debit card purchases were made on the Internet last year. Apacs expects the figure to increase only slightly next year.

"Fears about potential financial losses and damage to reputation from cybercrime are stalling the growth of e-business, especially for B2C transactions. That will only come when all parties are reassured that adequate security is in place to protect them," said Digby Jones, director-general of the CBI.

The survey suggests that small- and medium-sized firms in particular - the mainstay of the UK's economy - are shunning the Internet. Although 70% of large firms with more than 10,000 staff are selling on the Internet, the figure drops to 20% of firms with less than 500 staff.

For all organisations, the amount of business conducted on the Web is disappointingly small. Nearly 80% said e-business accounted for less than 5% of their total revenues. And 40% are making no money from the Web.

This is partly due to a lack of resources, but the CBI believes that cybercrime is also a significant factor. The Internet is now the biggest source of risk for most firms questioned, overturning the conventional wisdom that 80% of security problems are caused by insiders.

Most firms rank computer viruses as the biggest risk to security, closely followed by hacking and the illegal access to databases. Simple, old-fashioned crimes such as credit card fraud, non-payment and non-delivery of goods and services come way down the list. Former staff, organised crime, political groups and competitors are perceived as the greatest threats to business.

For most companies, the risk is not so much the financial impact of cybercrime but the damage it can cause to a company's reputation. Adverse publicity and loss of trust from customers may cause far greater long-term problems. For 70% of the companies questioned actual financial losses were less than 1% of their turnover from e-business. Less than 2% have lost up to 20% of their e-business turnover.

Despite the perceived risks, companies are not taking cybercrime as seriously as they should. The Turnbull report should have placed risk management high on the board director's agenda. Yet 40% of the companies questioned said their boards had not considered the risks of cybercrime within the past 12 months. A third have yet to appoint a specific director to take responsibility for risks to e-business.

The CBI's report suggests that too many businesses are relying on technological fixes rather than a fully thought-out risk management strategy to protect their e-commerce systems. IT security measures, electronic control, monitoring systems and security reviews all take precedence over risk management.

"The deployment of technologies such as firewalls may provide false levels of comfort unless organisations have performed a formal risk analysis and configured firewalls and other security mechanisms to reflect their overall risk strategy," the CBI said.

It spelt out key recommendations for the Government. These include setting up a UK equivalent to the US Internet Fraud Complaint Centre, which investigates complaints from the public. The centre could provide feedback on the extent of crime and the effectiveness of countermeasures.

The CBI also wants the Government to review and, if necessary, amend the Computer Misuse Act to cover denial-of-service attacks and calls for a full review of UK law, through the Law Commission, to ensure that legislation can meet the long-term threat from cybercrime.

Few would argue with any of these suggestions. But critics warn that there is a risk of the UK rushing in new legislation without a more thorough assessment of the risks of computer crime.

Peter Sommer, IT security expert at the London School of Economics, said too many decisions are being made without rigorous research. One of the first tasks of the High-Tech Crime Unit, for instance, will be to establish the extent of cybercrime in the UK - a task that should have been completed before the unit was set up.

"It is all very well saying that two-thirds of firms have suffered cyber attack but what sort of attack? A virus like Melissa is one thing, but it is another thing if you are attacked by cybercrime warriors that [Iraq] is allegedly training. The CBI needs to take a major role in collecting data itself," said Sommer

Cybercrime Survey 2001 by the CBI, Fraud Advisory Panel, PriceWaterhouseCoopers, Armor Group and International Fraud Prevention Research Group

Read more on Antivirus, firewall and IDS products