It's almost impossible to figure ROI for information security investments. But as supply chains become more complex and business partners become more connected, IT security is increasingly the concern of the CFO.
Yasmin Ghahremani, CFO Asia
October 28, 2003
Philip Cummings worked at a help desk for a suburban New York software company, where his employers found him to be pleasant, reliable and a safe bet. One day three years ago, federal prosecutors say, Cummings decided it was time to help himself. The company he worked for, Teledata Communications, makes software that gives corporate customers access to data from three credit-reporting agencies.
US prosecutors allege that Cummings used Teledata's software, as well as user codes and passwords, to order credit histories. Some 13,000 of the reports were filched from a single credit bureau, Experian, and were billed to Teledata customer Ford Credit. In the end, an estimated 30,000 reports were stolen and sold to street criminals who used them to obtain credit cards and raid bank accounts. The result was the largest case of identity theft ever, with losses totaling at least US$10 million.
You don't need to tell Experian or Ford Credit just how dangerous business relationships can be when security breaks down. It's a lesson that CFOs would also do well to heed. In this ever-more connected world, business partners are taking over whole functions of each other's operations and peering into each other's computer networks. These relationships expose them to risks not only from each other, but from each other's partners.
It's nearly impossible to figure ROI for security investments. But consider this: a partner with ineffective security could enable perpetrators to launch an attack on your system, gaining access to your production schedules and pricing models or stealing customer data and exposing you to legal liability. "If their network is not secure then you are leaving your network open to intrusion," says Darren Cerasi, IT security consultant at Hill & Associates Risk Consultancy in Singapore. "Oftentimes, companies do not even know that their systems have been hacked."
Even if your system isn't breached, a virus could disable your supplier, leaving you in the lurch. Or a customer could leak your intellectual property to unauthorized sources. "I've known of a couple of aircraft manufacturers whose maintenance information gets into the hands of airlines that they are not formally supporting," says Harry Demaio, US-based author of B2B and Beyond: New Business Models Built on Trust and former board member of security training and certification organization ISC2. "That's a problem." The challenge in keeping B2B relationships fruitful is to make sure both sides are secure, and it's a task some Asian companies are taking to heart.
Technology is both a friend and a foe in this battle. On the one hand, security technologies have improved to the point that tools like firewalls and intrusion detection devices are nearly commodities. And expensive leased lines linking partners can now be replaced by dramatically cheaper virtual private networks (VPNs)—point-to-point Internet connections protected by encryption.
Chain of Ghouls
On the other hand, security tools still have to be monitored. And with more people connecting in new and different ways every day, that job has become more complex. "The fact that information can be stored in a number of intermediate locations that I don't know about makes it extremely difficult," says Demaio. "The fact that I can download a massive amount of information in virtually nothing flat or that I can do file sharing à la MP3 without anyone acting as a control center, those all work more against security than they do in favor of it."
At the same time, hackers and bug-makers are getting smarter and more prolific. According to a report from US-based Internet Security Systems, the number of computer security incidents detected at businesses worldwide rose 84 percent between the fourth quarter of 2002 and the first quarter of this year, fueled in part by a surge in the number of mass-mailing worms. Run-of-the-mill viruses are also being replaced by so-called blended threats.
"A blended threat might come in via a web download, then access your address book and start sending itself out," says David Sykes, director of northern Asian operations for security solutions vendor Symantec. "It uses multiple ways of getting in and multiple ways of spreading itself. So both your firewall and your anti-virus programs have got to be up-to-date."
The result is, organizations—including most likely your own and your partners'—are still experiencing security breaches. "We've had all kinds," says Zoltan Peter Szabo, CIO of Hong Kong-based distribution and logistics company Edward Keller, "from simple attacks on web servers, to internal issues, to email viruses." Edward Keller typically has 50 to 60 attempted attacks a day, which is not unusual for a large company. International Data Corp (IDC) says 72 percent of the Asian enterprises it surveyed this year have experienced an Internet security breach, and 39 percent feel the volume of security threats has increased during the last year.
That doesn't mean every system that's breached is seriously compromised. Sykes reckons around 90 percent of attempted attacks on organizations are "just noise". They're either known viruses that are easily intercepted, or they're intrusions from so-called "script kiddies" using port-scanning tools to look for open computer ports. But 10 percent of the attempted attacks are serious and targeted at particular companies.
The first step in repelling them and creating a secure B2B relationship is ensuring your own house is in order. Often that starts with a risk assessment. "Before even entering into an e-commerce venture companies should check that their networks are safe from intrusion," says Hill & Associates' Cerasi. "There are a number of service providers that offer varying IT reviews, from the basic check to an in-depth ISO 17799 certification." ISO 17799 is an internationally recognized generic information security standard.
These days an assessment should examine rules and procedures as well as technology. That's because security breaches often have more to do with humans than with machines. Intrusion detection systems can't keep out thieves who obtain passwords from employees over the phone while posing as members of the IT staff. "Security technology is very mature right now," says Uantchern Loh, a partner in Ernst & Young's security risk services practice in Singapore. "It's how you use and manage security that's the weakest link."
A good security policy helps address security management, and it's one of the first things many larger customers will want to see before they link up electronically with a supplier. A policy identifies what information you have where, and how you want to protect it. It sets out procedures that can help prevent some of the most common security failures, including the handing out of passwords to telephone callers. It should also define who gets access to various systems and databases, and how that access is controlled. Experts say top managers should be involved in policy formulation because they need to define the business objectives—and to keep gizmo-happy IT staff in line.
"After a while you realize some of the stuff the tech guys recommend is nice to have," says Loh, "but maybe it's too sophisticated for users, maybe it's too expensive if the ROI isn't there, or maybe the timing's just not right."
One of the most basic areas of security concern is email. Email is often the entry point for viruses. Symantec had one client, a plastics manufacturer in Taiwan, that was running its production line on the same network as its email. "It would not have been a big jump for a virus to come in via an email attachment and bring down the whole automated production line," says Sykes.
The other risk with email is that disgruntled or even merely careless employees can leak sensitive information. In fact, a departing staff member at Taiwan Semiconductor Manufacturing (TSMC) did just that a few years ago, though the company won't say what type of information the employee divulged. Suspicious colleagues alerted management that something fishy might be going on, and because TSMC makes a policy of storing all sent and received emails, the employee was caught and eventually sued.
After that, the company began encrypting sensitive documents with a product called Authentica. Protected documents can be read internally, using a key stored on the TSMC server. But if they're sent out, the key cannot be accessed and they will be unreadable. TSMC also beefed up its email system with an option that allows users to encrypt outgoing emails with the click of a button.
In light of experiences like TSMC's some experts recommend background checks on employees and on suppliers' staff. "If they work in a not-so-sensitive area, it's not necessary," says Ernst & Young's Loh. "But those who access pricing information or customer information should be subject to background checks." Risk and technology officers at Singapore-based shipping giant APL agree.
As part of the company's commitment to a new global security initiative called C-TPAT (Customs-Trade Partnership Against Terrorism), it conducts background checks on some of its employees and expects the same of its partners. "We wouldn't do background checks on our suppliers' people but we would require them to do checks on people in certain positions if they're doing business with us," says CIO Cindy Stoddard.
Another issue to be addressed for secure B2B relationships is how to keep your e-commerce systems safe from outside intrusions. Chartered Semiconductor Manufacturing employs an approach called defense in depth for its online supply-chain collaboration system. "Defense in depth is a concept borrowed from the military, in which the protection of assets does not rely on any one barrier," says Bret Watson, Chartered's head of IT Security. "If one defense is broken, there are always more behind it. Each layer consists of a deterrent, a detection system, a delay and some means to respond to the detection." An intruder would have to get through at least five layers of defense—including multiple firewalls—to get to Chartered's critical e-business server. The farthest anyone's gotten so far is through the first layer, at which point they were cut off.
A bigger risk for B2B partners than hackers, however, is other members of the supply chain. You need to make sure they don't access data that they're not supposed to see. "It all comes down to protecting information," says Nathan Midler, senior analyst at IDC. "Companies need solutions that allow access to the right people, but protect information they do not want made available to customers or, even more difficult, do not want made available to certain customers."
For an organization like Clearing and Payment Services (CAPS) that sort of data separation is critical. CAPS is a company set up by Singapore's three biggest banks—the Development Bank of Singapore, the Overseas Chinese Banking Corporation and United Overseas Bank—to provide Continuous Linked Settlement (CLS). CLS is a real-time foreign currency trading settlement system that eliminates the exchange risks banks normally assume by working in different time zones. By teaming up, the Singapore banks can share the costs of using CLS. But that's where the cooperation ends.
The banks are still competitors, and they aren't about to start sharing the kind of information that's coming in and out of CAPS. So CAPS must ensure that data flow for each bank goes only to that bank. Because the stakes are so high, CAPS has eschewed even VPN technology for transmitting transactional data. Instead it uses dedicated secure leased lines between itself and its three shareholders. All transactional data is encrypted using public-key infrastructure technology, which is one of the toughest forms of encryption available. And management has instituted stringent policies and procedures, including access control provisions that apply to staff of CAPS and its customer banks. "The key factor in determining the components of the CAPS security policy," says Denis Malone, head of CAPS' IT and operations, "was the need to ensure strict levels of confidentiality around our customers' data, together with the secure and reliable processing of the customers' data."
TSMC is no stranger to the need for airtight controls on customer data either. Clients trust the chipmaker with not only commercial information, but also proprietary designs. That information is accessible through TSMC's suite of web-based collaboration and transactional applications, which make interactions infinitely more convenient than they were in the days of faxes and phone calls. But those applications are also open to abuse if not carefully monitored. Therefore, TSMC restricts access to information on a strict need-to-know basis, both within the company and within its suppliers' and customers' organizations.
"We segment our content into various categories, such as design data, technical files, logistics data, pricing and shipping," says CIO Quincy Lin. "With every customer we develop a matrix and, working with the foundry director, we discuss which people should be allowed or disallowed in each category." So a customer's engineers might have access to design data but not pricing, and its sales people might be able to see inventory information but not designs. TSMC also tells partners that an employee's access must be revoked when he or she leaves the company. "That's protecting their data and ours," says Lin.
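The per-customer matrix Lin describes (categories on one axis, a partner's roles on the other, deny by default, access revoked when someone leaves) can be written down as a small policy check. The following is an added illustration, not TSMC's own system; the partner name, roles and grants are constructed for the example.

```python
from dataclasses import dataclass

# Content categories named in the article; any other category is rejected outright.
CATEGORIES = {"design_data", "technical_files", "logistics_data", "pricing", "shipping"}


@dataclass
class PartnerUser:
    user_id: str
    partner: str
    role: str
    active: bool = True  # set to False once the partner reports the person has left


class PartnerAccessMatrix:
    """partner -> category -> set of roles allowed. Anything not granted is denied."""

    def __init__(self):
        self._matrix = {}
        self._users = {}
        self.decisions = []  # (user_id, category, allowed) -- the access trail auditors ask for

    def grant(self, partner, category, role):
        if category not in CATEGORIES:
            raise ValueError(f"unknown category: {category}")
        self._matrix.setdefault(partner, {}).setdefault(category, set()).add(role)

    def register_user(self, user):
        self._users[user.user_id] = user

    def revoke_user(self, user_id):
        # Revocation is a flag flip, not a delete, so the decision trail stays attributable.
        self._users[user_id].active = False

    def can_access(self, user_id, category):
        user = self._users.get(user_id)
        allowed = False
        if user is not None and user.active and category in CATEGORIES:
            roles = self._matrix.get(user.partner, {}).get(category, set())
            allowed = user.role in roles
        self.decisions.append((user_id, category, allowed))
        return allowed


def build_demo_matrix():
    """Constructed partner 'acme-chips': engineers see designs, sales sees logistics."""
    m = PartnerAccessMatrix()
    for cat in ("design_data", "technical_files"):
        m.grant("acme-chips", cat, "engineer")
    for cat in ("logistics_data", "shipping"):
        m.grant("acme-chips", cat, "sales")
    m.register_user(PartnerUser("eng-1", "acme-chips", "engineer"))
    m.register_user(PartnerUser("sales-1", "acme-chips", "sales"))
    return m


if __name__ == "__main__":
    m = build_demo_matrix()
    print(m.can_access("eng-1", "design_data"))   # engineer may see designs
    print(m.can_access("eng-1", "pricing"))       # but not pricing
    m.revoke_user("eng-1")
    print(m.can_access("eng-1", "design_data"))   # denied after leaving the partner
```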
Indeed, getting a partner to meet your security requirements is the other half of the equation for safe B2B relationships. Visa is a master at it. Three years ago the credit card company instituted a set of standards called the Account Information Security (AIS) Program. It lists 15 security requirements for every merchant that accepts Visa credit cards. They include restricting access to Visa account and transaction data on a need-to-know basis, installing a firewall if data can be internet accessed, tracking access to data, encrypting data sent across networks and regularly testing systems and procedures. Smaller mom-and-pop shops can use an online validation tool to assess whether they are compliant, whereas larger merchants must go through extensive third-party audits. The banks that process Visa payments for the merchants are responsible for validating merchant compliance. If a merchant doesn't fix a problem within a given remediation period, Visa may fine the bank.
And if that's still not enough to get the problem solved? "Ultimately, merchants must meet AIS Program standards to continue accepting Visa payment products," says Edward Lodens, regional manager of e-commerce risk for Visa Asia Pacific. "It is simply a matter of good business."
US wireless provider Motorola, which handles nearly all of its procurement electronically, is nearly as demanding. Every supplier linked to Motorola's procurement system must sign a non-disclosure agreement and manage its systems to Motorola's expectations—including demonstrating that its anti-virus software is up-to-date and that it has installed personal firewalls on each computer that's connecting. "We share our policies and company standards and guidelines with our vendors," says Steven See, Asia Pacific director of Motorola Information Protection Services. "Likewise, we expect them to adhere to these security standards and policies." Suppliers with problems complying can be reviewed by an external panel of security organizations and vendors, which will assess their risks and advise them on what remediation efforts are needed.
But the bottom line is, Motorola, like Visa, won't do business with suppliers that can't get their acts up to snuff.
The situation is often more complicated when it comes to customers. Edward Keller uses VPN connections to allow its larger logistics and distribution customers to link up with its inventory tracking system. But small local operations often don't have the technological sophistication to do that. In those cases, Edward Keller tends to restrict access—or not allow any at all. "But it's hard because people are more and more hungry for information," says Szabo. "It's not enough to just get their products from point A to B any more. They want information services." Chartered Semiconductor tends to soft-pedal its security requirements for customers. "There are times when we have to negotiate something, rather than demand it, from a customer," says Watson.
In the end, building secure B2B relationships comes down to using common sense to get the most assurance you can from your partners. Security is an ongoing, dynamic challenge that needs to be approached with some flexibility. Demaio says the key thing to remember is that, no matter what equipment or procedures are used, security efforts should be reciprocal in nature and demonstrable. "You're not establishing security; you're establishing trust," he says. And that, after all, is what building relationships is all about.
Yasmin Ghahremani is a contributing editor at CFO Asia.
Are You Certifiable?
There's not much room for error on the security front if you're running an application service provider. V Mathivanan, CEO of Singapore-based ASP CrimsonLogic, likens it to running a bank, only instead of storing millions of dollars the company stores millions of dollars worth of data. "Would you put your money in a bank without proper security?" he asks. "We have to make sure we have processes in place that make people feel comfortable."
A couple of years ago, he decided the best way to do that was to get certified under the British Standard code BS 7799. Drafted in 1995, the standard was originally intended as a security framework for the then-nascent e-commerce industry. It was later revised to become more general and adaptable to almost any organization. Part one of BS 7799 defines best practices for security management, and part two—the part that's certifiable—outlines how to create an information security management system. The International Organization for Standardization (ISO) has come up with an equivalent standard called ISO 17799.
Both of the standards identify ten domains for security management, such as security policy, personnel security, physical security, systems development and maintenance, and business continuity management. These break down into 127 control points. "The security problem is a very complicated one," says Chuang Shyne Song, general manager of RadianTrust, the security consultancy that worked with CrimsonLogic on the accreditation process. "BS 7799 tries to break this problem into different parts and structure it so it's easier to manage."
Still, the process of getting certified is not an easy one. It starts with an internal review of procedures, and eventually includes several audits by an outside authority. Once a company is certified, auditors conduct reviews every six months and can at any time do spot checks that include random interviews with personnel. That means every member of the staff must understand the company's security policy.
While CrimsonLogic has always had what it considers a strong security policy, the accreditation process revealed several areas where there was room for improvement. For instance, the company uses closed-circuit television cameras to monitor critical areas of its operations, but auditors pointed out that the recorder wasn't secured. Someone could tamper with the tapes while they were recording. So the recorder is now kept in a locked metal box, and staff must sign out keys to open it.
In all, CrimsonLogic spent US$285,000 on the year-long certification process, an expense Mathivanan considers well worthwhile. In the long run he thinks the measures taken will save money and prevent security breaches that would undoubtedly cost the company business. "The loss of credibility is a high cost to pay," he says.
Experts point out that while BS 7799 and ISO 17799 constitute a good framework on which to carry out security, a certificate isn't a substitute for ongoing diligence. "I despair of the idea of someone saying I'll look at every letter of ISO 17799, tick off whether I'm compliant, and walk out the door feeling that I'm secure," says US-based security guru Harry Demaio. "A standard of that sort can't do that. It's too generic."
Mathivanan agrees. But he considers BS 7799 a good starting place. And as an internationally recognized stamp of approval, it helps reassure clients that the company takes security seriously. "This is something to tell customers, something that shows the pain and trouble we go to to keep their data secure," he says. —Y.G.