Security Report Plan
E-commerce is a website which involves the use of transactions, in other words Transactional Websites. They involve the display and purchases of online goods and services such as clothes shops or insurance companies.
E-commerce is more susceptible to threats than normal commerce because to make a transaction online your have to give more personal details online. If you go into a shop to buy something, you don’t have to give your name or address, where as online you do. With e – commerce you also have to give credit card details, and they can be stolen and retrieved by spy ware leaving the customer susceptible to online fraud. However, with the right protection from the transactional website, the customer will not have to suffer these consequences.
There are many threats faced by data security with e – commerce as at times it can be very vulnerable without the right security. First of all there are Viruses – these are computer programs that are designed to copy themselves. They can attach themselves to other programs or they may be stand-alone – this is called a worm. They cause a lot of harm to a computer system, and identity theft is a common result of them in E-commerce situations. Anti – virus measures can be taken, there are many anti – virus software’s you can purchase to upload onto your computer to stop your computer from retrieving viruses. An example of anti – virus software is ‘Norton Antivirus’. Creating viruses is a serious offence, and if found the creators are often jailed. There was a BBC news article of an event similar to this. The opening paragraph reads; ‘A man who admitted infecting thousands of computers across the world with fast-spreading viruses has been jailed for two years.’ These computers included systems that were owned by many businesses which in effect temporarily destroyed them.
Secondly there are Hackers, these hack into computer systems and databases so they can access all information and data that is held in them. If these are not prevented then identity theft is a very common result along with online banking fraud. To prevent hackers from achieving this there are Firewalls. Firewalls are used to control access to networks and it enforces an access control policy. They stop hackers from getting into your computer system as it recognizes they shouldn’t have access to it. There is an article on the yahoo news website about ‘Hackers go after excel’. Excel is a programme which can contain much data. For example in a business, they may use Microsoft excel to keep a record of their finances and bank situations. If a hacker gets into these files, then much data can be stolen about the company.
Next there is Spy ware to consider. This can monitor almost anything a user does. It can monitor websites visited, files used, collect keystrokes and therefore find out passwords and credit card details, scan hard disks, view private chats, change default pages, hijack search engines. So basically it causes a lot of damage to the computer system it has invaded, and the owner of the computer can be a victim of fraud and identity theft. To prevent this you can get software like anti-virus, but specifically for spy ware.
All of the threats mentioned above are threats involved with other computer systems, however there are some physical threats involved also. Hardware failure can occur where the system fails and simply doesn’t work, you would not suffer from this if you were in the shops. Furthermore there can be human error, it is possible for people to make mistakes, therefore anything could potentially go wrong if too many are made, however most of the time these mistakes can be prevented by Training; training employee’s means that they know how to use the system properly so they are less likely to make mistakes, and this helps to prevent human error. Dishonest employees who are up to no good, can steel information from their company’s database and use it inappropriately, this can be a series offence and threat. To prevent this companies can monitor the actions of each employee, and if any are to act inappropriately they can be sacked. There is always the threat of Natural Disasters, where systems are simply destroyed through unexpected disasters such as hurricanes or tsunamis, these can both completely destroy computers altogether. You don’t always know when they are going to happen, and tend to rely on the warnings of others such as environmental groups. Another physical threat is theft; computers can be stolen if not protected securely. To prevent this Physical Security can be put into place. By having physical security it stops computers or other systems from being stolen, for example security guards or security cameras. If you are part of an organisation which involves you travelling, it is a good idea to get a device which protects others peeping over your shoulder to spy on what you are doing. Private information can leak out this way; to stop this from occurring the ‘3M Privacy screen filters’ have been invented. About 40% of Business Travellers admit to snooping on their unsuspecting seatmates. £250 billion of corporate secrets are stolen each year, due to indiscreet business practices. 10% of Laptop theft is for the purpose of obtaining information stored on the laptop. So the purpose of the filter is to stop unauthorised people overlooking on information they shouldn’t be. The filter only allows the person who is viewing the screen face on to see the screen. People from other angles will not be able to view the screen, to the right hand side there is a photo of the filter. Physical security can also help to prevent terrorism; bombs can also destroy computers completely so they need to be protected, also people can get into computer systems and destroy them or steal the companies money. Furthermore, flood and fire can both destroy computers.
There are still many other prevention methods for these threats to be considered, take Risk Analysis for example; these are a good idea for companies to take out as they help to identify potential risks faced by the companies systems. Their systems are assessed for how well they work and the problems are identified. Another method is the use of passwords they are a safe way of protecting personal databases and information, with e – commerce, you have a password to protect your online account and personal details, only you can access them as only you should know the password for that particular account. Also access levels are used to stop people of lower authority in businesses accessing areas they shouldn’t. For example the finance department would only be able to access the finance of the business and nothing else. To help prevent natural disasters from destroying all data back up can be used. By backing up files and data, if natural disasters or things you cannot prevent occur, you will have a copy of all the data and information you have lost, for example a hard disk. An external hard disk drive can hold up to 120 GB of data; this is the most reliable way to store massive documents. It can hold videos and music at the same time as many documents. It works like a memory stick but holds a lot more, and is more suitable for holding a whole computer system. Backing up data can stop businesses from being destroyed by many threats they are faced by.
