Gremlin in the Works

It's almost impossible to figure ROI for information security investments. But as supply chains become more complex and business partners become more connected, IT security is increasingly the concern of the CFO.

Philip Cummings worked at a help desk for a suburban New York software company, where his employers found him to be pleasant, reliable and a safe bet. One day three years ago, federal prosecutors say, Cummings decided it was time to help himself. The company he worked for, Teledata Communications, makes software that gives corporate customers access to data from three credit-reporting agencies.

US prosecutors allege that Cummings used Teledata’s software, as well as user codes and passwords, to order credit histories. Some 13,000 of the reports were filched from a single credit bureau, Experian, and were billed to Teledata customer Ford Credit. In the end, an estimated 30,000 reports were stolen and sold to street criminals who used them to obtain credit cards and raid bank accounts. The result was the largest case of identity theft ever, with losses totaling at least US$10 million.

You don’t need to tell Experian or Ford Credit just how dangerous business relationships can be when security breaks down. It’s a lesson that CFOs would also do well to heed. In this ever-more connected world, business partners are taking over whole functions of each other’s operations and peering into each other’s computer networks. These relationships expose them to risks not only from each other, but from each other’s partners.

It’s nearly impossible to figure ROI for security investments. But consider this: a partner with ineffective security could enable perpetrators to launch an attack on your system, gaining access to your production schedules and pricing models or stealing customer data and exposing you to legal liability. “If their network is not secure then you are leaving your network open to intrusion,” says Darren Cerasi, IT security consultant at Hill & Associates Risk Consultancy in Singapore. “Oftentimes, companies do not even know that their systems have been hacked.”

Even if your system isn’t breached, a virus could disable your supplier, leaving you in the lurch. Or a customer could leak your intellectual property to unauthorized sources. “I’ve known of a couple of aircraft manufacturers whose maintenance information gets into the hands of airlines that they are not formally supporting,” says Harry Demaio, US-based author of B2B and Beyond: New Business Models Built on Trust and former board member of security training and certification organization ISC2. “That’s a problem.” The challenge in keeping B2B relationships fruitful is to make sure both sides are secure, and it’s a task some Asian companies are taking to heart.

Technology is both a friend and a foe in this battle. On the one hand, security technologies have improved to the point that tools like firewalls and intrusion detection devices are nearly commodities. And expensive leased lines linking partners can now be replaced by dramatically cheaper virtual private networks (VPNs)—point-to-point Internet connections protected by encryption.

Chain of Ghouls

On the other hand, security tools still have to be monitored. And with more people connecting in new and different ways every day, that job has become more complex. “The fact that information can be stored in a number of intermediate locations that I don’t know about makes it extremely difficult,” says Demaio. “The fact that I can download a massive amount of information in virtually nothing flat or that I can do file sharing à la MP3 without anyone acting as a control center, those all work more against security than they do in favor of it.”
