EDITOR’S NOTE: This article by Tom Ridge was based on remarks he made as the keynote speaker at the Merchant Risk Council’s 7th Annual e-Commerce Payments and Risk Conference held in March 2009 in Las Vegas. The interview portion on page 21 was conducted following his talk.
Risk management is not a concept that many people think about, but in our own lives we practice it every day. For example, at what level are we going to insure our home? At what level are we going to take a risk that if our home is destroyed, we may not fully recover?
At what point do we decide, “I’m just running to the drug store. It’s two or three blocks away. Do I need to put my seat belt on?” Or, “I had a flu shot last year. I don’t need it this year.”
Or how about our friends who are on the golf course on the 18th tee, and they are having the record round of their life. Storm clouds are gathering, lightning is sprouting all around, and yet they choose to finish the round despite the danger.
Risk management. People practice it all the time, but they do not necessarily think about it as a management process.
Amidst talk of the economic crisis, we were recently reminded of the strength of the human spirit and saw firsthand how powerful the will to succeed can be when Captain Chesley “Sully” Sullenberger landed that full plane with perfect precision on the Hudson River. He turned his Airbus A320 into a glider, hurtling toward the ground at more than 270 mph. It is remarkable when you think about it. With odds obviously against him, Sully and his crew heroically rose to the challenge, saving everyone on board.
Many call this a miracle. But if it is, I would like to think it is a miracle of effective risk management; a miracle of skill, training, professionalism, clear-headed thinking, and focus on mission. Captain Sullenberger’s accomplishment is an inspiration in coping with great uncertainty and risk and rising to meet the challenge.
Today’s economy is a huge issue and concern for all businesses and individuals. One of the fastest growing crime zones during these tough times is e-commerce and the vast communications network called the Internet. And so, it is the responsibility of risk and security professionals and, indeed, of all company executives, to manage the risk of e-commerce crime and to ensure that their enterprise lands safely.
What Does It Mean to Manage Global Risk On-line?
Our nation’s economic strength has long underpinned our national security and freedom. Today, information technology, including our e-commerce “plumbing,” is mission critical to about 85 percent of our economic infrastructure and, therefore, a healthy economy. Defending this vital infrastructure is a challenge shared by the government and business sectors.
This is a serious, collective responsibility as we try to protect consumers who want e-commerce to be effective, efficient, and secure. But we have to remember, at this point, e-commerce is still in its infancy. The e-commerce infrastructure is not as secure as it needs to be, and e-commerce generally is far from risk free. It is important that the business community, and the nation overall, understands the true cost of e-commerce fraud. We read about it in the newspapers and see it on television. It is palpable, tangible, and painful. It is the gorilla in the room.
When a company begins selling on-line, it begins to be engaged in a global conversation. Its web site can be accessed from anywhere. Even if a company only sells domestically, being connected to the Internet means it can be attacked and hacked from anywhere.
The ubiquity of the Internet is its greatest strength and greatest weakness. The Internet is the nervous system of a globally interdependent marketplace. Even in these challenging economic times, our future prosperity requires virtually all companies to stay connected. Surprisingly, there are some CEOs who do not quite understand or accept that reality.
That is gradually changing, however. For example, not that long ago, I talked to a transportation executive who said “I actually run an information technology company. Everything we do in our operations is based on information technology and the Internet. It just so happens that my company runs trains.”
He’s right. Information technology is the backbone of everything we do and every decision we make. When we think of critical infrastructure in a time of terrorist threats, we usually think of it in terms of bricks and mortar. However, arguably the most critical element of any physical infrastructure is cyberspace.
Need for Engagement
Some people view the economic challenges we face today and look inward. They argue for political isolationism and economic protectionism. I would argue that Americans must take these challenges head on and engage the world more aggressively, not less. We must engage the world diplomatically, economically, and in every conceivable way with more determination than ever before. Our future security and prosperity is forever more interdependent on the future security and prosperity of the rest of the world. We cannot become economic isolationists or protectionists.
In this post-9/11 era, our world has become smaller and more complicated. The indisputable influences of globalization have created a more vulnerable, more complex interconnected world. We can no more ignore India, Russia, China, or South America than we can our own home market. This is a reality made evident by the rippling effect of the Wall Street meltdown and the mismanagement of some of the largest private financial firms that contributed to the current global recession.
Most public-sector organizations are already engaged globally. Those that are not are likely to be looking toward international expansion as a way to deal with falling domestic revenues. Whether none, some, or half of a company’s revenues come from beyond its national borders, all companies must recognize that risk in this interdependent world has no borders.
