December 2000
A risk too far:
The corporate governance
implications of IT security
by Vistorm
Introduction

Today's economy is fundamentally different from yesterday's. We are living in the Information Society where wealth comes from being connected. E-commerce is no longer a theory but a reality. Industry analyst Gartner predicts that the value of business carried out using the Internet in the U.K. will rise from $12 billion to $235 billion in just four years - representing a massive 20-fold growth. Indeed, the U.K. government aspires to make the U.K. the best place in the world for e-commerce and has a target to have one-third of all connected businesses trading online by 2002.

In a world where only the fittest survive, getting it wrong can be life threatening. After all, a staggering two-thirds of the companies listed on the Fortune 500 index in 1954 had either vanished or were no longer big enough to make the list forty years later. So, as companies large and small embrace the opportunities presented by the Internet, are they, and the investment institutions that back them, taking account of the threats posed by making their organizations accessible to all?

As a company whose raison d'être is to enable organizations to maximize the rewards, while minimizing the risks, of the new economy, Vistorm wanted to investigate just how seriously today's business and investment worlds are trying to balance the risks and rewards presented by the Internet revolution. Because of the pervasive nature of the Internet, most organizations have opened their business to Internet transactions and communications. Around 378 million people (NUA Internet Surveys) are currently connected in today's global village. The increased proliferation of Internet access and related intranet/extranet use has significantly increased the risks organizations face in terms of IT related security threats.

So, what role do senior executives play in ensuring their IT infrastructures are secure enough not to pose a threat to fundamental business processes? During the 90s the Greenbury and Cadbury codes set out principles of good governance and best practice for corporations. Within these codes, directors have various liabilities including responsibility for protecting company assets and shareholder interests. More recently, the Turnbull Report goes deeper into laying down internal control requirements including a review of the system of internal control and reporting to shareholders. Whilst previous guidance has alluded to risk management, the focus has now moved considerably towards placing not only greater, but particular, emphasis on the management discipline of risk management. Indeed, in a recent report, Gartner wrote, "Done correctly, information security is all pervasive within the enterprise, done incorrectly, or not at all, it can cost you your business."

High profile viruses like the 'LoveBug' and the 'Christmas card' have shown how easy it has become to pose a threat to businesses of all sizes, and how potentially damaging an apparently innocuous virus can be to the viability of a business if it undermines the core operations of the business or damages its reputation or brand value.

The following quote from New Media Age in August this year reinforces the cost of getting it wrong. "When online auction house eBay suffered a 22 hour outage last summer, the stock spiraled downwards by 26 percent and the company claims to have missed out on more than $5 million in revenues from lost sales … the correlation between eBay and your company may seem spurious. However, if you're planning to adapt your business model to suit the new economy, then uptime will be just as valuable to you in a few short years. Even smaller businesses cannot hide from this trend, since they will be increasingly called upon to integrate themselves into larger supply chains."

Because of these pervasive threats, directors, and the fund managers who are entrusted with the savings of the average man in the street, need to demonstrate that they are taking the IT and Internet security issue seriously. This is particularly important when one takes into account the fact that about 70 percent of all security breaches come from inside the organization - whether intentionally or unintentionally.

So, how do these two communities match up to this challenge? If the DTI survey published in April 2000 is an indicator, not too well. The survey showed that some 86 percent of companies do not have a security policy. Vistorm decided to see what lay behind the results of the DTI survey.

Objectives

The survey was designed to address the following issues:

  • examine to what extent IT/Internet security is taken into account when assessing companies for investment;
  • investigate the level of understanding within the investor community of the risks to the business and, therefore, investment funds associated with IT/Internet security;
  • establish whether decisions are based on an appropriate assessment of risk;
  • determine to what extent fund managers are dependent on the information provided by directors for making sound investment decisions;
  • assess how adequately directors are protecting shareholder interests and company assets by embracing the corporate governance recommendations of Turnbull.

Methodology

Vistorm decided to look at the perceptions of fund managers because of their pivotal role in the wealth-creation process and the impact that their decisions have on everyone - from the man in the street to the largest corporation.

A qualitative survey was conducted by Aspect International Consulting during July 2000 and a quantitative survey was completed in October 2000. The objective of the qualitative research was to gain insight and understanding into the issues associated with fund management with the intention of quantifying the main issues using the quantitative survey.

A representative sample of 50 fund managers with specific responsibility for pension fund management was interviewed in the quantitative survey. The organizations for which these fund managers work were sourced from the FMA membership list and a list provided by AP Information Services of Pension Funds and their advisors.

