A call to the bank, and one to MSN, quickly resolved the dispute and ensured that the card was truly canceled, but my faith was shaken. I, who buy everything on the Internet, began to completely rethink my approach.
The fraudulent charges on my unused credit card in all likelihood had nothing to do with the Internet (I don't even think I ever used the card), but the incident is emblematic of the atmosphere surrounding both the Internet and e-commerce: an atmosphere of anonymity, crime, and nefarious evildoers half a world away.
Large companies have addressed the problems of security, some due to farsighted management and others due to the pressure of regulation like HIPAA or Sarbanes-Oxley. They have engaged chief security officers, built firewalls, and added intelligence to their networks to fight off attacks. Smaller companies and individuals, though, are in a bind.
Today's attacks are increasingly sophisticated (zero-day attacks, sophisticated phishing attempts, VOIP, and social engineering) and are all beyond the defenses of the typical small company. A recent article in USA Today highlighted a five-person Baltimore-based company that had to spend $50,000 on website security so it might be more resistant to attack.
That's a huge amount of money to a small business, which might better use it to promote its services and expand its business, thus creating more jobs.
Even more distressing is the dearth of resources available to very small companies to help them mitigate the problem. It's absolutely mind-boggling that there is not a single national firm focused on helping very small companies deal with their IT and security problems. (Maybe these companies simply don't have the finances to afford these services? Maybe the market is too fragmented and difficult to reach?)
It's also unlikely that most businesses have given the issue much thought, but I think we're on the cusp of an explosion in business security thinking as larger companies build higher walls and the miscreants begin targeting easier-to-attack small businesses.
Even worse are individuals. There are millions of very unsophisticated computer users with unprotected or poorly protected machines on very large data pipes such as cable modems, just waiting (if they have not already been) to be turned into bots with an evil purpose. Unless they have, like my Mom, a couple of children in the IT business, most 85-year-olds with cable modems are completely clueless about security.
The continued attacks on information systems connected to the Internet will ultimately destroy the faith of even the most sophisticated user of electronic commerce, and once that happens, online sales will plummet. There's no sign of it yet, as electronic commerce continues to gain ever larger slices of the pie, but if the lack of security surrounding even elementary commerce continues to escalate, people will shy away.
My first boss told me, "Never bring me a problem without a couple of solutions." So, in thinking about the problem, I've got a few ideas:
We need a national company to help very small businesses with IT issues: This company should have reasonable fees (less than $150/hr) and fixed fees for very specific tasks like a basic Internet security package (managed firewall, virus protection and regular checkups). In essence, it would be the IT department for a five-person company, one that understands the business needs of that company.
We need the network providers to be much more proactive in providing in-network security: The average Joe can't fathom all the complexity of viruses, worms and phishing attacks. I expect the electric company to filter harmful voltage spikes from my power and, likewise, we should expect network providers to filter bad stuff from our data pipes.
We need a new electronic commerce payment system: Credit card numbers are simply too easy to steal and use. PayPal is an example of a positive-pay system, where I have to initiate a one-time transaction that is not repeatable, and it is a good model.
I use it a lot, but I also hope I never have a problem, because my few attempts to contact PayPal to resolve problems have been frustrating.
We absolutely need a new system to incontrovertibly prove identity in a secure manner: This system should conform to all of the elements of a good identity system (see my article Identity in Crisis).
We need to vigorously prosecute e-crimes: Too often nothing happens to e-criminals, mostly because they're located in some remote part of the world, but there are many cases where they're located in civilized countries, and we should create a law enforcement force with the sole charge of prosecuting them.
Our current law enforcement agencies have bigger fish to fry, but if we ignore this problem we are seeding a problem which will grow and destroy.
It's not a comprehensive list, but at least it's a start.
Daniel Gingras has been CIO of five major companies and is a partner at Tatum, LLC, a nationwide professional services organization of senior-level technology and financial executives who take on leadership roles for client companies. He has more than 30 years of IT experience and teaches computer science at Boston University. He can be reached at email@example.com.