E-Business Security and Controls

By Stephen A. Moscove

In Brief

New Controls for New Risks

E-businesses are those companies that have seized the opportunities offered by technology. Their reliance on new technology, however, has also exposed them to new and greater business risks. E-business risk can be classified into four categories: 1) information technology infrastructure, 2) user identification and authentication, 3) user privacy, and 4) destructive computer programs. Each risk category can be addressed by control procedures specifically designed and implemented to enhance e-business security. Regardless of a company’s involvement in e-commerce, a cost-effective package of control procedures is an important element of its business strategies.

Information systems security controls and electronic business are the major technology challenges facing business development. Information security and controls comprise the software applications, procedures, and physical hardware within a company’s information system that provide assurance that its resources are only available to those individuals authorized to access these resources. As defined by Glover, Liddle, and Prawitt in E-Business: Principles and Strategies for Accountants, e-business is the use of information technology and electronic communication networks to exchange business information and conduct transactions in electronic form.

Within any organization, these two issues are inevitably intertwined. A study by Deloitte and Touche LLP identified a number of characteristics, such as complex information systems, that increase risk for organizations engaged in e-business. Nevertheless, there are various controls and procedures that can be designed and implemented within a company’s information system to manage some of the risk associated with e-business.

Business Risk

The business risk for a company engaged in e-business is normally greater than for one that is not. E-business operations present a unique set of risks, including an increased reliance on technology and increased vulnerability to the rapid changes in technology. In addition, industry structures can erode rapidly because Internet shopping facilitates price competition and transforms core business structures to promote distribution by mail and remote customer service.

To address such challenges, an e-business company needs to develop an effective business strategy. An effective business strategy requires operational efficiency; within an e-business’s information systems, this means an emphasis on information security and controls. A cost-effective e-business internal control system should be designed and implemented toward the goal of reduced operating expenses and therefore increased profits. Reducing operating expenses and increasing profits are critical to the success, even the continued survival, of companies heavily engaged in e-business.

E-business risk can be classified into four categories: 1) information technology (IT) infrastructure; 2) user identification and authentication; 3) user privacy; and 4) destructive computer programs. Each category presents characteristic risks; control procedures should be implemented to reduce these risks.

IT Infrastructure

A company’s IT infrastructure comprises the hardware, software, and processes that enable daily operating activities to be performed.

Risks. In any organization that depends heavily on IT, problems (or weaknesses) in infrastructure can cause costly interruptions of data flows. These risks are significantly increased for an e-business because of its almost complete dependence on IT for performing business transactions.

Many Internet-based firms (for example, eBay) interact with their customers only through a virtual Web storefront. As a result, any interruption in the availability of their websites is very costly; the organization is effectively shut down.

Interruptions in the services provided by an e-business firm may result from intentional attacks or natural disasters (such as floods, fires, earthquakes, or tornadoes). A denial-of-service attack is one example of an intentional interruption. A denial-of-service attack overloads an e-business firm’s system with millions of fraudulent server requests, causing legitimate requests to be denied. As stressed by the Computer Emergency Response Team Coordination Center, the risk of a denial-of-service attack exists for any system linked to the Internet.

Another area of potential risk to an e-business organization is the theft of electronic data. IT managers should know the critical points within an e-business infrastructure where data can be stolen by employees or hackers. Unfortunately, for many companies password protection is the only barrier to unauthorized access, and poor password administration creates one of the largest security risks. Weak password controls can lead to stolen information and disrupted services. The integrity of an e-business’s IT infrastructure is heavily dependent on the effectiveness of the company’s password policies and controls.

Controls: Physical access control procedures. These controls limit physical access to a company’s network and e-business resources to ensure that the software and hardware that comprise the IT infrastructure are physically secure. For example, only authorized personnel should be able to access computers and servers that store sensitive information. Computer equipment should be physically secured to prevent theft. Furthermore, all routers, switches, and servers should be located in locked rooms that only network administrators can access.

Password control procedures. Passwords are very important in maintaining the security of an e-business’s IT infrastructure. A formal password policy should prevent employees from using easy-to-crack passwords such as those based on their names, birthdays, or job titles. In addition, any word that can be found in the dictionary should not be used as a password; sophisticated password-cracking software uses dictionaries to guess passwords. A password policy should require users of confidential data to change their passwords periodically.
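As an added illustration (not from the article), the password rules above expressed as a checker in Go: it rejects dictionary words and passwords built from the user's name, birthday, or job title, and flags passwords past their rotation date. The 12-character minimum and 90-day rotation period are assumptions; the word list is a constructed stand-in for the dictionaries cracking tools use.

```go
package main

import (
	"strings"
	"time"
)

// Account holds the personal attributes a password must not be built from.
// All values in this example are constructed.
type Account struct {
	Name        string
	Birthday    string // YYYY-MM-DD
	JobTitle    string
	LastChanged time.Time
}

// Dictionary stands in for the word list a cracking tool tries (constructed sample).
var Dictionary = map[string]bool{"password": true, "welcome": true, "dragon": true, "summer": true}
const MaxAge = 90 * 24 * time.Hour // assumed rotation period; the article says only "periodically"

// Violations returns every policy rule the candidate breaks; empty means acceptable.
func Violations(a Account, candidate string) []string {
	var v []string
	lower := strings.ToLower(candidate)
	if len(candidate) < 12 { // assumed minimum length, not stated in the article
		v = append(v, "shorter than 12 characters")
	}
	if Dictionary[lower] {
		v = append(v, "is a dictionary word")
	}
	if basedOn(lower, a.Name, 3) {
		v = append(v, "based on the user's name")
	}
	bd := strings.Split(a.Birthday, "-") // year, month, day
	if len(bd) == 3 && (strings.Contains(candidate, bd[0]) || strings.Contains(candidate, bd[1]+bd[2])) {
		v = append(v, "based on the user's birthday")
	}
	if basedOn(lower, a.JobTitle, 4) {
		v = append(v, "based on the user's job title")
	}
	return v
}

// basedOn reports whether candidate contains any word of attr at least minLen long.
func basedOn(candidate, attr string, minLen int) bool {
	for _, w := range strings.Fields(strings.ToLower(attr)) {
		if len(w) >= minLen && strings.Contains(candidate, w) {
			return true
		}
	}
	return false
}

// Expired reports whether the password is older than MaxAge at time now.
func Expired(a Account, now time.Time) bool { return now.Sub(a.LastChanged) > MaxAge }
```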

Data encryption. Because so much of the information transmitted by e-business is private or sensitive, companies often use data encryption techniques to transform plaintext messages into ciphertext messages. If the encrypted message is intercepted en route, it is unintelligible to an unauthorized user. The encoded messages are then decoded back into plaintext at the receiving station.

The most common data encryption control procedures use public key encryption (also known as asymmetric encryption), a technique that requires a pair of encryption keys, one of which is public. The sender uses the recipient’s public key to encode the message; the recipient uses her corresponding private key to decode the message. A major advantage of public key encryption is that the same key cannot be used to both encode and decode a message; neither of the parties to a message knows the other’s private key.

Disaster recovery. E-business companies could lose millions of dollars in equipment, software, and sensitive information if a disaster occurs. A good disaster recovery plan will minimize the loss suffered. An effective disaster recovery plan details general responses to unusual or unanticipated events, such as fires, floods, or earthquakes. One element in a good disaster recovery plan is the flying start site. This is a backup facility outfitted with everything the firm needs to continue its operations on immediate notice—office supplies, telecommunications equipment, computer hardware and software—in the event the firm’s primary system fails or is inaccessible. Any disaster recovery plan must be tested regularly if it is to be effective when needed.

Software-based security control procedures. Software-based security packages are an important part of controlling risks directly related to infrastructure vulnerabilities. Examples include firewalls and intrusion detection packages. Firewalls are located between the Internet and the company network and block unauthorized access to files, directories, and the network. As with all software security packages, firewalls are an effective control only if configured properly.

Intrusion detection software constantly monitors a system and its components. The software functions as a filter to inform managers of any peculiar system activity (e.g., repeated unsuccessful attempts to enter a secure area). Intrusion detection packages not only have the ability to alert managers of unauthorized entrance into the system, but also to react immediately. For example, if the intrusion detection software detects repeated unsuccessful attempts to log on to a user account, the software can immediately lock that account until cleared by the network administrator.
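An added example, not part of the article, of the account-lockout logic described above: it replays a constructed authentication log, locks an account once a set number of failures fall within a time window, and clears the failure count on a successful login. The log line format and the sample entries are invented for the example.

```go
package main

import (
	"bufio"
	"strings"
	"time"
)

// LockedAccounts replays log lines of the constructed form
// "<RFC3339 time> LOGIN <OK|FAIL> user=<name> src=<ip>" and returns, in order,
// the accounts that reached threshold failures inside window. A successful
// login clears an account's failure history; malformed lines are skipped.
// An account is reported once, since it stays locked until an administrator clears it.
func LockedAccounts(log string, threshold int, window time.Duration) []string {
	failures := map[string][]time.Time{}
	locked := map[string]bool{}
	var order []string
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 4 || f[1] != "LOGIN" {
			continue
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			continue
		}
		user := strings.TrimPrefix(f[3], "user=")
		if f[2] == "OK" {
			delete(failures, user)
			continue
		}
		var recent []time.Time // discard failures that fell outside the window
		for _, t := range failures[user] {
			if at.Sub(t) <= window {
				recent = append(recent, t)
			}
		}
		failures[user] = append(recent, at)
		if len(failures[user]) >= threshold && !locked[user] {
			locked[user] = true
			order = append(order, user)
		}
	}
	return order
}

// SampleLog is a constructed excerpt: a burst against jsmith, slow probing of admin,
// and one mistyped password by mlee followed by a successful login.
const SampleLog = `2009-03-01T10:00:01Z LOGIN FAIL user=jsmith src=10.0.0.5
2009-03-01T10:00:05Z LOGIN FAIL user=jsmith src=10.0.0.5
2009-03-01T10:00:09Z LOGIN FAIL user=jsmith src=10.0.0.5
2009-03-01T10:01:00Z LOGIN FAIL user=admin src=10.0.0.9
2009-03-01T10:02:00Z LOGIN FAIL user=mlee src=10.0.0.7
2009-03-01T10:02:30Z LOGIN OK user=mlee src=10.0.0.7
2009-03-01T10:30:00Z LOGIN FAIL user=admin src=10.0.0.9`
```

The window matters: with a short window the slow probing of admin never trips the threshold, which is why a detector should also report low-rate failures for review rather than rely on lockout alone.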

User Identification and Authentication

As a necessary precondition for a successful electronic transaction, both parties need to be confident that the identity of the other party is authentic. Falsified identities are a major risk; for example, hackers typically use devices to conceal their identity when hacking a computer system.

Risks: E-mail spoofing. A hacker is able to hide his identity by changing the information in an e-mail header. An imposter posing as a computer support technician could convince an employee to divulge passwords and other confidential information, and then impersonate the employee and gain access to the system. E-mail spoofing can also be related to virus transfers and spam mail. Spam is any unwanted e-mail message, often advertising a product and sent in bulk. Spammers commonly operate under falsified e-mail addresses. Viruses are also generally distributed under false e-mail addresses.

IP spoofing. Security measures such as firewalls may be configured to disallow access to incoming requests from specific IP addresses. By changing his IP address, an unauthorized individual may be able to gain access to an e-business system. A spoofed IP address could also lead to legitimate e-mail being sent to an imposter rather than to the legitimate party.

Fake websites. These websites are established to access confidential information, as a first step to further misdeeds. A fake website might, for example, look like an e-business site and even collect credit card numbers from unsuspecting customers. To reduce the risk of fake websites, it is important that e-business firms use secure servers and digital certificates.

In addition, a legitimate website might be maliciously altered. For example, when hackers broke into the website of Aastrom Biosciences, they altered the web page to announce that Aastrom would be merging with one of its competitors, Geron Corporation. This news caused the stock prices of both companies to skyrocket. The hack was subsequently exposed as a fraud.

Controls: Digital signatures and certificates. Digital signatures and certificates are important control procedures that establish the identity of a party to an e-business transaction. In the same way that a signature on a paper document verifies or authorizes important information, a digital signature provides assurance that, for example, an order is legitimate. Data encryption is also an important component of ensuring the authenticity of digital signatures and certificates.
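An added example (not the article's own code) covering both the public-key encryption described under IT Infrastructure and the digital signatures described here, using Go's standard crypto/rsa: a customer seals an order with the merchant's public key, so only the merchant's private key can open it, and signs the order with the customer's private key, so the merchant can verify it came from the customer unaltered. RSA-OAEP for encryption and RSA-PSS for signing are the assumed modes.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Party is one participant; only the public half of its key pair is ever shared.
type Party struct{ priv *rsa.PrivateKey }

func NewParty() (*Party, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Party{priv: k}, nil
}

// Public returns the key the other side uses to encrypt to, or verify, this party.
func (p *Party) Public() *rsa.PublicKey { return &p.priv.PublicKey }

// Seal encrypts msg with the recipient's public key (RSA-OAEP). Only the matching
// private key can recover it, so an intercepted copy is unintelligible. OAEP limits
// msg to under ~190 bytes for a 2048-bit key; in practice a symmetric key is sealed
// this way and the bulk data is encrypted with that key.
func Seal(recipient *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, msg, nil)
}

// Open decrypts with this party's private key, which never leaves the party.
func (p *Party) Open(ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, p.priv, ciphertext, nil)
}

// Sign produces a digital signature over msg with this party's private key
// (RSA-PSS over a SHA-256 digest).
func (p *Party) Sign(msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, p.priv, crypto.SHA256, h[:], nil)
}

// Verify succeeds only if sig was made over exactly msg by the private key
// matching signer; any change to the order, or a different signer, fails.
func Verify(signer *rsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return rsa.VerifyPSS(signer, crypto.SHA256, h[:], sig, nil) == nil
}
```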

Biometric identifications. One area of security technology that is contributing to the reduction of falsified identity within e-business firms is biometrics, the use of unique physical characteristics to prevent unauthorized individuals from accessing a company’s computer system. Under a biometric approach, distinctive physical characteristics (such as voice patterns, fingerprints, facial structure, or signature dynamics) are identified for each authorized user of a computer system. When an individual wants to access the system, a biometric device compares the physical input against that stored within the computer system. The two must match in order for the individual to be given access.

User Privacy

Users that make purchases from the Internet have many concerns: an unfamiliarity with the process, an inability to physically inspect the product, and a delay before actual delivery of the product. A number of surveys have found that another major concern is privacy.

Risks. Several of the risks to the privacy of e-business users arise from weak internal control systems within e-business firms. The amount of privacy at risk is related to the amount of information a website accumulates on a consumer. The subject of compromised privacy is extremely relevant to e-business companies; if consumers suspect that websites are not actively preserving and protecting their privacy, they are less likely to engage in e-business transactions.

Even if e-business websites have explicit privacy policies, consumers still have reason to be concerned about their privacy. A recent study sponsored by the California HealthCare Foundation focused on the actual privacy provided by 21 popular health websites. It found that most of the sites deceived their visitors, sometimes even violating their own explicit privacy policies. One conclusion from this study was that advertisers might be able to obtain visitors’ names and addresses from most of the sites. Other third parties might even acquire personal health information that website visitors willingly provided.

One of users’ greatest privacy concerns is the use of cookies. These files are created by websites and saved (through the consumer’s web browser) to the user’s hard drive, usually without the user’s knowledge. When an e-business user requests a web page from certain servers, cookies marked for transmission to the particular server are sent. A major concern about the use of cookies is that some e-business firms use them to sell information—e.g., an e-mail address or a credit card number—about their customers to other companies.

Controls: Cookie screening. E-business users can exercise a control procedure by screening cookies before they are placed on their hard drive. Most web browsers can be configured to notify a user before accepting cookies. Netscape Navigator, for example, allows a user to specify that only cookies which are visible solely to the originating server are to be accepted. If e-business shoppers implement this type of control procedure, it allows them to exercise a certain amount of control over the information collected by third party agents. Of course, another alternative is for users to disable cookies entirely.

Privacy policies. E-business companies that are concerned about protecting the privacy of their customers should design and implement very explicit and thorough privacy policies. The following questions should be clearly addressed:

Some e-business companies, as a means of increasing their customer confidence, may purchase a third-party assurance service, such as WebTrust. Under WebTrust, a CPA discloses to e-business users whether the particular e-business company maintains effective controls which provide reasonable assurance that private customer information acquired from e-business transactions is protected from uses not related to the company’s business activities.

Destructive Computer Programs

Destructive computer codes and programs could potentially close down the entire operating activities of an e-business firm.

Risks. One of the biggest risks to the smooth operations of an e-business is the computer virus (macro viruses, boot viruses, file viruses). These destructive programs are capable of infecting an organization’s computer files and replicating themselves across its systems. A macro virus exploits the macro language within a program (e.g., Microsoft Word) and spreads alongside files containing the virus. A boot virus infects the boot sector of a system’s hard drive and replaces the boot code with infected code, allowing the virus to take control of the computer the next time it is booted up. A file virus infects executable files in a system (e.g., .com or .ovl files). Like boot viruses, file viruses may replace original instructions with virus code. They may also delete, rename, and sabotage files.

Additional risks to the effective operations of an e-business firm can come from trojan horses, hoaxes, and logic bombs. A trojan horse is similar to a virus, except that it cannot replicate itself. When, for example, a legitimate file is activated, the trojan horse (which is usually harmful) is activated and can potentially damage the system that activated it. A hoax is a message or file that claims to be a virus but is not. The intent is to cause confusion and panic. A logic bomb is code that is inserted into an operating system or application and is triggered whenever specific conditions are met. Logic bombs are also called time bombs and may be used in combination with a virus.

Controls. It is an unfortunate fact that new computer viruses are being discovered daily. Considering the damage any one virus could do, an e-business company cannot afford to not be protected. This protection typically comes in the form of antivirus software; however, no program can assure complete safety. Antivirus software must be updated continually to be effective against new and mutating threats, and even then it cannot provide complete protection. There are many companies that make antivirus software, and most offer free updates through their websites.

Minimizing Risks

Because every organization is unique (whether an e-business or not), there is no standardized package of control procedures that work best for all. An optimal control package must balance the costs and the benefits of its specific application. A cost-benefit analysis should be performed on every prospective control procedure. Controls are considered cost-effective when their anticipated benefits exceed their anticipated costs. Such controls should be properly implemented and form an important element of all e-businesses’ business strategies.


Stephen A. Moscove, PhD, is a professor of accounting at the University of New Haven, West Haven, Conn.
The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.

©2009 The New York State Society of CPAs.