We must also recognize international risks may differ from domestic risks. One size does not fit all. Just as people can order goods from anywhere using the Internet, criminals are equally able to launch a text command for worm-infected zombie PCs to do their bidding and originate fraudulent orders from anywhere to anywhere.
From an e-commerce perspective, we also know that activities such as spam, phishing, and carding, all examples of data theft, lead directly to fraudulent customer-not-present transactions designed to convert stolen data into cash. This is also a not-so-subtle reminder that on-line commerce is a part of the nation’s critical infrastructure and losses to fraud can be directed to funding terrorist attacks against our country.
Crime as a Driver of Global Economic Risk
In fact, one of the toughest challenges faced by law enforcement and the private sector is understanding and dealing with organized crime as a driver of global economic risk. Fraud used to be more opportunistic and relatively unsophisticated. Fraudsters often worked alone. Today, e-commerce criminals collaborate in technologically savvy, electronically connected international rings that span borders, sharing and selling information about companies and their customers.
We saw an example recently when hackers broke into a global payment system, obtained data on 1.5 million gift cards as well as personal data records, including social security numbers for more than a million people. The problem is not going away. These incidents cause great damage.
Many companies are working hard at managing e-commerce risk and have actually lowered their fraud rates to as low as one tenth of one percent. Today, some companies’ losses due to e-commerce fraud are probably lower than a few years ago. However, it is important to recognize that the total cost of fraud is often construed much too narrowly.
Despite the tremendous growth in e-commerce over the past fifteen years, it represents 4 to 5 percent of the total U.S. economy, including business-to-business transactions. In a national economy estimated at just under $15 trillion in value, 4 or 5 percent is, indeed, a large number. However, experts estimate that at least half of all business in the future could be conducted on-line, which is ten times what it is today.
Inhibiting e-commerce growth, and, therefore, having a negative impact on the U.S. and global economy, is basic lack of trust in e-commerce and the on-line experience. Stories about and fear of e-commerce crime push consumers away. Phishing fraudsters posing as bankers scare people. Hackers from Eastern Europe breaking into banking and credit card payment systems and launching denial-of-service attacks against well-known brands strike fear in the hearts of people who think nothing of walking alone at night.
Unfortunately, standard fraud management practices employed in e-commerce sometimes treat good customers as if they are potential fraudsters. That has a negative impact as well. Companies use the tools they have at hand. However, requests for additional information from the on-line consumer, proof of identity, or refusal of business from good customers often annoy legitimate buyers and increase their trepidation about expanding the amount of business they do on-line.
One of the as yet unquantified impacts of cyber crime is not being able to leverage the efficiency that on-line commerce enables. It costs businesses in lost time, productivity, and the cost-savings of on-line stores versus traditional shops. Companies incur significant manual labor costs when they need to check orders that are suspected of fraud, even though the majority of those orders are accepted as legitimate after they have been examined. There is also the dissatisfaction that these checking processes cause when business from good customers is refused or when additional proof-of-identity information is requested and orders are delayed.
Nothing will more dissuade a customer from doing repeat business than an unhappy shopping experience, whether on-line or in a shop on Main Street. The challenge is not to treat all customers as suspects while still maintaining the levels of security needed to avoid a security breach and loss.
What Is the Lesson?
We know e-commerce criminals operate globally and work together sharing information about on-line weaknesses and vulnerabilities. If they succeed, they compromise the viability of businesses and jobs. That creates a dangerous world, but that does not mean we can or should withdraw from it.
On the contrary, again, America’s future security and prosperity is now and forever more tied with the security and the prosperity of the rest of the world. Of course, the risk-reward calculation associated with global engagement is substantially greater as well. As a country, we have been incident-free from terrorism since 9/11. But we can draw no unwarranted self-serving conclusion from this. Yes, we are better protected today, but we remain at risk. We should not be frightened, just realistic and determined. We cannot eliminate risk, but we can manage it aggressively; and we are.
The same is true in the private sector. An increasingly global private sector seeking more markets, jobs, and profitability becomes more vulnerable and subject to greater risk. The universe of potential risks grows every day. In government, we accept the notion that in spite of more people, more programs, and more technology directed toward preventing another attack, we are still managing that risk. We accept intellectually and emotionally the possibility that another attack could occur.
Globally connected businesses must embrace the same attitude and approach—identify the risks, assess vulnerability and consequences, and develop a plan to direct attention and resources throughout the enterprise should a vulnerability be exposed. We need to manage risk beyond customer expectations, and take a proactive versus reactive approach. It is obviously better to manage risk before it manages you.
Understandably, planning and deploying resources to handle a threat entail significant expenses that can impact the bottom line. Too often, a company’s board will hear its security chief argue that preventing e-commerce fraud is necessary, while its CFO points out that it is an expense, not an investment.
