Gremlin in the Works

It's almost impossible to figure ROI for information security investments. But as supply chains become more complex and business partners become more connected, IT security is increasingly the concern of the CFO.

October 28, 2003

Philip Cummings worked at a help desk for a suburban New York software company, where his employers found him to be pleasant, reliable and a safe bet. One day three years ago, federal prosecutors say, Cummings decided it was time to help himself. The company he worked for, Teledata Communications, makes software that gives corporate customers access to data from three credit-reporting agencies.

US prosecutors allege that Cummings used Teledata's software, as well as user codes and passwords, to order credit histories. Some 13,000 of the reports were filched from a single credit bureau, Experian, and were billed to Teledata customer Ford Credit. In the end, an estimated 30,000 reports were stolen and sold to street criminals who used them to obtain credit cards and raid bank accounts. The result was the largest case of identity theft ever, with losses totaling at least US$10 million.

You don't need to tell Experian or Ford Credit just how dangerous business relationships can be when security breaks down. It's a lesson that CFOs would also do well to heed. In this ever-more connected world, business partners are taking over whole functions of each other's operations and peering into each other's computer networks. These relationships expose them to risks not only from each other, but from each other's partners.

It's nearly impossible to figure ROI for security investments. But consider this: a partner with ineffective security could enable perpetrators to launch an attack on your system, gaining access to your production schedules and pricing models or stealing customer data and exposing you to legal liability. "If their network is not secure then you are leaving your network open to intrusion," says Darren Cerasi, IT security consultant at Hill & Associates Risk Consultancy in Singapore. "Oftentimes, companies do not even know that their systems have been hacked."

Even if your system isn't breached, a virus could disable your supplier, leaving you in the lurch. Or a customer could leak your intellectual property to unauthorized sources. "I've known of a couple of aircraft manufacturers whose maintenance information gets into the hands of airlines that they are not formally supporting," says Harry Demaio, US-based author of B2B and Beyond: New Business Models Built on Trust and former board member of security training and certification organization ISC2. "That's a problem." The challenge in keeping B2B relationships fruitful is to make sure both sides are secure, and it's a task some Asian companies are taking to heart.

Technology is both a friend and a foe in this battle. On the one hand, security technologies have improved to the point that tools like firewalls and intrusion detection devices are nearly commodities. And expensive leased lines linking partners can now be replaced by dramatically cheaper virtual private networks (VPNs)—point-to-point Internet connections protected by encryption.

Chain of Ghouls

On the other hand, security tools still have to be monitored. And with more people connecting in new and different ways every day, that job has become more complex. "The fact that information can be stored in a number of intermediate locations that I don't know about makes it extremely difficult," says Demaio. "The fact that I can download a massive amount of information in virtually nothing flat or that I can do file sharing à la MP3 without anyone acting as a control center, those all work more against security than they do in favor of it."

At the same time, hackers and bug-makers are getting smarter and more prolific. According to a report from US-based Internet Security Systems, the number of computer security incidents detected at businesses worldwide rose 84 percent between the fourth quarter of 2002 and the first quarter of this year, fueled in part by a surge in the number of mass-mailing worms. Run-of-the-mill viruses are also being replaced by so-called blended threats.

"A blended threat might come in via a web download, then access your address book and start sending itself out," says David Sykes, director of northern Asian operations for security solutions vendor Symantec. "It uses multiple ways of getting in and multiple ways of spreading itself. So both your firewall and your anti-virus programs have got to be up-to-date."

The result is, organizations—including most likely your own and your partners'—are still experiencing security breaches. "We've had all kinds," says Zoltan Peter Szabo, CIO of Hong Kong-based distribution and logistics company Edward Keller, "from simple attacks on web servers, to internal issues, to email viruses." Edward Keller typically has 50 to 60 attempted attacks a day, which is not unusual for a large company. International Data Corp (IDC) says 72 percent of the Asian enterprises it surveyed this year have experienced an Internet security breach, and 39 percent feel the volume of security threats has increased during the last year.

That doesn't mean every system that's breached is seriously compromised. Sykes reckons around 90 percent of attempted attacks on organizations are "just noise". They're either known viruses that are easily intercepted, or they're intrusions from so-called "script kiddies" using port-scanning tools to look for open computer ports. But 10 percent of the attempted attacks are serious and targeted at particular companies.

