The security posture an e-commerce company needs depends on its business model. iPremier follows a business-to-consumer (B2C) model and all of its sales come through its website, i.e. online B2C transactions, so its IT security programme should center on protecting customer information and meeting customer expectations. The Federal Reserve identifies six types of risk a company can face as a result of an Information Technology (IT) breach: credit, market, liquidity, operational, legal and reputational (FFIEC, 2006). In its current situation, following the Denial of Service (DoS) attack, iPremier faces operational, reputational, legal and market risk.

COSTS OF A BREACH
No customer will buy from a website that cannot keep his or her credit card or bank account information private. iPremier's customers expect that their financial data remains safe from theft and fraud, and that visiting the iPremier website will not infect their computers with viruses or other hostile code. High-end customers in particular do not want their personal information, shopping habits and preferences released to outside parties, and no customer wants tracking cookies or other privacy-compromising code planted on their machine without their knowledge. The worst problem iPremier could face is the corporate liability that follows if it fails to protect the customer data it stores internally.

Companies that suffer theft of customer information incur significant direct and indirect expenses. The 'Fourth Annual US Cost of Data Breach Study 2008-2009' by the Ponemon Institute breaks the cost of a data breach and its response into four cost centers: detection and discovery, escalation, notification and ex-post response. The study adds that "In addition to these four process related activities, most companies experience opportunity costs associated with the breach incident, which results from diminished trust or confidence by present and future customers" (Ponemon, 2008). Figure 1 in the Appendix shows total breach costs as a function of the number of records compromised. According to the same research, "The negative publicity associated with a data breach incident causes reputation effects that may result in abnormal turnover or churn rates as well as a diminished rate for new customer acquisitions" (Ponemon, 2008). Figure 2 in the Appendix shows the abnormal churn rates of five different industries after an IT security breach. Consider the case of TJX Companies Inc., listed on the New York Stock Exchange, which was the victim of an unauthorized intrusion into its computer systems.
It took seventeen months for the company even to discover the intrusion into its customer payment transaction systems. The intruders had access not only to customers' credit card numbers but also to their social security numbers and driver's license numbers, and the cost of the breach had reached $216 million, largely in the form of lawsuits by customers (Wikipedia, 2010). A breach of this kind at iPremier could result in the collapse of the company under the resulting lawsuits. Lastly, a company's reputation directly affects market sentiment. If such events are not handled properly by public relations, they can be destructive: market sentiment turns against the company and its stock market value drops sharply.

IMPENDING ATTACKS
A further attack on iPremier's servers in the near term is quite possible, since the attack was not stopped by iPremier or Qdata staff; it ended only when the attackers themselves chose to stop. Because iPremier has neither backups of the relevant data nor a detailed analysis of its logs, it has no idea how its systems were exploited. Without that knowledge iPremier cannot verify the availability, confidentiality or integrity of its current database. iPremier should treat this attack as an early warning and immediately review its current...
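As an added illustration of the log analysis this paragraph says iPremier lacked (example code written for this page, not part of the case or of iPremier's or Qdata's systems), the following Python scans constructed Common Log Format web-server lines for the first two questions a DoS investigation asks: which source addresses exceeded a per-minute request threshold, and which URLs they targeted. The addresses, timestamps, paths and the threshold of 30 requests per minute are all assumptions; the make_line helper only builds the sample lines, and a malformed line is included to show that bad input is skipped rather than crashing the review.

```python
"""Added example: per-source request-rate review over constructed access logs.

Nothing here comes from the iPremier case; IPs, dates, paths and the
threshold are assumptions for illustration.
"""
import re
from collections import Counter
from datetime import datetime

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it is malformed."""
    m = CLF.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def requests_per_minute(lines):
    """Count requests per (source ip, one-minute bucket); malformed lines are skipped."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        counts[(rec["ip"], rec["ts"].replace(second=0))] += 1
    return counts


def flag_flooders(lines, threshold):
    """Return [(ip, minute, count)] for every bucket above threshold, largest first."""
    hits = [(ip, minute, n)
            for (ip, minute), n in requests_per_minute(lines).items() if n > threshold]
    return sorted(hits, key=lambda h: h[2], reverse=True)


def top_paths(lines, ip, limit=3):
    """Most-requested paths for one source: shows what the flood was aimed at."""
    paths = Counter(rec["path"] for rec in map(parse_line, lines)
                    if rec and rec["ip"] == ip)
    return paths.most_common(limit)


def make_line(ip, ts, path, status=200, size=512):
    """Build one constructed CLF line (sample data, not a real log)."""
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} {size}'


# Constructed sample: three ordinary requests, one garbage line, and one
# source (198.51.100.9, a documentation address) sending 60 requests in
# minute 04:31 and 40 in minute 04:32, all to the search page.
SAMPLE_LOG = [
    make_line("10.0.0.5", "12/Jan/2007:04:31:02 -0500", "/index.html"),
    make_line("10.0.0.5", "12/Jan/2007:04:31:20 -0500", "/catalog"),
    make_line("10.0.0.7", "12/Jan/2007:04:31:41 -0500", "/cart"),
    "this line is garbage and must be skipped",
]
SAMPLE_LOG += [make_line("198.51.100.9", f"12/Jan/2007:04:31:{s:02d} -0500", "/search?q=a")
               for s in range(60)]
SAMPLE_LOG += [make_line("198.51.100.9", f"12/Jan/2007:04:32:{s:02d} -0500", "/search?q=a")
               for s in range(40)]

if __name__ == "__main__":
    for ip, minute, n in flag_flooders(SAMPLE_LOG, threshold=30):
        print(f"{ip} sent {n} requests in minute {minute:%H:%M}; "
              f"top paths: {top_paths(SAMPLE_LOG, ip)}")
```

Run against the constructed sample it reports 198.51.100.9 twice (60 and then 40 requests in consecutive minutes) with /search?q=a as the only target, and the ordinary customers never appear. On real logs the threshold has to be set from the site's own baseline, and a distributed flood would show up as many sources each just under it, which is why per-path totals are reported alongside per-source counts.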
References

Ponemon, L. (2008). Fourth Annual US Cost of Data Breach Study. Ponemon Institute.

Wikipedia. (2010). TJX Companies. Retrieved May 9, 2010, from http://en.wikipedia.org/wiki/TJX_Companies

Federal Financial Institutions Examination Council (FFIEC). (2006, July). Information Security.

Trusted Information Sharing Network. (2006, June). Managing DoS Attacks. Retrieved May 9, 2010, from http://www.dbcde.gov.au/__data/assets/pdf_file/0013/41314/DoS_CIO_Executive_Summary.pdf