XYZ Corporation had developed its business through franchising to create a network of stores around the country. Inspired by the phenomenal revenue growth reported for online retailers, XYZ Corporation decided to set up an online presence.
It found a company that produced excellent, eye-catching World Wide Web pages to provide an enticing on-line image. XYZ Corporation was excited about the impressive face it would present on the internet. To the Web site it linked a product catalogue, a shopping cart for taking orders, and a payment gateway to process credit card payments. The implementation was comparatively simple, using off-the-shelf components for the catalogue, shopping cart and payment gateway system.
The Web developer had done a good job in submitting entries to search engines, and people soon started to visit the Web site. XYZ Corporation was delighted as orders started to appear online, including some from overseas. This, it discovered, was a mixed blessing, as it had not thought about the implications of shipping goods overseas in a timely and cost-effective way.
However, a far more serious problem emerged. XYZ Corporation began to find that it was a target for credit card fraud. It sometimes took weeks after filling an order until XYZ was advised of the fraud. As XYZ was experiencing a high incidence of fraud, its merchant fees for card processing were increased.
XYZ had felt a high degree of confidence in the service provider because most of the components were commercial, off-the-shelf software products. However, the service provider had insufficient experience of establishing strong business processes online to protect against fraud. The service provider’s lack of experience had also resulted in a poorly integrated system, leading to frequent disruption of the interfaces between the Web front-end and the back-office systems used for processing orders and managing stock.
XYZ was also getting many complaints from its franchisees. The online system had been set up as a retail channel in competition with the franchisees’ physical stores. However, when online customers had a problem with a product, they went straight to the nearest store for a resolution or a refund.
XYZ Corporation abandoned its Web site in frustration, having soured relationships with franchisees as well as suffering losses through high levels of fraud.
XYZ then sought advice from a consulting organisation that had experience in establishing successful e-commerce sites and also approached the franchisees to develop a co-operative model of online retail in which all parties shared the benefits.
The consultants helped XYZ to implement various methods for reducing credit card fraud. In addition, XYZ sought the help of an experienced systems integrator to ensure that the front-end and back-end systems were integrated in a reliable, robust manner, with effective audit trails and recovery mechanisms. The consultants reviewed the completed system and assured XYZ that it would be more robust and that it would provide greater protection from fraud.
Before the consultants left, they advised XYZ to thoroughly review other elements of systems security. Although the internet provides many new business opportunities, it can also expose the business to a greater range of threats from hackers and viruses.
The systems manager for XYZ assured management that he had already begun looking at this issue and would soon have measures in place.
After researching products through the Web, and seeking advice from various product vendors, the systems manager implemented the latest anti-virus tools from a leading vendor, and a firewall to provide a controlled entry point between the outside world (the internet) and the XYZ systems. To be on the safe side he used the default settings that were recommended by the vendors of the product.
For a while, XYZ had steady growth in sales over the internet, and the revised approach to managing payments reduced the incidence of fraud to acceptable levels. The company, having learnt other business lessons from the first attempt, experienced much improved relationships with its customers and franchisees.
The systems manager was pleased that he had the defences to protect the new system from external threats, and he decided to focus his attention on other matters. The project had taken a long time to implement and he now became occupied with a multitude of other work requests that had been largely neglected during the project.
However, signs began to emerge that all was not well, the first being the increasing incidence of viruses reported to the help desk.
Preoccupied with other matters, the systems manager did not have time to read the bulletins sent by the vendors of the firewall and anti-virus products. These pointed out the latest security weaknesses being exploited by hackers and virus creators, and offered advice on how to deal with these threats. The answer lay partly in configuration changes to the firewall, or in downloading updates to products from the internet. The bulletins also warned of patches available from the operating system vendors to deal with exposures in operating systems and Web server products.
In these circumstances the inevitable happened, and a “worm” infected the XYZ systems over the internet. Unfortunately, this worm had two effects. It corrupted the internet sales system of XYZ, and it also propagated itself through the e-mail address books of XYZ Corporation staff. A lot of trading partners of XYZ received a stream of infected e-mails. Most of these organisations had effective security in place and were not affected to any extent, but they expressed their concern that XYZ did not have the controls in place to prevent such outcomes.
Meanwhile, the XYZ systems manager was struggling to recover the systems, and he eventually sought the help of security specialists to clean up and restore the systems. The recovery of the systems was expensive, as was the loss of revenue from this sales channel. If the organisation had relied purely on the on-line presence for sales, this disruption could have been enough to put the business into receivership. Given the highly publicised dot-com collapses, lenders were unlikely to have shown any patience if XYZ had got into financial difficulty.
Warily XYZ opened up its online store again, and after a month the sales volumes started to return to previous levels. Just as everyone was breathing a sigh of relief, the Web site was struck by a “denial of service” attack that effectively shut down the online store for more than a day. These hacker attacks are designed to continuously flood a Web site with access requests, until the systems become overloaded, stop responding to legitimate user access requests, or fall over completely. The result is that no business can be conducted until the attacker stops the activity, or the system defences suppress or divert the attack in some way. In frustration, XYZ sacked the systems manager and appointed a contractor from a leading security company to help the company go forward once again.
A few days later, the systems manager happened to attend a seminar on information systems security. After the formalities were over, the systems manager approached the security specialist and talked about his experiences. “Where did I go wrong?” he asked. The security specialist pointed out that the greatest mistake was to dive into buying products and tools, expecting that technology would solve everything, and reminded him that there are all sorts of potential security threats, internal and external.
Who should have had responsibility for the organisation’s security policy and how should this policy have been implemented? How can the privacy of communications across the globe be protected? How can XYZ protect the privacy of e-mails and files on the systems managed by the service provider? How should XYZ have approached the process of establishing an online store? How could XYZ have developed a more balanced approach to its franchisees and the implementation of the online system?
Proposed Solution #1
Edward McKenzie is a retired businessman who established an online store to complement his woodcraft hobby shop. The greater market allowed him to increase sales by introducing his products to clients from all over the world.
A fundamental principle, and one apparently ignored by the management at XYZ, is that internet and Web services are designed to supplement existing services. Internet trading is not a magic panacea and will not miraculously cause profit to soar. A well devised internet solution can, and will, give you greater access to customers – internal and external – as well as offering clients more convenience and flexibility, and freeing you from the tyranny of distance.
XYZ made mistakes from day one. It did not have an introduction strategy, it did not seem to have done the research and it did not employ a service provider with sufficient commercial experience to implement and integrate the systems. The bottom line is that the merchant should be aware of, and responsible for, issues of security. In the same way companies investigate and interview employees with reference checks, and so on, XYZ should have investigated its service provider thoroughly. And, just because a product is a commercial, off-the-shelf package, it does not guarantee security. If XYZ did not have the ability to monitor credit card security, there are plenty of companies that specialise in providing these services to other organisations.
On the wider picture of security in general, it is the responsibility of all staff to be aware of the dangers stemming from viruses and hackers. However, it is the overall responsibility of the management to ensure that IT policies are well formulated and staff are educated to understand the repercussions of violating the IT policy. The management also has to be prepared to spend the money needed to continually upgrade and update systems.
Privacy, as many people know, is an increasingly important part of any business. Data encryption and secure sites for online forms are just two ways of ensuring that information is protected. But the company also needs to have people policies in place. This includes restrictions on the kinds of information that can be included in e-mails, acknowledgement that sections of the site will be insecure, and simple techniques such as getting employees to “lock” their desktops when they are away from their desks.
On the second attempt to set up an on-line service, XYZ had learnt from its mistakes and hired specialists and consultants to assess its overall needs and what was required to meet them. Unfortunately XYZ did not retain these experts after the initial re-establishment period. In my opinion, XYZ should not have shelved the online service after attempting to implement it the first time. The company should have fixed the process there and then. Letting it fall into disuse then resurrecting it is certain to have alienated some customers. A simple note on the front page of the site explaining that the system was being upgraded and offering an apology for any inconvenience would have helped to keep customers happy and, more importantly, would have told the world that the company was aware of the problem and was doing something to fix it.
So what should XYZ have looked at before it began setting up an online store?
1) Need: why was the company establishing an online store in the first place, and was it an integrated part of an overall sales plan?
2) Ability to deliver: this point relates to products and services. Did the company have the product to attract online customers?
3) Technology: was the company prepared to spend the money to create up-to-date and effective systems?
4) Effect on existing services.
5) The franchisees: they should have been made part of the process from the beginning. Establishing an online store that competed with them was commercial suicide. For most people, good, old fashioned “bricks and mortar” store fronts are still more attractive than a picture on a computer screen. In the second set-up attempt, XYZ employed a consultative approach and got the franchisees involved – exactly what it should have done right from the start.
XYZ’s main problem was the inadequate thought and planning that went into the establishment of the online store. A good business plan, a bit of research and a commitment to creating a service that helped the company, its customers and the franchisees would have gone a long way towards averting the disasters.
Proposed Solution #2
Tony Dixon is the CTO of AeM Consulting Group, a leading information technology consulting organisation that works with selected clients to achieve improved business performance.
An organisation as a whole must take responsibility for creating a security policy and for adhering to it. Successful policies require co-operation from all staff. The implementation of the policy will require organisational change in terms of culture, processes, and systems. For this reason, senior-level sponsorship is a must.
Middle-level management will be responsible for the day-to-day implementation and enforcement of the policy. Technical resources will implement the policy at a systems level. All members of the organisation should be aware of the policy, believe in its merit for their organisation and understand how to play their part.
The policy will need to be managed over time. For large organisations this means employing a permanent security officer, and for smaller organisations it may mean periodically calling on the services of a security consultant.
In regard to privacy, information flowing across the internet can be intercepted and read by anyone with the technical know-how. The only way to combat this is to “scramble” or encrypt the information before sending it.
Management has to assume that XYZ has put in place systems administration and security processes that will update virus checkers, systems security patches, usage monitoring and myriad general system security activities.
There are some further privacy questions that need to be considered, and two of the most important ones are:
1) Is the person I am communicating with really who they say they are?
2) How do I know that the message has not been altered in transit?
The first point is answered with authentication and authorisation. The most common ways of implementing this are:
- Username and password
- Smartcards and pass cards
- Biometrics, such as finger or hand print scans, and voice recognition
The second point is more insidious and difficult to manage but it can be tackled with digital signatures.
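The two questions above (is the sender who they claim to be, and has the message been altered in transit) are both answered by one signature check, and the following Go program shows how. It is an added example, not part of the case study or of AeM Consulting Group’s material, and it uses Ed25519 from Go’s standard library; the order text and the key pairs are constructed for the demonstration. A genuine order verifies, a copy with a single byte changed fails, and a check against a stranger’s public key also fails, which is the “authenticity” half of the question.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Signed pairs a message with a detached Ed25519 signature over it.
type Signed struct {
	Message   []byte
	Signature []byte
}

// GenerateKeys creates a fresh Ed25519 key pair for one party. In practice
// the public key is distributed to the other side (for example in a
// certificate); the private key never leaves its owner.
func GenerateKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign signs msg with the sender's private key.
func Sign(priv ed25519.PrivateKey, msg []byte) Signed {
	return Signed{Message: msg, Signature: ed25519.Sign(priv, msg)}
}

// Verify answers both questions from the text at once: it returns true only
// if the signature was made by the holder of the private key matching pub
// (authenticity) and the message is byte-for-byte what was signed
// (integrity). Malformed key or signature lengths are rejected outright
// rather than being passed to the library, which would panic on a bad key.
func Verify(pub ed25519.PublicKey, s Signed) bool {
	if len(pub) != ed25519.PublicKeySize || len(s.Signature) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, s.Message, s.Signature)
}

// Tamper returns a copy of s in which one byte of the message has been
// flipped, standing in for alteration in transit. The signature is left as
// it was, so Verify must now fail.
func Tamper(s Signed, pos int) Signed {
	msg := append([]byte(nil), s.Message...)
	if pos >= 0 && pos < len(msg) {
		msg[pos] ^= 0x01
	}
	return Signed{Message: msg, Signature: s.Signature}
}

func main() {
	pub, priv, err := GenerateKeys()
	if err != nil {
		panic(err)
	}
	// Constructed sample order, not taken from the case study.
	order := []byte("order=1001 item=lathe-chisel qty=1 total=49.95")
	s := Sign(priv, order)
	fmt.Println("genuine order verifies:", Verify(pub, s))             // true
	fmt.Println("altered order verifies:", Verify(pub, Tamper(s, 40)))  // false
	otherPub, _, _ := GenerateKeys()
	fmt.Println("verified with a stranger's key:", Verify(otherPub, s)) // false
}
```

Note that a signature protects authenticity and integrity but not confidentiality: the order text is still readable by anyone who intercepts it, which is why the earlier paragraph’s advice to encrypt the information before sending it still applies alongside signing.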
XYZ made the common mistake of “jumping in” before it understood the business implications of an online store with no business plan for the e-commerce venture, no feasibility study and no analysis of return on investment.
Even after the business planning was completed, it would have been prudent for XYZ to venture into e-commerce using a controlled and phased approach. For example, the first version of the online store may be limited in terms of product range, geographical region of target customers, or level of systems integration.
Typically, franchisors are in the business of franchising, not selling a retail product. It would be highly unusual for the franchisor to sell direct to the customer, thereby becoming a competitor with the franchisees.
However, there may be good reasons for the franchisor to set up a centralised online store, such as:
- Maintaining consistency between the online sites of the franchisees.
- Providing a valuable service to the franchisees, especially those without the funds or expertise to set up and operate an online store of their own.
- Sharing the expense of a highly secure, well backed up, 365 days per year online store across all franchises.
- Simply administering the revenue issues that often arise when the online business channel cuts across established geographically based territories.