Executive summary

The research findings highlight profound corporate governance and investor protection issues:

1. IT/Internet security blindness

The absence of a formal disclosure process may leave investors exposed to unnecessary and unacceptable risks.

If delivering increased shareholder value is the top priority, then business leaders should be balancing the desire to grasp opportunities with the need to install the business systems and policies to minimize threats as much as possible.

The survey reveals that, whilst twice as many fund managers are concerned about IT security as there are businesses with an IT security policy, the majority of fund managers appear not to be concerned with the risk of security breaches on company performance. The key reason is the lack of a standard reporting method and the inability to verify the information. So it would seem that we are in something of a Catch 22 situation. Until a formalized process is set in place by management that enables fund managers to draw like-with-like comparisons, the investment community will be unable to evaluate how watertight today's corporations are against IT and Internet security breaches.

  • 72 percent of fund managers give only minor consideration, or do not consider at all, the threat of Internet-related security breaches when making investment decisions.
  • 80 percent of fund managers do not feature IT and Internet security highly in their assessment of investments - the remaining one-fifth does feature it highly.
  • Two-thirds of fund managers, however, see IT and Internet security as being important or more important than the other criteria they study when assessing an investment opportunity.
  • The reasons cited by fund managers for not assessing the risk of IT and Internet security are:
      • 36 percent feel that there is a lack of appropriate information;
      • 34 percent claim that the absence of a standardized process hinders evaluation;
      • 30 percent feel that as the information that is received is not verifiable it cannot feature highly.
  • 54 percent of fund managers say that if there is a standardized reporting method then they will consider Internet security in investment decisions.
  • The vast majority of the respondents (86 percent) expected organizations to already have an IT security plan and policy in place to react to breaches. This is particularly significant when you compare it to the DTI's Information Security Breaches Survey 2000 that questioned 1,000 UK organizations and found that only 14 percent of organizations already had a formal IT security policy in place. It also found that nearly three-quarters of organizations that had suffered a serious security breach had no contingency plan to deal with it.

2. Potential risks to core business systems are seen as trivial

Despite the fact that we live in a knowledge-based economy, the survey exposes that there is a general lack of understanding amongst the investment community about the precise risks to an organization's core systems from security breaches. Indeed one-fifth see the potential damage as trivial. And only eight percent believe a security breach would impact revenue or profit by more than £1 million. This perception is brought into stark focus by the latest Datamonitor report. It estimates that damage to e-business from security breaches is running at $15 billion annually and PricewaterhouseCoopers puts its estimate of global damage at $1.6 trillion!

The core problem is that many do not appear to understand how an Internet security breach can impact on the fundamental systems that keep the business running, except where the business trades online or works in the financial services sector. This is backed up by the recent DTI survey, which found that over 30 percent of organizations did not realize their information was either sensitive or critical and was therefore a business asset.

This raises cause for concern in the light of recent high profile security breaches at large organizations such as major retailers and banks. It also highlights the fact that many such damaging breaches actually come from the inside - often unintentionally. The DTI estimates that 70 percent of all breaches come from within the organization.

So it would appear that just as with children, learning from others' misfortune is simply not enough to drive home the message. The IT industry must now play a far greater educational role and explain to the market the inherent risks associated with leaving mission critical business systems exposed in the race for competitive advantage in the new economy.

  • One in five fund managers consider that security breaches will not affect the profitability of an organization.
  • Almost one-third expect blue chips to be covered so do not feel the need to worry about the impact of a security breach.
  • Paradoxically, 46 percent of organizations expect that the impact of a security breach will increase with the size of an organization.
  • 57 percent of the sample perceive that IT security plays a greater role in the assessment of funds within the banking and finance sector and 15 percent cite any online business. The recent Cap Gemini Ernst & Young survey into financial services companies identifies that security has been dwarfed by the need to get e-commerce offerings to the marketplace fast enough to hold customers and retain market share. Alarmingly, despite a string of recent Internet security scares, only four percent felt that security was important.
  • About a quarter of fund managers perceive that Internet/IT security is important to all business sectors. Other answers to the survey point to this proportion of the fund management community being much more aware of the issues - showing that the message is being received more quickly by fund managers than by business leaders (only 14 percent of companies have an IT security policy).
  • Disturbingly, 11 percent see Internet security as NOT being important to any sector at all.

This raises the question about who should be responsible for identifying the risk for investors. Should fund managers be more meticulous in their research? Or is it incumbent on directors to make those that invest aware of the potential hazards rather than allowing them to remain in blissful ignorance?

