Seventy-nine percent of CEOs, CIOs and other senior management from public and private companies in 12 countries said they believed that a breach in their e-commerce system would most likely be perpetrated through the Internet or other external access, according to the 2001 Global e.fr@ud.survey. It is well documented, however, that the greatest risk is from internal perpetrators.

"Most security breaches are committed by individuals who possess intimate knowledge of the systems they are attacking," said Norman Inkster, president of KPMG Investigation & Security Inc. in Canada and chair of KPMG’s International Forensic Accounting Committee. "If senior management understood that, they might handle their security issues very differently."

Survey participants identified hackers, poor implementation of security policies and lack of employee awareness as the greatest areas of threat to their e-commerce systems. However, it is more likely that internal sources, such as disgruntled or former employees or external service providers who have an established relationship with the company, may commit the breach, or may supply the information necessary to do so to someone else.

The survey also found that companies are failing to put in place policies that could prevent and help prosecute e-commerce fraud. Fewer than 35 percent of executives surveyed said that security audits are performed on their e-commerce systems, and only half have incident response procedures in place for when they do discover a breach.

"The first thing most companies do when there is a security breach is fix it right away so they can get their e-system back up for business," said Inkster, a former commissioner of the Royal Canadian Mounted Police. "But they don’t realize they are destroying evidence and making it almost impossible to recover assets or pursue legal action. It’s like cleaning a crime scene before dusting for fingerprints."

According to the survey:

86 percent of respondents consider themselves somewhat to very knowledgeable about e-commerce

Only 22 percent of companies have computer forensic response guidelines

Only 62 percent perform background checks on the entities that assist them with the development, maintenance and/or administration of their e-commerce system

Nine percent have had a security breach in the last 12 months. Of those, an astonishing 83 percent said legal action was not pursued

72 percent said their greatest concern was the risk of damage that may be caused to their company’s reputation as a result of a security breach

Respondents said that security of credit card numbers and personal information were by far the most important concerns to their customers.

KPMG believes the number of reported breaches is understated. There may be a variety of explanations for this, including:

An understandable reluctance to report breaches to protect the company’s reputation

Respondents may not have been made aware of security breaches within their organization

Many attacks or intrusions go undetected by the organization

Survey participants sustaining a security breach may have chosen not to respond to this question.

The survey results were similar among companies throughout the world, in both developed and developing countries, indicating that national and geographic boundaries matter little when it comes to fraud in the global electronic marketplace.

To prevent and detect e-fraud, KPMG recommends companies implement a comprehensive security program often referred to as the onion model, because of its many layers. The model includes the use of encryption, firewalls, intrusion detection systems, incident response procedures (including computer forensic response guidelines), monitoring and external audits.