Attacks on e-commerce Web sites have online merchants in a cold sweat over revenue losses. But Web-savvy CPAs can help clients by offering these e-sabotage
Conduct a risk assessment of the enterprise. If possible, do it before implementing technical controls, so that the weaknesses it uncovers can be eliminated in the design rather than through costly adjustments after the fact.
Develop security standards. Put them in a written security policy and communicate it to employees so they understand their responsibilities, the penalties for violations and what to do if they suspect online security has been breached.
Test defenses. Conduct a full systems audit that actually exercises the security controls, especially firewalls, to identify weak points. Include every remote path into the systems, not just the Web server: e-mail, the Internet and dial-in telephone lines.
Get an independent opinion on security measures. Have an objective outsider evaluate overall online security, including firewalls, antivirus software and risk
Limit access to e-commerce controls. Give access to the fewest people and the fewest systems possible, and only for the minimum time it takes to perform essential functions. Use authentication tools, such as passwords, smart cards and digital certificates, to verify
Use firewalls to block intrusions. Route all traffic between the company network and the Internet through a single control point where each connection can be checked for compliance with the security policy, and deny anything the policy does not explicitly allow.
Monitor employees' online activity. Use systems management tools to enforce security policies consistently across multiple online environments and to automate the granting and removal of user access. Use e-mail analysis tools to intercept and scan e-mail for possible security
Monitor networks for unusual activity. Determine whether installing additional security measures or system resources, such as RAM, would reduce the impact of an attack (extra capacity helps mainly against floods that try to exhaust a server's resources). Also, use intrusion detection software to maintain overall awareness of possible threats to systems, for example surreptitious large-scale incursions during
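As an added illustration of what intrusion detection software does with ordinary Web-server logs (example code written for this page, not part of the original article or of any product it mentions): the script below parses access-log lines in the Common Log Format, keeps a per-source sliding window, and raises an alert when one address either piles up client errors (a scanner probing for files that are not there) or exceeds a request rate (a flood). The log lines, addresses, paths and thresholds are all constructed for the example.

```python
"""Added example: flag suspicious bursts in Web-server access logs.

Constructed sample data and assumed thresholds; not code from the original article."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# NCSA Common Log Format: host ident user [time] "request" status bytes
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "src": m["src"],
        "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect_bursts(lines, window_seconds=30, max_requests=20, max_errors=5):
    """Alert once per source address when, inside a sliding window, it either
    produced max_errors or more 4xx responses (probing for things that are not
    there) or more than max_requests requests of any kind (a flood).
    The thresholds are assumptions; tune them to the site's normal traffic."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["time"])
    recent = defaultdict(deque)      # source address -> events still inside the window
    alerts, already_alerted = [], set()
    for ev in events:
        hist = recent[ev["src"]]
        hist.append(ev)
        cutoff = ev["time"] - timedelta(seconds=window_seconds)
        while hist and hist[0]["time"] < cutoff:
            hist.popleft()           # drop events that fell out of the window
        errors = sum(1 for h in hist if 400 <= h["status"] < 500)
        reason = None
        if errors >= max_errors:
            reason = "error burst"
        elif len(hist) > max_requests:
            reason = "request rate"
        if reason and ev["src"] not in already_alerted:
            already_alerted.add(ev["src"])
            alerts.append({
                "src": ev["src"],
                "reason": reason,
                "requests": len(hist),
                "errors": errors,
                "first": hist[0]["time"].isoformat(),
                "last": ev["time"].isoformat(),
                "paths": sorted({h["path"] for h in hist})[:5],
            })
    return alerts


def _line(src, hhmmss, path, status):
    # Builds one constructed log line; the date, addresses and paths are made up.
    return f'{src} - - [10/Mar/2000:{hhmmss} -0500] "GET {path} HTTP/1.0" {status} 210'


# Constructed sample log: a normal shopper, a scanner, and a flood from one address.
PROBE_PATHS = ["/cgi-bin/phf", "/cgi-bin/test-cgi", "/admin/",
               "/manager/", "/backup.zip", "/orders.mdb"]
SAMPLE_LOG = (
    [_line("10.0.0.5", "14:02:01", "/index.html", 200),
     _line("10.0.0.5", "14:02:09", "/cart.cgi", 200)]
    + [_line("192.0.2.44", f"14:03:0{i // 3}", p, 404) for i, p in enumerate(PROBE_PATHS)]
    + [_line("198.51.100.7", f"14:05:{i:02d}", f"/catalog.cgi?id={i}", 200) for i in range(25)]
)

if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_LOG):
        print(alert)
```

Run against the sample, the shopper produces nothing, the scanner trips the error rule on its fifth 404 within two seconds, and the flooding address trips the rate rule on its 21st request. A real deployment would read the live log, carry the window across runs and feed alerts to whoever is on call; the point of the sliding window is that it reacts to bursts rather than to daily totals, which is what "unusual activity" looks like in practice.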
Consult the Internet service provider. Determine whether it can block attacks before they reach company systems.
Inform the proper authorities when systems are violated. Stress the importance of preserving system activity logs, unaltered and in their original form, since they may help identify intruders.
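One way to preserve logs so that later tampering can be detected, as an added example that is not from the original article: each record is chained to the previous one with a SHA-256 digest, and the final digest is recorded somewhere the intruder cannot reach (write-once media, a printout, a message to an outside party). An intruder who later edits, inserts or deletes a record cannot make the chain match that recorded digest again. The sample log lines, host name and addresses are constructed.

```python
"""Added example: tamper-evident preservation of activity logs with a hash chain.

Constructed sample records; not code from the original article."""
import hashlib

GENESIS = "0" * 64   # starting digest; a real deployment carries over the previous day's final digest


def _digest(previous, record):
    # Each record's digest binds it to everything that came before it.
    return hashlib.sha256(f"{previous}\n{record}".encode("utf-8")).hexdigest()


def seal_log(records, previous=GENESIS):
    """Return [(record, digest), ...]; the last digest summarises the whole log."""
    sealed = []
    for record in records:
        previous = _digest(previous, record)
        sealed.append((record, previous))
    return sealed


def final_digest(sealed):
    return sealed[-1][1] if sealed else GENESIS


def verify_chain(sealed, previous=GENESIS, expected_final=None):
    """Return the index of the first record whose digest does not fit the chain,
    or None if every record checks out (and the final digest matches, if given).
    Editing, inserting or deleting a record breaks the chain from that point;
    only the recorded final digest catches records dropped from the end."""
    for i, (record, digest) in enumerate(sealed):
        if digest != _digest(previous, record):
            return i
        previous = digest
    if expected_final is not None and previous != expected_final:
        return len(sealed)     # records were dropped from the end
    return None


# Constructed sample activity log (syslog-style lines; host, times and addresses are made up).
SAMPLE_RECORDS = [
    "Mar 10 14:03:00 web1 httpd: 192.0.2.44 GET /cgi-bin/phf 404",
    "Mar 10 14:03:05 web1 sshd: Failed password for root from 192.0.2.44",
    "Mar 10 14:03:07 web1 sshd: Failed password for root from 192.0.2.44",
    "Mar 10 14:03:40 web1 sshd: Accepted password for root from 192.0.2.44",
]


def tamper_demo():
    """Show that editing one record, or deleting the last one, is caught."""
    sealed = seal_log(SAMPLE_RECORDS)
    record_of_truth = final_digest(sealed)    # store this off the possibly compromised host

    edited = list(sealed)                     # intruder rewrites the source address in record 3
    edited[3] = (edited[3][0].replace("192.0.2.44", "10.0.0.5"), edited[3][1])

    truncated = sealed[:-1]                   # intruder removes the incriminating last record

    return {
        "intact": verify_chain(sealed, expected_final=record_of_truth),
        "edited": verify_chain(edited, expected_final=record_of_truth),
        "truncated": verify_chain(truncated, expected_final=record_of_truth),
    }


if __name__ == "__main__":
    print(tamper_demo())
```

The chain only proves that the records have not changed since they were sealed, so sealing has to happen as the lines are written (or on a separate log host) rather than after a breach is noticed; by then the intruder may already have had the chance to edit the files.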
Assurance Services Division, 2000. For information on CPA WebTrust, go to www.cpawebtrust.org