E-commerce execs under false confidence: Deloitte

A shocking 80 per cent of businesses operating online in Asia-Pacific do not have adequate security measures, according to a global Deloitte study.

The study found 35 per cent of global organisations had formal Internet security strategies and policies in place, but only 20 per cent of Asia-Pacific companies had taken similar measures.

At the same time, the study found most executives at those companies considered their method of online transaction adequately secure - including executives from companies with no security measures in place.

Deloitte enterprise risk services group partner Dean Kingsley said those executives discarded security measures as a "technical problem".

"They're saying, 'We've got firewalls, we've got encryption, we've got this piece of hardware and this piece of software so we must be secure'... but they're leaving too many gaps in between," he said.

"Technology is one part of the solution. If you've got security technology but you don't have quality, trained people administering it and keeping it up to date, then you've probably got false confidence," he also said.

The report found that, while 81 per cent of companies with fully articulated security policies were "satisfied" with their control objectives, 69 per cent of companies without security policies were also "satisfied" with control objectives.

"As e-business increases exponentially, the risk environment will be increasing as well. Organisations that keep on taking that posture of 'I put a firewall in so what more do I need?' are going to come to regret that decision at some point in the future," Kingsley said.

Kingsley said consumers' reluctance to submit credit card details over the internet was disproportionate to the actual risk of data being "compromised". The majority of online transactional risk belonged to the merchant, he said.

"If they [merchants] accept a credit card that is fraudulent, and don't authenticate it with a credit card company, they take a loss," Kingsley said.

He said adequate security measures included virus scanning, firewalls, intrusion detection and secure socket layer (SSL) encryption. Password authentication, which he said was used by 70 per cent of e-commerce companies, would delay "any decent hacker" from breaking into company files by about 10 minutes, he said.

Digital certificates, which were only used by 25 per cent of companies, provided the best technological security, he said.

According to Kingsley, the study detailed 150 companies from 13 countries, including 10 Australian companies. National Australia Bank, Westpac, the Australian Tax Office and Government Online were among those interviewed, he said.

The Deloitte study was commissioned by the Information Systems Audit and Control Association (ISACA); Kingsley is also president of ISACA's Sydney operation.