A third of organizations responding to a recent survey said business partners had caused a security incident in the past year.
John P. Mello Jr., CFO.com | US
October 16, 2006
It's hard for any company to do business these days without partners. Even vendors are routinely described as partners. But for the people within your company responsible for your network and computer systems, partners are more aptly described as a giant security headache.
According to a recent survey released by Cybertrust, a global information security services firm based in Herndon, Va., nearly 75 percent of the respondents — which included a range of managers and professionals in the IT, security and business fields — felt their business partners increased the level of information security risk to their organizations.
"Though we expected IT and security professionals to have a much higher perception of risk," the surveyors confess, "results imply a fairly consistent sentiment of concern at all organizational levels."
When asked to name the most worrisome risks stemming from business partnerships, the survey sample cited network intrusions (68 percent), data theft (64 percent), virus infections (49 percent) and fraud (43 percent).
They also noted that 32 percent of the organizations in the study reported a security incident involving a business partner in the last year.
"There's often a gap in information security between what people perceive as a risk and what really is a risk," observes Cybertrust senior vice president for marketing Jim Ivers. "So the fact that there's a one-in-three chance that a partner can generate a problem for you is a pretty significant figure."
The surveyors also discovered that 13 percent of the respondents reported terminating a relationship with a partner because of information security concerns.
"I was a bit taken aback by how many people actually terminated a relationship, that this could be deemed serious enough that it could be deemed a barrier to doing business," Ivers admits.
"We're reaching a point where if you're competing to partner with a company and your product isn't that well differentiated, your ability to be a secure partner may be the differentiator that gets you more business," he adds.
Not surprisingly, the study revealed an inverse correlation between security incidents and the adoption of partner-security best practices, and a similar one between incidents and management support of security efforts. Of the organizations that described their partner-related security practices as non-existent, 82 percent reported a security incident. Of those that termed their practices poor, 57 percent reported incidents.
Almost half the participants in the survey believe their organization's management gives information security little to no priority when making decisions related to business partners.
Of companies that gave partner-related security a low priority, the surveyors disclosed, 60 percent suffered a security incident. Of those that gave it a high priority, about 20 percent experienced an incident.
The security challenges created by the extended enterprise are part of a larger problem facing business computer networks, according to Vlad Gorelik, CTO of Sana Security in San Mateo, Calif.
"It's a subset of the issue of a very porous network perimeter around corporations," he says. "The notion that you can have a secure wall around your business where everything inside the wall is safe has been eroding for quite a while. Partners are one aspect of that."
The historic trend for companies has been to put up firewalls and just keep people out, explains Matthew Gardiner, a product marketing manager with Computer Associates, a computer services company based in Islandia, N.Y.
"But the realities of business partners and consumer Internet access to applications and all that has made the perimeter approach unviable," he observes. "You have to let people in and out of your system."
While it's hard to manage something that's not under your control, such as your partners' behavior, Gardiner maintains that this by no means lets a company off the hook for securing its data.
"You can outsource business functions, but you can't outsource responsibility," he declares. "If someone handles your data, what they do with it ultimately reflects on you."