Recent consumer behavior shows that the general public will mobilize against organizations that they believe have not acted in their best interests. The recent calls for airlines to highlight the health risks of long haul air travel shows that non-disclosure of risk is not acceptable in today's society.

In the past, IT and Internet security has been sold as a 'threat insurance', which may be why some companies tend to make security a priority only when they have an incident or when a new virus emerges. If an organization does not fully understand the threats, it is less likely to put budget into security.

So in the new economy, success may actually come from managing risk more effectively than chasing opportunities. Smart companies embrace risk, look for more of it, and figure out how to do business in the face of it.

But while directors are taking risks every day, they are not explaining the full importance of these risks to the people who take risks with savers' money - thus compounding the potential exposure to failure for the average man's pension or savings.

To reinforce this point, 52 percent of fund managers said that if they were aware that a security breach would impact on everyday operations it would have a significant or major impact on their investment decisions.

3. Caught in the knowledge gap - hawk-eyed fund managers lead the way

It is evident from the responses to the survey that there are three types of fund manager emerging:

  • Fund Hawks - About one quarter are security-risk aware and thoroughly professional about taking IT/Internet security implications into account. 18 percent are primarily concerned with the threat of security breaches in investment decisions. 26 percent believe that IT security plays a greater part in investment decisions for all sectors, which is more than double the percentage of companies with an IT security policy - making fund hawks role models for business leaders;
  • Fund Pigeons - Around half of the sample are caught out by the knowledge gap (because they do not have access to information and rely on directors to disclose risks), and so have only minor concerns about the impact of security breaches on investment decisions;
  • Fund Ostriches - Approaching a quarter bury their heads in the sand and are consequently risky people to have around. The survey shows that they are complacent about the risks and are not concerned at all about the threat to investment from IT/Internet security breaches.

Only 8 percent of fund managers believe that security breaches will cost a business more than £1 million in lost revenue or profit. PricewaterhouseCoopers estimates the global damage to be $1.6 trillion.

Security breaches from the Internet could seriously impact investment performance moving forward. Computer Economics estimates that the 'LoveBug' virus caused £6 billion-worth of damage on its own. Gartner believes that 80 percent of all companies in the world will have suffered a security breach already this year. Whichever estimate is correct, the reality is that businesses are suffering much more than fund managers currently believe to be the case.

  • The threat of IT related security breaches is considered as a primary concern for 18 percent of fund managers. Tellingly, to 48 percent it is only of minor concern and almost a quarter do not consider it as part of their investment criteria at all.
  • Two out of four fund managers, however, rate IT and Internet security as more important than other assessment criteria. A further 26 percent see it as important and 32 percent as less important.
  • Currently, a substantial number of fund managers (32 percent) do not find out about a company's IT and Internet strategy. An additional 32 percent speak to the company's management team but do not appear to follow this up.
  • A significant 80 percent of fund managers do not feature IT and Internet security highly in their investment decisions.
  • If there were a standardized reporting method for IT and Internet security, however, a reassuring 54 percent would consider it in their investment assessment.

4. Directors ignore at their peril the need for a published IT/Internet security policy

Under the Cadbury and Greenbury Codes of Practice, the directors of a company have a responsibility to ensure that they protect the company assets and also shareholder interests.

Now the Boards of Directors of UK listed companies are studying the latest Corporate Guidance for Internal Control (known as the Turnbull report) published by the Institute of Chartered Accountants. While previous guidance has alluded to risk management, the focus of the Turnbull report moves considerably towards placing particular emphasis on the discipline of risk management. This is illustrated by one of the report's main objectives to develop guidance that:

"Identifies sound business practice, linking internal control with risk management, which when applied will enable the requirements of the Combined Code to be satisfied."

In today's increasingly competitive and global world, businesses must learn to be proactive rather than reactive to risk. It is imperative that businesses establish the exact status as to how effectively they are managing risk across the organization by creating and publishing a policy on IT/Internet security. In the context of the survey, fund managers recommend disclosure of security policies that will enable them to make sound investment decisions.

To ignore this fundamental requirement may leave directors open to sanction under the Turnbull guidelines or other corporate governance rules now embodied in company law. It could also leave them exposed to lawsuits from aggrieved consumers or investors.

The survey shows that some fund managers are looking at this issue right now and others would value access to published policies. More importantly for directors, the survey shows that security breaches will encourage fund managers to question the quality of the management team in place and review their investment decisions.

