Monday, May 1, 2000
Think Tank
This week we focus on a complete analysis of the e-security industry
"No one is fully secure" 

 
Ernst & Young, the $12 billion global professional services firm, is among the top e-security solutions providers in the world. In December 1999, Ernst & Young launched its e-commerce security solutions services in India. Nitin Chittal of Thinktank spoke to Sunil Chandiramani, national director for Information Systems Assurance and Advisory Services group (ISAAS), who is spearheading this initiative.

How do you see Internet security practised in India vis-a-vis that in other countries?
Concerns about Internet security are consistent across nations given the worldwide nature of the Net. We have observed that websites based in India are yet to demonstrate a strong inclination towards security. It is certainly higher on the list of priorities in American and European corporations. But then, the Net is also a more evolved medium in those countries vis-a-vis India. According to Ernst & Young's 6th Annual Global Security Survey, western corporations are investing up to 30 per cent more in Net security compared to their Indian counterparts.

Although security intrusions take place, most of them are not reported. Can you estimate the level of security intrusions in India?
Agreed, not all security intrusions are reported. We at Ernst & Young attempt to gather such crucial information through our Annual Global Security Surveys, which run across 35 countries. In India, we polled 150 professionals. In the latest survey, only 3 per cent of the Indian respondents reported that their websites were broken into. As many as half of these noted that the break-in did not result in any financial loss, but proved disruptive for business.

What security measures are most common in India? Are these measures enough to state that Indian sites are secure?
The common security measures here currently are firewalls, which are devices that monitor incoming traffic, and Secure Sockets Layer (SSL) technology, which makes Internet browsing secure. According to Ernst & Young estimates, 19 per cent of the respondents polled for the Annual Global Security Survey in India had firewalls and only 5 per cent were using SSL technology for Internet browsing.

Whether these measures are reasonably "safe", again depends upon the security-enabling technology that a company may opt for. The Internet opens a website to intruders from across the world, who have access to the latest technology worldwide. "Reasonable" as a level of security, therefore, becomes inadequate. Indian sites need to follow the latest developments in the security arena. To start with, a firewall is good, but a company needs a more holistic solution to secure its presence on the Internet.

Today, security is compromised by the use of credit cards on the Net in the absence of verification and authentication. How do you view this threat?
Credit card fraud over the Internet is a rampant phenomenon in the West, but it is still to reach alarming proportions in India. Credit card companies in India have only recently started using the Net as a payment channel and, given that most of these companies are foreign banks, they are well versed with technologies like SET (Secure Electronic Transmission), Secure Sockets Layer (SSL) and data encryption. The reason these companies have not been attacked here is that attackers have not shown an appetite for Indian sites, but as the recent theft of Bill Gates' credit card details from a website shows, no one is fully secure.

Credit card companies can issue Personal Identification Numbers to card users for authenticating the identity of card usage on the Net. This will further ensure the integrity of a customer transaction. While this sounds simple enough, there are instances of companies having overlooked such requirements in their hurry to be the first in the marketplace.

How can a B2C company minimise this threat?
B2C companies can refine their processes to ensure that all data and transaction processing at their end is secure. They can ensure that they are receiving authentic information from the payment mechanism, be it credit cards or e-cash tokens. Software solutions that encrypt data and authenticate and verify users are available. But we would advise a B2C company to look at a holistic and dynamic security solution.

How do you view privacy on the Net? Do you think dot.com companies in India take the privacy matter seriously?
Providing personal data to dot.com companies is the same as providing personal data to a credit card company when filling an application. Customer profiles are critical for deciding future business offerings. However, if dot.coms are serious about the privacy of their customer data they will be well served in assuring their customers by signing confidentiality agreements with them regarding the non-disclosure of their personal information (if the customers so desire it). Sometimes, even customers stand to benefit as they are exposed to more information. But where does one draw the line? The customers should decide and dot.com companies should respect customer preferences.

How are threats like distributed denial of service (DDoS) prevented? Are Indian companies geared to face such security intrusions considering that sites like eBay, Yahoo, etc., who have spent millions on security, have not been able to prevent it?
As you may know, denial of service (DoS) attacks are virulent and dangerous, since a website is requested for amounts of information it is unable to process, resulting in the website crashing. These are the attacks responsible for the many outages reported recently in the press and others that have been kept more secret.

One innovative solution that is currently being deployed involves taking steps to stop your own computers from being used anonymously to attack others by firstly not showing your Internet Protocol (IP) address outside your network and secondly allowing packets with only your IP address to travel outside your network. These steps will stop your computers from being used as tools in a denial of service attack but they will not make your computers immune from such an attack.

Indian sites can follow the example of Amazon.com and MSN.com, which had backup servers on standby and suffered minimally during these attacks. In this dynamic technological environment, challenges to security are evolving quickly and the attacks on eBay and Yahoo only go to show that no one can claim to be fully secure.

What is the estimated size of the Internet security market?
The current size of the global information security market, according to Emerson's Professional Services Review 1999, is estimated to be around $9 billion, and given that the market is dynamic with various emerging technologies, an assessment of the value of the e-commerce market is difficult to make.

What is your role in ensuring security in the Internet world?
Ernst & Young has a full-fledged Information Systems Assurance and Advisory Services (ISAAS) in 133 countries now. We have been in India since 1995 and have more than 45 information security professionals working across cities.

Within e-security, Ernst & Young is offering in India our e-commerce Trusted Third-Party Services, which focus upon assurance and attestation for electronic commerce applications. Here, we analyse the hardware, software, implementation methods, and processes comprising a company's e-commerce approach. We help build trust in a number of ways like Cyberprocess Certification (CPC) and Digital Certificate assurance.

Our e-commerce Advisory Services focus on the strategy and design of effective and secure electronic commerce applications. Our professionals help analyse and develop electronic commerce-driven business plans, related strategies, and sound technical architectures. Our strategies can employ either customised or packaged technical solutions to meet your needs. Our exclusive e-commerce Diagnostic tool coordinates internal and external reviews to help assess a company's electronic commerce state and begin to chart a course for the future.

Internationally, e-commerce Secure Host Services are also offered, where an EY-owned site may host and maintain e-commerce applications, designed for organisations that require a highly secure electronic forum, such as during litigation or mergers and acquisitions.

We develop the enabling software/hardware product mix, supply the infrastructure to host the solution, and provide secure and reliable access to the site.

This service enables communications hosting, document-sharing and transmittal, extranet and work-group collaboration, virtual meeting space, and document archives with non-repudiation.

How does certification of sites help in increasing security?
The reason why more and more of our clients want certification is because it provides them an independent trust seal necessary to build credibility with business partners and customers and certifies attestations made by site managers which include security. Certification reinforces the security efforts taken by site managers.

For example, customers can gain an assurance from a cyber process certification (CPC) that their personal data is kept confidential at all times.

© Copyright 1999: Indian Express Newspaper (Bombay) Ltd. All rights reserved throughout the world.
This entire edition is compiled in Mumbai by The Indian Express Online Media Limited, a division of The Indian Express Group of Newspapers. Managed by The Indian Express Online Media Limited and hosted by CerfNet.