The good news is that more companies are starting to recognize that those expense dollars for security actually represent a wise investment. There is a slow and steady realization that the private sector must heed what has been demanded of the public sector—that a company must aspire to be a risk-intelligent enterprise and work to create a culture of resiliency within its operations. Employees, customers, and investors demand and deserve nothing less.
Just like homeland security, business security is an ongoing mission. The task of securing consumers and enterprises from on-line fraud is never ending. It is 24/7. While progress has been made, there is more to do. Continued progress depends on and is driven by the inspired ideas, creativity, and innovation of risk-taking companies in a very complex and threat-filled interconnected world. It’s not mission impossible, but it is mission critical. And we can complete this mission if we continue to work together.
Issues Important to Retailers
One-on-One with Tom Ridge
By Jack Trlica, Editor and Publisher
You have often emphasized the need for collaboration among nations and across public and private sectors in fighting e-commerce crime and cyber terrorism. What is your view of the Customs-Trade Partnership Against Terrorism (C-TPAT) program?
RIDGE: C-TPAT was quite an innovation at the time and has been important in developing partnerships for dealing with customs issues related to fighting terrorism. However, we need to do a better job with the quid pro quo. That is, we said that if merchant companies agreed to certain security protocols in advance, we would expedite access at the borders. We have made modest progress in that regard. Hopefully, once we get through the economic downturn and continue to promote the economic integration between Canada and Mexico, we will build more infrastructure to facilitate those who are willing to abide by these security measures.
Is it the government side or retail side that has the responsibility to make C-TPAT effective?
RIDGE: C-TPAT basically asks businesses to step up, cooperate with the government, and agree to certain security procedures. In exchange, we promised to facilitate the transport of goods across the borders. The private sector was very collaborative and cooperative. The private sector wants to make it work. We just need a push on the government side to make it work even more effectively.
There are members of Congress who are advocating 100 percent screening of cargo entering U.S. ports. Many retailers do not believe that will work.
RIDGE: There is no conceivable way to screen every container for every potential hazard to either commerce or security. The 100 percent requirement was predicated on the belief that all containers should be checked for radiological and nuclear material. Right now, there is no technology that enables you to do it in an expedited way or that has proven to be so effective that you would want to embed it into foreign ports before they loaded the containers.
How can retailers get more engaged with homeland security in a collaborative way? Not just in supply chain, but in physically securing malls or ensuring that the food supply is safe?
RIDGE: Individual efforts, although well-intentioned, will not be as effective as broader-based retail association engagements. When I was secretary, we worked with the sectors rather than individual companies to identify needs and best practices. From time to time, we disseminated information to individual retailers through their associations. I suspect that practice continues today.
Homeland security and retail security are about best practices. They are about risk management and the extent to which successful retailers share their best practices. Of course, all companies need to decide whether or not to invest in a particular security measure. That is the best way for them to interact with government—internally sharing best practices and then being alert.
Again, retail is all about risk management. People want to go to malls. Malls are obviously vulnerable, but I cannot envision setting up an aviation-type security regimen to move people in and out of malls. It will never happen; should never happen. It is still more effective to employ best practices, such as surveillance, police, situational awareness, and making adjustments based on intelligence that needs to be shared by the government.
Do you think that shopping malls today are doing enough in that regard?
RIDGE: There are limits to what retailers can do to minimize the risk and still operate a profitable enterprise that is appealing to customers. Security and the economy intersect at our borders. Security and the economy also intersect at our shopping malls.
At what level do you raise security to the point that it impedes economic interaction? One of the notions that I would like to drive home to your readers is that in this post-9/11 world, we would encourage them to adopt enhanced security measures, greater sensitivity, video, maybe plainclothes security officers. I’m confident most of them have done that. But there is a point at which you must accept the risk. If there is specific intelligence information, then you may have to act differently. Other than that, you can impose only so much security without undermining economic interactions.
The president called me in shortly after 9/11 and said, “We did a great job on security at the borders, but we brought commerce to a screeching halt.” Well, we can do a great job at the malls, too. But then no one will want to shop there. So we need a balance between security and the economy.
There is legislation proposed to make organized retail crime a felony. It is interesting to retailers that some of those who are opposing that legislation are the e-commerce companies. Their claim is that it will impede their operations.
RIDGE: The Internet’s greatest strength is its ubiquity. That ubiquity is also its greatest weakness. We are going to see more organized criminal activity in e-commerce, not less. I do not know why anybody would be opposed to going after bad guys and throwing them in jail if they corrupt the system.