Businesses today are becoming ever more interconnected, whether it be with suppliers, partners, franchises or data auditing systems, writes Chris van Niekerk, regional director: Africa at McAfee.
The commercial benefits of a web of collaborative partnerships are often clear to see: shared resources, the potential expansion of markets, increased speed to those markets and the realisation of cost efficiencies.
Yet companies rarely consider the impact of partnerships from a security perspective, despite the fact they are often the weakest, and most damaging, link.
Successful business partnerships are, by their very nature, based on a high level of trust and cooperation. In order to be effective, partners are commonly required to integrate IT systems to allow for smarter, faster data sharing – often even involving the release of confidential financial, strategic or operational data.
But while opening up a company network and database may help enable, and speed up, efficient business process, it also puts companies at unmitigated risk from security practices over which they have little control.
Indeed, a recent report from Gartner highlights that businesses which have moved towards collaborative IT systems should rethink their existing “trust mechanisms” for their partners, so that they are cautious when opening up their previously closed networks to external sources such as suppliers, customers and competitors (Gartner, “Collaboration Comes of Age” report, April 2007).
And with the threat environment ever-evolving, it’s never been more important for businesses to think beyond their own “walled” security strategy and assess the security savoir-faire of their associates rather than simply taking a leap of faith.
New partnerships bring new risks, and it is crucial that businesses are either fully joined up in their security strategies or have at least taken serious steps to mitigate the risks. They need both to protect themselves against any attacks that their partners might expose them to and to ensure that they themselves aren’t leaking attacks to their associates.
An example of partner security in action comes in the case of CardSystems Solutions, a third party processor which handled payments on behalf of credit card companies.
In 2005, it was hit by hacker attacks that exploited security vulnerabilities in the CardSystems network to infiltrate it and access information on more than 40 million credit cards, the vast majority of which were Visa- and Mastercard-branded.
Both companies immediately ended their contracts with CardSystems, reinforcing the very real risks that supply chain partners can impose both directly on an organisation’s business as well as indirectly to a company’s reputation.
Additionally, many companies, especially smaller ones, rely on third-party systems in order to conduct their business. This dependency means that firms are unable to build redundancy around it, so if the partner’s IT system fails they are reliant on the third party’s disaster planning.
This can be crippling and costly to both current and future customer relationships.
Just as Marks & Spencer (M&S) in the UK recently launched a supply-chain-wide environmental sustainability strategy to establish itself as the UK's leading “green retailer”, so too should businesses agree security standards for their partners.
When managing their business relationships, companies need to achieve a fine balance between ensuring the necessary level of security whilst not jeopardising their ability to do business.
In order to minimise the risks of introducing new partners to their organisation, security requirements should be defined from the outset. For starters, businesses should ask themselves the following key questions:
* What do I need to give this partner access to and why?
* Have I conducted a risk analysis of the partner business?
* Does this partner meet regulatory and compliance standards?
* How will I measure partner security?
* If I have to share confidential information, have I set up the necessary access controls?
* Does this partner have a disaster plan in place that will minimise the risk to my business?
Ultimately, businesses should always seek to devise a systematic framework which allows them to assess security risks, implement controls and manage specific threats. Organisations need to select suitable IT systems and implement partner-wide policies for access control, so as to create as secure and manageable an infrastructure as possible for the extended enterprise.
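The questions above translate naturally into a default-deny access policy: a partner gets nothing until its risk analysis, compliance check and disaster plan are on record, and then only the explicitly granted, justified and time-bounded access it needs. The following Python is an added illustration written for this page, not McAfee's or any vendor's code; the partner names, resource names and review date are constructed sample values, and `is_allowed` is a hypothetical policy function, not a real product API.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class Grant:
    """One explicit, time-bounded permission given to a partner."""
    resource: str        # hypothetical resource name, e.g. "orders/readonly-feed"
    action: str          # "read" or "write"
    justification: str   # the recorded answer to "why does this partner need it?"
    expires: datetime    # access lapses automatically unless it is re-approved


@dataclass
class Partner:
    """Onboarding state for one partner organisation (constructed fields)."""
    name: str
    risk_assessed: bool          # has a risk analysis of the partner been done?
    compliant: bool              # does it meet the regulatory / compliance bar?
    has_disaster_plan: bool      # does its disaster plan cover our dependency on it?
    grants: list = field(default_factory=list)


# Every decision is recorded so that partner security can actually be measured.
AUDIT_LOG: list[str] = []

# Constructed "now" so the demo below is reproducible.
REVIEW_TIME = datetime(2025, 6, 1, tzinfo=timezone.utc)


def is_allowed(partner: Partner, resource: str, action: str, now: datetime) -> tuple[bool, str]:
    """Default-deny check of a partner request against that partner's explicit grants."""
    # Gate 1: a partner that has not completed onboarding gets nothing,
    # regardless of what grants someone may already have typed in for it.
    if not (partner.risk_assessed and partner.compliant and partner.has_disaster_plan):
        decision = (False, "partner not fully onboarded (risk analysis, compliance or disaster plan missing)")
    else:
        # Gate 2: only an exact (resource, action) grant that has not expired allows access.
        decision = (False, "no matching grant")
        for grant in partner.grants:
            if grant.resource == resource and grant.action == action:
                if grant.expires <= now:
                    decision = (False, f"grant expired on {grant.expires.date()}")
                else:
                    decision = (True, f"granted: {grant.justification}")
                break
    AUDIT_LOG.append(f"{now.isoformat()} partner={partner.name!r} {action} {resource} -> {decision[1]}")
    return decision


def sample_partners() -> dict[str, Partner]:
    """Constructed sample partners; names and resources are illustrative, not real organisations."""
    far_future = datetime(2030, 1, 1, tzinfo=timezone.utc)
    lapsed = datetime(2020, 1, 1, tzinfo=timezone.utc)
    return {
        "acme": Partner("Acme Logistics (constructed)", True, True, True, [
            Grant("orders/readonly-feed", "read", "needs daily order volumes to plan deliveries", far_future),
            Grant("finance/ledger", "read", "quarterly reconciliation", lapsed),   # never renewed
        ]),
        "unvetted": Partner("Unvetted Supplier (constructed)", False, True, False, [
            Grant("orders/readonly-feed", "read", "requested at a sales meeting", far_future),
        ]),
    }


def run_demo() -> dict[str, tuple[bool, str]]:
    """Evaluate a handful of constructed requests and return the decisions."""
    p = sample_partners()
    return {
        "acme_read_orders": is_allowed(p["acme"], "orders/readonly-feed", "read", REVIEW_TIME),
        "acme_write_orders": is_allowed(p["acme"], "orders/readonly-feed", "write", REVIEW_TIME),
        "acme_read_ledger": is_allowed(p["acme"], "finance/ledger", "read", REVIEW_TIME),
        "unvetted_read_orders": is_allowed(p["unvetted"], "orders/readonly-feed", "read", REVIEW_TIME),
    }


if __name__ == "__main__":
    for label, (ok, reason) in run_demo().items():
        print(f"{label:22s} {'ALLOW' if ok else 'DENY '}  {reason}")
    print("\n".join(AUDIT_LOG))
```

Two design points carry the article's argument: the onboarding gate is checked before any grant is consulted, so a grant entered ahead of the risk analysis is inert rather than a back door, and every grant expires, which forces the "what do I need to give this partner and why?" question to be re-asked rather than answered once and forgotten. The audit log is what lets an organisation report on partner access instead of guessing at it.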
This has never been more important than now, as businesses are being forced to become more transparent by the growing need for compliance. For instance, the Markets in Financial Instruments Directive (MiFID) and the Single Euro Payments Area (SEPA) aim to create a single European market for financial services.
This requires investment firms to implement a number of changes in how they operate, including keeping detailed information on trades they have made for up to five years. Financial institutions also need to show that they have the necessary systems in place to ensure that any sensitive data they are holding has not been compromised – failure to do so could leave organisations exposed to lawsuits.
However, as firms scramble to adhere to the directive, they are at risk of failing to recognise the strategic importance of sound security checks on partners. The new level of trust and responsibility it imposes between financial institutions, intended to ensure more unified trading practice, almost by default opens them up to potential security issues.
And, according to PJ Di Giammarino, chief executive at consultancy JWG-IT, ambiguities in the directive mean that organisations are leaving decisions on IT security to business analysts, who are less aware of the need to maintain data integrity.
So, while business environments continue to expand, not using modern technology links can put businesses at a genuine disadvantage. Yet simultaneously, these partnerships and integrated processes bring with them new threats. In order to balance risk against reward, every company needs to strategically assess the security implications of opening up its IT and information network to other businesses and realise that they are “only as secure as their weakest link”.