Businesses that are not prepared to comply with this policy stand to be re-rated downwards and seen as a bad risk with maverick management.

  • 86 percent of fund managers expect a security plan to be in place already.
  • 68 percent of fund managers said that it would influence positively their rating of a company if an effective security plan was in place.
  • With security breaches becoming more frequent, and the prevalence of virulent viruses such as the LoveBug, over half of the fund managers (52 percent) recommend that business leaders should publish a clear IT security policy to demonstrate that they are protecting shareholder interests.

The management team is already under the microscope as:

  • 62 percent of fund managers review the management team when assessing investment opportunities;
  • 32 percent of the respondents talk to the management team to find out about the company's IT and Internet security strategy;
  • 42 percent of those surveyed would question the quality of the management team if a security breach did occur within an investment portfolio;
  • 42 percent of the respondents admit that they would investigate the management team further before investing in potential investment opportunities;
  • 64 percent said that a security breach would introduce an element of doubt and affect their opinion of a company's management.

5. Challenge of quantification leads to ignorance about the issue

One of the major issues faced by the investor community is the difficult task of precisely quantifying the risks associated with not having access to information about IT and Internet security. For the combination of factors identified below, the majority of fund managers tend to ignore this issue when taking their investment decisions.

  • 33 percent of fund managers perceive security breaches as being too unpredictable to affect investment decisions.
  • 20 percent of respondents feel that a security breach would not affect the profitability of an organization so do not take it into consideration.
  • Most of those surveyed (62 percent) were not able to quantify the impact on lost revenue or profit if a security breach occurred in one of the organizations within their investment portfolio.
  • Only 8 percent felt that the impact would be more than £1 million and as many as 26 percent less than £100,000. Fund managers were not alone: the DTI survey found that very few organizations could assess the true business implications of security breaches suffered. Those that could indicated that the cost of a single breach was in excess of £100,000.
  • 20 percent of fund managers say that IT and Internet security does not feature highly in investment assessments, as it is trivial compared to other criteria.

Rather than a purely financial loss, there is a range of other issues such as delayed delivery of contracts, lost opportunities, legal and contractual liabilities incurred, loss of customer confidence, loss of trust and damage to brand value that need to be evaluated in the future.

6. Enlightened versus complacent approach

The survey reveals contradictions of opinion from the investment community about IT and Internet security. While some admit that they do not take security protection into account and that it would not make any difference to investment decisions, there is a significant number who viewed Internet security as more important than any other criteria and who, if appropriate, would pull out of an investment.

This highlights the contrast between the enlightened new breed of fund managers who understand and evaluate Internet security risks; and those who appear indifferent to the potential damage.

  • 24 percent of the sample claim that a security breach would either have no impact or they would take no action with regard to an existing investment in a company.
  • As far as potential investments are concerned, 66 percent of the audience stated that when faced with a security breach they might question the management team, however they would still go ahead as planned, with some admitting that it would have no impact whatsoever.
  • Conversely, there was a small percentage who revealed that they would either pull out of an existing or potential investment when confronted with a security breach.
  • Two-thirds of the fund manager sample saw IT and Internet security as being as important or more important than the other criteria they studied when assessing an investment opportunity.

7. Act of God or a pervasive risk of the new economy?

Many in the investor community view the likelihood of security breaches as unpredictable rather than probable. This shows exactly how hard the IT community needs to work to bring fund manager perceptions in line with reality.

Current estimates say that there are 15 new viruses every day - totaling over 5,000 every year. And these only represent the external threats. The DTI estimates that seven out of 10 threats that an organization will encounter will come from internal sources rather than external ones.

The DTI survey revealed that 60 percent of organizations have suffered a security breach in the last two years. Of those organizations who have critical or sensitive information, 43 percent had suffered an extremely or very serious breach in the last two years.

So, far from being an Act of God, the probability of a security breach - and the consequent damage to company value and performance - is extremely high. The IT industry needs to do much more to explain the full impact of business damage through security breaches.

Similarly fund managers need to be more demanding of companies when it comes to providing reliable information on which to base their investment decisions. 33 percent of fund managers admit that security breaches are too unpredictable to be considered in investment decisions.

8. 21st century business environment demands inclusion of new investment criteria

The most common responses from fund managers about the criteria they consider when assessing investment opportunities included:

  • performance trends;
  • financial track record;
  • management team;
  • market position and market share.

All of these top criteria would be impacted severely in the event of a security breach that adversely affected the fundamental systems in a business or the way customers were treated.