All transactional websites need to have a secure network so the customer’s personal information isn’t stolen by those who should not be able to retrieve it. To prevent this from happening secure electronic transactions (SET) – this is a standard protocol for securing credit card transactions over insecure networks, for example the internet. It enables users to employ the existing credit card payment on an open network in a secure way. Furthermore, Encryption is used to keep certain information secret and protected from those who should not see it. Only those authorized to view the information can view it so it remains safe.
Legislation pays a big part towards the safety of a business. The laws are put in place to protect the customer as they give their personal information to the company.
Firstly there is the Data Protection Act, this act was devised in 1998, to protect individuals from their personal data being used incorrectly or passed around too freely. The right to privacy is a right we all expect. We do not expect personal details, such as our age, medical records, personal family details and political and religious beliefs to be freely available to everybody. To protect people and their personal information, the Data Protection Act was formed.
The first Data protection Act was made law in 1984 but was replaced by a new act in 1998 to include the European Union Law. There are 8 principle of the data protection act and these are listed below:
Be processed fairly and lawfully.
Be obtained for specified and lawful purposes.
Be adequate, relevant and not excessive for the purpose.
Be accurate and up-to- date
Not be kept longer than necessary.
Be processed within the rights of data subjects.
Be kept secure against lost, damage and unauthorised and unlawful processing.
Not be transferred to countries outside the European Economic Area.
If an organisation, business or company holds personal information about people, they must register with the data Protection office. As well as paying a fee when they register, they must state what kind of information they hold, and how they intend to use it. If you have a database on your computer at home containing personal details for family affairs, this is exempt from the act and you do not have to register.
The data protection act is very effective as all companies have to agree to it. Furthermore it provides strong underlying principles which must be followed or the company can be destroyed. People who go against the data protection act are prosecuted if they can give no valid reason. Marks and Spencer has previously breached the data protection act by not encrypting employee data, of which was held on a laptop. The computer system contained pension details for 26,000 employees and was stolen from the home of a contractor. There is an article on this case on computerweekly.com and the action taken was stated: ‘The ICO has issued Marks and Spencer with an enforcement notice ordering the company to ensure all laptop hard drives is fully encrypted by April. Failure to comply is a criminal offence and can result in further action against the company’.
Secondly there is the Computer Misuse Act, this is legislation against hacking, and it was passed in 1990 in the UK. The computer misuse act acts against hacking and many changes have occurred over the world and hacker’s technology is improving quickly, so they need to catch up with it quickly. This act works in a sense that it keeps employees in order and makes them do their job accurately and efficiently. There are three computer misuse offences and these are:
Unauthorised access to computer material
Unauthorised access with intent to commit or facilitate commission of further offences
Unauthorised modification of computer material.
Thirdly there is the office of fair trading (OFT), The OFT has three main operational areas: Competition Enforcement, Consumer Regulation Enforcement and Markets and Policies Initiatives. It enforces both consumer protection and competition law. Its goal is to make different markets work well for consumers, and to ensure that unfair practices such as rogue trading, scams and cartels are prohibited.
Another form of legislation is ‘The Freedom of Information Act’; it deals with access to official information. Furthermore, there are also regulations which provide access to environmental information. This act applies to most public authorities and to companies which are wholly owned by public authorities. It is quite the opposite of the others mentioned as it is allowing the public to view information; however the information that has been made accessible has been approved by the original source of the data. For example, with a transactional website, the customer has to right to track their previous orders; therefore they need to receive information from the company as long as they are authorized to.
The website I am analysing: Topshop.com makes the customer aware that their data is secure through the terms and conditions page. Shown in the print screen below:
They have a privacy policy statement which explains what data they take from you and what they do with it. They state that: ‘Your data will enable us, and our processors, to fulfil your order and to notify you about important functionality changes.’ They then go on to explain how they make sure the data is secure. Most importantly they state that: ‘We comply with the standards, procedures and requirements laid down in the UK Data Protection Act to ensure that the personal information you give us is kept secure and processed fairly and lawfully.’ When it comes to security, topshop.com provides the customer with the opportunity to find out exactly what is happening to their personal information. For example they explain in the terms and conditions that they have a fraud prevention screen as shown in the print screen below:
As you can see it reinforces the point that ‘At all times where we disclose your information it will remain secure’ this suggests that they have an SET in place. As previously explained, this is a standard protocol for securing credit card transactions over insecure networks, i.e. the internet.