This report is one of four special studies published by e-Business W@tch in 2005, in addition to its sector studies. While sector studies present e-business developments from a specific industry's perspective, special studies focus on a particular ICT related topic, across sectors. This study has two objectives:
Since security mechanisms, and concerns of trust, are important aspects of e-invoicing, and because the analysis of both issues is largely based on results of the e-Business Survey 2005, the presentation of results on these areas has been integrated in one report. However, the topic of ICT security is broad and also covers areas that are not directly related to invoicing and payment processes. Therefore, the analysis is presented in two distinct parts that can be read and used independently of each other.
Results from the survey show that the mean time between security-related incidents with significant impact on an enterprise is well under 2 years in the most vulnerable sectors in Europe, such as tourism and IT services. Malicious software and unsolicited e-mail currently have the greatest impact, followed by failures of hardware or software and problems faced by providers of services to the enterprise, such as leased lines or Internet access. Though not by any means negligible in scale, the impact of employee misconduct or unauthorised access to systems is reported to be at much lower levels than damage from spam or component failure. Despite the evidently increasing burden of compliance with legislation and regulation, this aspect of economic impact is reported to be least frequent, although the overall cost is likely to be very high, and is concentrated in a minority of sectors.
Incidence of damage from breaches of security and other security-related costs vary with size of enterprise, but the trends of incidence with size are mixed in direction. It is clear that in many cases the level of threat increases with size, e.g. with the number of staff employed or premises operated. At the same time, small enterprises are much less likely than large corporations to implement controls and other measures to reduce the impact of security threats. The opposing trends of threats and controls lead to the mixed picture in European enterprise overall, a picture which can hide real disadvantages faced by small organisations. For example, although the likelihood of employee negligence causing significant damage in any year is reported to be considerably lower in micro enterprises than in larger organisations, the level of threat to micro organisations is very much smaller still. It is estimated that damage could be reduced by up to twenty-fold in cases such as these if means could be found to enable small organisations to counter the associated threats as effectively as larger organisations.
From a sector perspective, enterprises in the IT services sector report the greatest number of incidents causing significant damage, nearly three times as many as in the construction or food & beverages sectors. Whereas the rate of incidence in tourism is nearly as high as in IT services, other sectors are in mid-field. The automotive industry is an interesting case, exhibiting very low levels of incidence of both hardware and software malfunction. It is probable that large manufacturers in the sector are being particularly effective at setting standards for hardware and software and ensuring that quality hardware/software solutions are introduced into and used throughout their supply chain. This would have the effect of improving the resilience of smaller enterprises in the sector to this kind of security threat, and it may well be that other sectors could learn lessons from the automotive industry. At the same time, the sector was found to have a particularly high incidence of damage from spamming, and it appears that no sector can lay claim to universal best practice in avoiding damage from security-related threats.
The analysis of security controls and other measures applied by European enterprises to counter security threats shows that basic components such as firewalls and secure servers – for those enterprises requiring these – already exhibit high levels of penetration. Major deficits in security controls in European enterprise are evident in the low levels of reported application of data encryption, which is generally regarded as essential in distributed and mobile computing environments. The still lower levels of deployment of public key infrastructure could represent an obstacle in the evolution of interoperable solutions for many e-business processes, particularly those with strong contractual content such as the transfer and agreement of large liabilities.
Given the importance of the human factor in breaches of security, the low proportion of enterprises reporting that they train their staff in security awareness, carry out risk assessment or, in particular, have put a security management system in place, should be a cause for concern among policy makers. Though the proportion of larger enterprises which have drafted disaster recovery plans and developed a security policy is over 70% (in each case), the picture is much bleaker among smaller businesses. Only 21% and 33% respectively of micro and small enterprises report having an ICT security policy in place, despite strong consensus among security consultants and standards-setting bodies that such planning is essential in building a proper response to security threats.
The lower levels of control deployment found in smaller enterprises have a clear economic foundation. The ability to profitably deploy resources in combating security threats tends to be a function of the size of a business, particularly in larger enterprises where key ICT functions are centralised. These economies of scale can be clearly seen in the behaviour of enterprises in respect of the security controls included in the survey.
To simplify sectoral analysis, the underlying covariance structure was investigated and security controls and measures grouped along three principal factors: 'management and policy', 'secure components', and 'PKI (Public Key Infrastructure) and encryption'. The resulting picture by sector shows the clear dominance of enterprises in the IT services sector in the introduction of security controls in the areas of 'secure components' and 'management and policy'. Yet despite this leading position the incidence of damage is high for these enterprises, showing that the sector clearly faces some of the highest levels of threat. Fortunately, perhaps, enterprises in this sector can draw the know-how to select, implement and maintain secure systems from core business units, in contrast to other sectors.
The strongest contrast with the behaviour of enterprises in the IT services sector is given by companies in food and beverages, textile industries, tourism and construction. These latter sectors score lowest on all three factors. At the same time, these sectors are among those with the smallest average size, from which it follows that they have a particularly large proportion of small and micro enterprises, whose behaviour dominates the statistics.
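The three-factor grouping used in the two preceding paragraphs (investigating the covariance structure of the control variables and assigning each control to the principal factor on which it loads most strongly) can be illustrated with a small extraction of principal factors from survey-style responses. This is an added example and not the study's own method, data or code: the responses are constructed and idealised so that the three groups separate cleanly, the eigenvectors are found by plain power iteration with deflation rather than a proper factor-analysis package, and "antivirus" is an assumed control name that the survey did not ask about.

```python
"""Group ICT security controls into principal factors (added illustration).

Not the e-Business W@tch methodology or data. The survey responses below are
constructed: the three control groups are made mutually uncorrelated across
eight firms so that the correlation matrix is block-diagonal and the first
three principal factors coincide with the groups exactly.
"""
import math

# Controls named in the report's summary; "antivirus" is an assumed extra.
CONTROLS = [
    "security_policy", "risk_assessment", "staff_training",
    "disaster_recovery", "security_management_system",   # management & policy
    "firewall", "secure_server", "antivirus",             # secure components
    "data_encryption", "pki",                             # PKI & encryption
]

# Constructed 0/1 responses (1 = control in place), one row per enterprise.
# Group patterns over the 8 firms: A = 11110000, B = 11001100, C = 10101010.
RESPONSES = [
    [1, 1, 1, 1, 1, 1, 1, 1, 1, 1],
    [1, 1, 1, 1, 1, 1, 1, 1, 0, 0],
    [1, 1, 1, 1, 1, 0, 0, 0, 1, 1],
    [1, 1, 1, 1, 1, 0, 0, 0, 0, 0],
    [0, 0, 0, 0, 0, 1, 1, 1, 1, 1],
    [0, 0, 0, 0, 0, 1, 1, 1, 0, 0],
    [0, 0, 0, 0, 0, 0, 0, 0, 1, 1],
    [0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
]


def correlation_matrix(rows):
    """Pearson correlation between every pair of columns (controls)."""
    n, m = len(rows), len(rows[0])
    means = [sum(r[j] for r in rows) / n for j in range(m)]
    sds = [math.sqrt(sum((r[j] - means[j]) ** 2 for r in rows) / n) for j in range(m)]
    corr = [[0.0] * m for _ in range(m)]
    for i in range(m):
        for j in range(m):
            cov = sum((r[i] - means[i]) * (r[j] - means[j]) for r in rows) / n
            # A constant column has no variance and correlates with nothing.
            corr[i][j] = cov / (sds[i] * sds[j]) if sds[i] and sds[j] else 0.0
    return corr


def leading_eigenpair(matrix, iterations=300):
    """Power iteration: dominant eigenvalue and its unit eigenvector."""
    m = len(matrix)
    v = [1.0] * m
    for _ in range(iterations):
        w = [sum(matrix[i][j] * v[j] for j in range(m)) for i in range(m)]
        norm = math.sqrt(sum(x * x for x in w))
        if norm == 0.0:
            break
        v = [x / norm for x in w]
    # Rayleigh quotient gives the eigenvalue for the converged vector.
    lam = sum(v[i] * sum(matrix[i][j] * v[j] for j in range(m)) for i in range(m))
    return lam, v


def principal_factors(corr, k):
    """First k principal factors as (eigenvalue, loading vector) pairs."""
    work = [row[:] for row in corr]
    factors = []
    for _ in range(k):
        lam, v = leading_eigenpair(work)
        factors.append((lam, v))
        # Deflate so the next-largest component dominates on the next pass.
        m = len(work)
        for i in range(m):
            for j in range(m):
                work[i][j] -= lam * v[i] * v[j]
    return factors


def group_controls(names, rows, k=3):
    """Assign each control to the factor with the largest absolute loading."""
    factors = principal_factors(correlation_matrix(rows), k)
    groups = {f: [] for f in range(1, k + 1)}
    for j, name in enumerate(names):
        best = max(range(k), key=lambda f: abs(factors[f][1][j]))
        groups[best + 1].append(name)
    return groups


if __name__ == "__main__":
    for factor, members in group_controls(CONTROLS, RESPONSES).items():
        print(f"factor {factor}: {', '.join(members)}")
```

On this idealised input the three eigenvalues are 5, 3 and 2 (the sizes of the three blocks of perfectly correlated controls), so factor 1 collects the five management-and-policy controls, factor 2 the three secure components and factor 3 encryption and PKI. With real survey data the blocks are only approximate, the loadings are spread across factors, and a rotation step would normally be applied before reading off the grouping; the max-loading rule here is the simplest version of that step.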
In total, about 5% of all firms from the 10 sectors and 7 countries surveyed in 2005 reported using ICT systems for electronically invoicing their customers. Similarly, about 5% reported using such systems for invoices received electronically from suppliers. Diffusion of e-invoicing activity may gain further momentum in the near future, as its benefits for firms of all sizes and from practically all sectors become more apparent, the main ones being cost savings and improved customer relationships.
In B2C markets, the highest initial potential is seen for firms that issue regular and similarly-structured invoices to a large number of customers. Such enterprises include telecommunications service providers, other utilities, insurance companies and publishers of newspapers and periodicals. Here, EBPP (Electronic Bill Presentment and Payment), i.e. the web-based presentation of invoices and accounts to customers, will be the main platform. In B2B, electronic invoicing is tightly linked and integrated with ERP (Enterprise Resource Planning) systems and has a high potential particularly in sectors with deep supply chain integration and long-standing supplier-customer relationships. This applies, for example, to the automotive and aerospace industries and to parts of the chemical industry.
Regarding demand-side (consumer) trends, the credit card has become by far the most important payment method in B2C electronic commerce. Pago eTransaction Services, for example, reports that about 80% of electronic payments made via its platform were made by credit card. However, there are considerable variations in e-payment methods by sector, by country and depending on the amount to be paid. Analysis of chargeback rates in e-payments shows an interesting and alarming trend. About 37 out of every thousand transactions of over 500€ result in chargebacks, possibly due to fraud.
Some aspects of the structural variation in security threats, and in the response to them, exposed in this study call for appropriate public policy measures. A key objective is to improve the cost-benefit equation for SMEs, perhaps by reducing the cost of controls through standardisation, encouraging market offerings or promoting inter-enterprise cooperation and the sharing of resources.
Current policy on ICT security in Europe continues to be somewhat fragmented, providing opportunities to improve security through coordination and exchange of best practice, including adopting best practice into EU policy instruments where appropriate. The recently founded European Network and Information Security Agency (ENISA) can be expected to contribute to security policy coordination in this respect. As sector developments have been shown to be quite divergent, benchmarking exercises or other models of exchange of best practice could also be profitably used to accelerate exchange between sectors, in parallel with exchange at national level.
The exchange of best practice is also recommended as an instrument to promote successful national and regional programmes in the area of e-invoicing. In many EU countries and regions, the public sector has launched initiatives in order to exploit the cost saving potential of e-invoicing. This calls for international monitoring and impact assessments of different policy approaches. Within the EU, the European Commission could instigate such measures; globally the role might be taken on by the UN or the OECD.
E-invoicing is considered to lead to a 'win-win' situation for both parties involved, i.e. the paying and the receiving entity. Public authorities could act as a role model by introducing e-invoicing themselves, or they can promote and facilitate the adoption of related activities among enterprises by other means, e.g. by facilitating access by enterprises to information on best practice or by increasing the transparency of the market through support for system and service comparison.