Loss of transactions can have a serious impact on value even without taking into account the brand damage that would be associated with the loss of performance or service. Failure to ensure a secure e-business environment for customers will result in brand depreciation - something that is nearly impossible to regain and will impact on the company's future performance and value.

The financial track record of an organization is a window on historical performance. In an age when not being connected to customers and suppliers is no longer an option, future performance - and how an organization manages risks to guarantee future performance - must become the primary investment criterion when assessing risk and potential.

Conclusion

In today's connected economy, it is unacceptable to ignore the implications of inadequate IT/Internet security policies, plans and procedures. This must be seen as 'a risk too far' for companies, shareholders, fund managers, regulators and the man-in-the-street.

This survey shows that while IT departments are working hard at a technology level, IT security has not yet made its way into the boardroom as a pivotal strategic business issue that demands attention from all directors. Until it does, fund managers will find it hard to assess the true potential of an investment. And, with British business dependent upon the capital that fund managers have at their disposal, it is essential that action be taken now to remove any sense of uncertainty, for the benefit of all stakeholders in UK Plc.

Recommendations

As a result of the insights provided by this survey, Vistorm recommends that:

  • directors and investors recognize that there is no such thing as a totally safe IT system, which is why directors need to create a culture of constant vigilance;
  • British businesses recognize that the majority of risks (about 70 percent) come from inside an organization through breaches in its security that are both intentional and unintentional;
  • British businesses recognize that IT security is not just electronic but also embraces personal, procedural and physical requirements;
  • British businesses carry out an urgent review of their current IT and Internet security policies and create one if one does not exist;
  • as a first step to greater vigilance, British businesses adopt BS7799 as a framework for IT security and then progressively raise the bar;
  • IT security, and the related risk management process, is discussed by the board on a regular basis and a formal policy communicated to fund managers to assist their own risk assessment process;
  • British businesses have an independent organization try to breach their security systems on a regular basis so that an accurate risk management assessment may be made, improvements may be implemented and so that directors have audited facts to disclose;
  • work on international standard ISO17799 is accelerated so a standard designed for the needs of the new economy is available as soon as possible;
  • the IT industry partners with important influencing institutions such as the Confederation of British Industry, Institute of Directors, the Fund Managers Association and the Computer Services and Software Association to ensure that the business community fully understands the true status of business risk from IT security breaches;
  • the IT industry explains that it is every business not just e-businesses that are at risk from IT security breaches;
  • the IT industry contributes to the corporate governance debate surrounding the risk management and disclosure issues for IT security as an extension to the Institute of Chartered Accountants initiative on risk management;
  • investment trusts look closely at their investment criteria to ensure they do not fall foul of future sanctions because they are deemed not to have taken appropriate care over investment decisions;
  • directors look closely at their disclosure of risk so that they do not fall foul of current or future corporate governance laws;
  • rather than threat prevention, IT and Internet security be seen as a critical risk management discipline;
  • risk assessments carried out look at the impact on current and future assets - both tangible and intangible - such as business operations, intellectual property and brands.

Bibliography

  1. Gartner prediction on growth of e-business - Europe's rocketing Internet economy - BBC News - news.bbc.co.uk
  2. NUA Internet Surveys - www.nua.ie/surveys/how_many_online/index.html
  3. Turnbull report - Institute of Chartered Accountants - www.icaew.co.uk/internalcontrol/turnbul.pdf
  4. Information Security TCO: The Risk Trade-off - Gartner Research
  5. DTI Information Security Breaches Survey 2000 - www.dti.gov.uk/cii/datasecurity/informationsecuritybreachessurvey2000
  6. Datamonitor white paper - eSecurity: Removing the Roadblock to eBusiness
  7. PricewaterhouseCoopers report - reported on vnunet.com - Hackers and Viruses to Cost Business $1.6 Trillion
  8. Cap Gemini Ernst & Young ninth annual global financial services survey - Electronic Commerce: a Need to Change Perspective - www.uk.cgey.com/news/pr2000
  9. Computer Economics prediction as reported in the article Counting the Cost of the LoveBug on vnunet.com
 
About Vistorm

Vistorm (formerly ESOFT Global) was established in 1991 to provide sophisticated IT business solutions to the corporate user. Today, the company is acknowledged as a world leader in the provision of managed Internet services. Vistorm specializes in managed Internet security and managed Internet applications (otherwise known as application service provision (ASP)) and these services enable customers to operate and extend their businesses securely in the online business world.
 

SC On-Line
SC Magazine
www.scmagazine.com

Copyright © 2000 West Coast Publishing. All rights reserved.