Are Aussie businesses 'critically exposed' to data breaches?
The exponential growth in mobile eCommerce will leave businesses critically exposed to the soaring risk of data breaches unless they dramatically ramp up their focus on IT security.
That's the view of Chris Grant, managing director at Protiviti, a global consulting firm, who claims that in 2013 alone, almost 300 billion mobile transactions worth more than $930 billion were processed.
"By 2015, the number of mobile apps developed for smartphones and tablets will outstrip PC based software four times over, pushing transaction volumes to even greater heights," he adds.
"And by 2016 more than half of the world’s top 1000 companies will be storing sensitive customer data in the cloud.
“The rapid shift from desktop to mobile internet services and from traditional data centers to the public cloud will open up a whole new world of security vulnerabilities for businesses that are unprepared for the risks."
The recent data breach suffered by eBay resulting in the theft of personal information of 145 million eBay customers is a timely reminder that cybercriminals are becoming increasingly sophisticated and are able to deploy highly effective and destructive hacking tools to compromise even the largest corporations.
According to Grant, Australian businesses especially, unfortunately have a poor record in resisting cyber-attacks.
In 2013, Australian companies had data breaches that resulted in the highest average number of compromised records per capita (34,249).
Australia also ranked second after Germany, on the list of countries most likely to experience a data breach from malicious or criminal attack - the most costly breach category for companies.
“Despite these threats, many businesses remain dangerously complacent about their exposures and continue to seriously under-invest in IT security," Grant adds.
“Australian companies typically allocate only one to two per cent of their IT budget to security, even though benchmarking from reputable organisations like Gartner recommends a minimum spend of at least two to seven per cent, depending on factors such as regulatory requirements and individual risk factors."
Grant also observed that while companies had several data breach strategies at their disposal, the critical first step was to understand their customers’ behaviour.
“Companies first need to know how consumers behave when it comes to online security and adopt systems that help protect their customers from themselves," he adds.
"It’s well known that consumers tend to let their guard down particularly on social media by readily accepting contact offerings, sharing files or clicking on links from people they don’t personally know – even though these behaviours greatly increase their chances of malware infections, identity theft and the like."
Grant commented that to effectively combat complex and high-stakes eCommerce risks, companies were advised to adopt a multi-layered ‘defence in depth’ strategy.
“A ‘defence in depth’ approach involves a coordinated use of multiple IT security measures to protect the organisation’s information assets," he adds.
"Because the source of a cyber-attack can be unpredictable, you need to be set up so if one security measure is infiltrated there are fall-backs that can continue to hold the fort.
“And to be effective, those integrated measures must protect the business on all essential fronts.
"These include having robust server and application security which should include a clear policy for when it’s appropriate to use the cloud.
"Also critical are message confidentiality and integrity measures so that communications between transacting parties are private and not able to be tampered with, and authentication and authorisation protocols so that parties are properly identified and authorised to make the relevant transactions.
“Sound audit controls should also be implemented so that breaches or other unauthorised activities can be quickly detected.
"And lastly, payment processing and settlements need to be secure and compliant with the Payment Card Industry Security Standards which protect against credit card fraud.
“The explosion in mobile eCommerce presents both opportunities and threats for Australian businesses.
"The companies that succeed will be those that invest adequately in IT security and have a robust, multi-dimensional security strategy to deter the hackers at the gate."