Communication and technology are keys to building trust in online business transactions

Once upon a time, securing business assets and transactions required tangible tools such as armed guards and sturdy safes. In today’s world of Internet shopping carts, digital encryption and online "phishing" scams, companies still struggle to implement safeguards and bolster client trust. What has changed, however, is how organizations meet such challenges.

Owners and executives of midsized businesses must work ever-harder to balance the convenience and efficiency of doing business online against the risks such transactions pose. Meanwhile, they have to demonstrate that customers’ information and money are secure.

The following information will help you evaluate whether online business is a good fit for your midsized company, and will provide tips to help you mitigate risks and build trust with your clients and vendors.

Risks and rewards
From sales and service to supply-chain management, more business is conducted online every day by midsized companies, and more customers are making market decisions based on the availability of online tools. For example, the online research company eMarketer estimates that 40 million U.S. households will bank online in 2006, with 5 million more coming on board each year thereafter.

While no one denies the convenience and efficacy of doing business online, online transactions frequently require transmitting financial data and other private information. Companies that fail to properly develop and institute appropriate security measures to guard that information can face dire legal and financial consequences as well as clients who brand them untrustworthy.

So how do you design a system that seals all security holes, protects against accidental misuse, and instills maximum customer trust and confidence? You can’t, experts say. No system is foolproof, no matter how diligent you are. If the risk of a security lapse is too great, don’t take it. But before you start taking all your computers offline, follow the steps below to determine whether some careful planning and straightforward safeguards can help bring your company’s online security risks within acceptable levels.

Conduct a risk assessment
The first step to analyzing online business risks is determining what those risks might be. Using either an internal or external auditor, conduct a thorough assessment of all current and potential online activity your business engages in or will engage in, including worst-case scenarios about what would happen if information you process were misused.

When conducting a risk assessment, be sure to account for any state or federal regulations that might affect you or your industry. For example, many financial institutions have been re-examining their online banking security measures since last fall, when the Federal Financial Institutions Examination Council called for a review of security procedures. The health-care industry likewise must comply with regulations included in the administrative simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which imposes strict standards for protecting patient information and privacy.

Also, make sure you research and track any state and federal laws that may apply. California is the only state that allows customers to pursue civil action against companies that deliberately or accidentally leak their information, but several other states are preparing to follow suit.

Classify your company’s information
If you don’t already have a system, experts advise creating a classification structure for your company’s documents and information to help you uniformly identify, store and process secure information. Government agencies already have such a system.

Experts say most companies would require only a three-tiered structure, while highly regulated or extremely complex companies may warrant more. An example classification structure could be:

Public. No restrictions guide who sees this information. Examples might include marketing brochures or advertisements.

Confidential. This information should not be shared outside the company. Examples might include employee personnel data and customer account information.

Secret. Only a few people with appropriate clearance should have access to this information. Examples might include information on a pending merger or acquisition, or ongoing strategic plans.

Install latest security tools
Security risks and tools often run neck-and-neck in the online security race as they try to outpace each other. It’s important to keep current with the latest developments of both to make sure you protect your systems as well as possible. Installing firewalls and encrypting transaction data to virtually wall off your most sensitive computer files are crucial steps to thwart all but the most sophisticated and motivated hacker.

Review your processes
Your systems may be safe from external hackers, but are they safe from your employees? Can a single employee initiate a wire transfer for large amounts of money? Are your financial systems password-protected for only selected individuals rather than everyone? When searching for online security gaps within your company, make sure you examine your internal processes as well as your technological safeguards.
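One way to turn the two process questions above into an enforced control, as an added illustration that is not part of the article: transfers above a threshold need a second, different approver, and only people holding a treasury role can touch the financial system at all. The threshold, role names and user directory are constructed assumptions.

```python
from dataclasses import dataclass, field

# Added illustration of the "can a single employee initiate a wire transfer"
# check: dual control above a threshold, and access limited to named roles.
# Threshold, role names and the user directory are all constructed assumptions.
DUAL_CONTROL_THRESHOLD = 10_000  # dollars; assumed policy value

USER_ROLES = {  # constructed sample directory, not a real system
    "alice": {"treasury_initiator"},
    "bob": {"treasury_approver"},
    "carol": {"treasury_initiator", "treasury_approver"},
    "dave": {"sales"},
}


@dataclass
class WireTransfer:
    amount: int
    initiated_by: str
    approved_by: set = field(default_factory=set)


def has_role(user, role):
    return role in USER_ROLES.get(user, set())


def initiate(user, amount):
    # Only selected individuals may use the financial system, not everyone.
    if not has_role(user, "treasury_initiator"):
        raise PermissionError(f"{user} may not initiate wire transfers")
    return WireTransfer(amount, user)


def approve(transfer, user):
    # Separation of duties: an approver must hold the role and must not be
    # the person who initiated the transfer, so no single employee can
    # both create and release a large payment.
    if not has_role(user, "treasury_approver"):
        raise PermissionError(f"{user} may not approve wire transfers")
    if user == transfer.initiated_by:
        raise PermissionError("initiator cannot approve their own transfer")
    transfer.approved_by.add(user)
    return transfer


def can_release(transfer):
    # Small transfers need only the initiator; large ones need a second person.
    if transfer.amount < DUAL_CONTROL_THRESHOLD:
        return True
    return len(transfer.approved_by - {transfer.initiated_by}) >= 1
```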

Educate your clients and customers
"Phishing" is one of the most insidious fraud practices on the Internet, and no amount of system security tools will protect your clients and customers from it. Phishing is the practice of sending bogus e-mails purporting to be from a legitimate business (like yours). Phishers entice customers to reveal personal information such as user IDs or credit-card numbers. Its equally insidious counterpart is "pharming," which uses an Internet-address ruse called "domain spoofing" to trick users into thinking they are on a legitimate company’s Web site and can safely enter their personal information.

Corporate targets of phishing and pharming invariably suffer tarnished reputations and diminished customer trust, regardless of who perpetrated the crime. One way to mitigate fallout in the event an attack occurs is to build trust with your clients and help educate them about your company’s security measures.

For example, make sure your customers know how and when you will contact them, and what information you might request from them. You may want to warn them not to respond to any e-mail claiming to be from your company that requests credit-card numbers, Social Security numbers or any other confidential information — and tell them whom to notify if they receive such a request.

Good communication can be just as important as careful system design and current tool implementation in instilling customer trust of your online business capabilities.

RSM McGladrey Inc. and McGladrey & Pullen LLP have an alternative practice structure. Though separate and independent legal entities, the two firms work together to serve clients’ business needs. RSM McGladrey is not a licensed CPA firm.

RSM McGladrey Inc. is a member of RSM International - an affiliation of separate and independent legal entities.

2007 RSM McGladrey Inc. All Rights Reserved. Contact us toll-free at 800.274.3978