Few revolutions have been as persistently forecast as the revolution in
e-commerce. Even in 1999, when e-commerce was still a minor factor in Canada,
the federal government estimated that the industry would hit $200 billion within
the next three years. More recently, research firm Forrester Research Inc. of
Cambridge, Massachusetts has projected that online trade in Canada will hit
hyper growth in 2001 - growing to C$218 billion by 2004.
The advantages of e-commerce are not lacking in publicity. Headlines,
billboards and posters all trumpet the advantages of doing business on the
Internet - lower overheads, more exposure to customers, superior opportunities
for data gathering and analysis, and the opportunity to do more business for
less cost.
Indeed, much of the media gives the impression that a business not involved
in e-commerce is rapidly becoming a dinosaur, doomed to die out in the face of
its more highly evolved competition.
These projections notwithstanding, the actual adoption of e-commerce to date
has lagged behind past forecasts. The recent statistics report, which found that
Internet sales in 1999 amounted to less than one percent of the total economic
activity in Canada, surprised many.
While the study's methodology has been the subject of some criticism, the
activity it did measure showed growth to be disappointing. One of the reasons
for this lack of progress clearly relates to concerns about privacy and security
in Internet commerce.
Jupiter Communications of New York, a respected authority on Internet
commerce, has identified privacy concerns as responsible for an $18 billion drop
in potential e-commerce revenue and a $2.7 billion lag in potential online ad
revenues.
Governments have attempted to respond to these concerns by defining some
rules. Canada's Bill C-6, passed into law last April, dictates that e-commerce
companies, Web marketers and Internet service providers (ISPs) must have
explicit consent from consumers before providing their personal information to
third parties. While there is some fine print, in that the legislation applies
only to federally regulated businesses for the first three years, the new law
still helps to clear the air in Canada.
Self-regulation still rules
Americans are still struggling to find some common ground to address the
shortfalls of industry self-regulation. This past April, CEOs at Amazon, eBay,
America Online and Lycos sent out 400 letters to colleagues urging them to take
their clients' privacy more seriously.
How valid are these client concerns about privacy? About 90 percent of web
sites out there do boast privacy policies.
However, from the perspective of a specialist in Internet security, the
security most of them offer, which relies on SSL (Secure Sockets Layer) and
firewalls, may not be enough. Just over the last year we've seen very successful
and professional businesses compromising their customers' personal information,
such as the public release of 300,000 credit card numbers from the CD Universe
site.
Careful... sensitive information ahead
Businesses have to ensure they are not releasing mission-critical data such
as purchase orders, transactions, sensitive marketing plans or engineering
schematics in an unwise fashion. This is a new and emerging industry. Many
businesses out there don't yet know, or understand, all the areas in which they
may be vulnerable.
Nor, realistically, can they be expected to. The technology industry moves so
fast that most information is obsolete within three to six months. That's why
many companies - even IT vendors - are turning to third party security
consultants to offer specialist help in securing private networks.
Most people would be surprised at how few successful e-commerce networks have
been built to date. Today's legacy systems were built to keep people out, not
let them in. An effective e-commerce implementation can be quite intricate and
requires the right people, and an intimate knowledge of the technology, to get
the job done. Security specialists are simply better able to handle this type of
work.
Information security specialists secure electronic commerce, products and
systems solutions, and provide product specifications, design and development
methodologies. They also implement public key infrastructure (PKI) solutions and
record document information management systems (RDIMS) for clients and business
partners.
Under the cloak of security
How are these specialists able to do these tasks better? At CGI, for
instance, the IT Security practice based in Ottawa draws from over 40 qualified
security professionals holding numerous industry recognized certifications in
information security, audit, business continuity planning, PKI and lab
evaluations. It houses an Information Technology Security Evaluation and Test
Facility that was originally formed to help clients manage customer transactions
through CGI's data warehousing, systems integration and other capabilities.
This was in reaction to the desire of many companies to incorporate evaluated
products into their networks. These "Common Criteria" evaluations are
internationally recognized and provide clients with the assurance that the
evaluated products will provide the security functionality specified by the
manufacturer. Indeed, this facility is one of only three in North America
accredited by the Standards Council of Canada and the Communications Security
Establishment (CSE).
Lost and found
Security specialists are expert in fields like disaster recovery planning, a
critical issue when some commercial sites can measure losses in millions of
dollars per hour of downtime. At this level of revenue loss, appropriate
measures to ensure infrastructure availability are not just an investment. They
are essential to the business's success, and perhaps even its survival.
The experience of CGI's IT Security practice includes close to 100 threat and
risk assessments for the Canadian government and Fortune 500 companies, four
high security projects worth more than $100 million, and the design of the
disaster recovery plan for the largest network in the Canadian federal
government.
Currently, a team of CGI's IT Security professionals is instrumental
in the implementation of Health Canada's Secure Electronic Service Delivery (SESD)
project, a pathfinder PKI implementation for the Government of Canada.
Evolution in the IT security field has not only increased the functionality
available to e-commerce, but also brought significant cost-savings in some
areas. Use of the right technology, architecture and solutions can allow a
business to grow and do more. It can also generate positive return-on-investment
that more than pays for the implementation.
Individuality in security
A critical point is that vendors still need to be aware that every situation
is unique and deserves to be approached with that in mind. There is a great deal
of danger for both consumers and vendors in settling for a cookie-cutter
approach. The right solution for one customer down the street usually isn't the
right solution for another, whose business model is different, because it
probably won't meet their needs. The bottom line is not 'just do it'. It should
be 'do it right.'
The bottom line
Security and privacy concerns about e-commerce remain real, and are thus a
major potential obstacle to e-commerce success. Specialists in IT security can
offer a valuable service with real returns: an e-commerce site that inspires
the confidence of both the business owner and consumers.
Chuck Pfinder is Director of IT Security Consulting for CGI Group Inc, which
provides planning, design, implementation and integration of Security Life Cycle
Services. This article is reproduced with permission from
www.energizeyourchannel.com