How To

How to Minimize E-Commerce Risk

Top infosecurity pros offer 5 strategies for protecting corporate networks even as you link more closely with your business partners

By Kim Girard

July 01, 2003

CSO — Bruce Schneier sells services that protect corporate networks, but he isn't promising any miracles when it comes to the behavior of your business partners. "Do business with people you trust," says Schneier, founder and CTO at Counterpane Internet Security. "Don't do business with people you don't trust. It's no different than the world's been for centuries."

CSOs such as Steve Haydostian may find that chestnut a tad simplistic. He is chief information security officer at Health Net, a $10 billion managed health-care company. For Fortune 500 companies like Health Net, and even for much smaller ones, the complexity of the global network and the pervasiveness of e-commerce have increased information security risks by orders of magnitude. And in the current lackluster economy, many money-saving business moves, from outsourcing manufacturing to collaborative planning, are making companies still more vulnerable. Michael Rasmussen, security analyst at Giga Information Group, sums it up elegantly: "Companies are scared their business partners are their liability, the doorway of compromise into their environment."

So for the security officer who has too many e-commerce partners to do business on a handshake-and-backslap basis, what can improve the security odds? CSOs interviewed for this article offer up a mélange of approaches toward securing e-commerce networks. Often, these strategies seem more like works in progress than steadfast plans. Yet many CSOs are cobbling together strategies that mix old infosecurity standbys (savvier use of outsourcing, a host of intrusion and virus detection software, tighter network management, improved policies, better employee training) with reliance on a growing crop of regulations and industry standards that add complexity but at least provide relief by enabling business partners to communicate using a common language.

Even when every preventive item on the IT list is checked, can a company still be certain that its partnerships are 100 percent bulletproof? No. But while CSOs can't eliminate all the risk from e-commerce, they can borrow ideas and best-practice methods for protecting critical data. So where's a company to start?

1. Know Thy Relationships

First, understand what you manage by taking inventory, not only of your own network but also of your business connections and partnerships. This gets tricky for companies that have scores of subsidiaries or have gone through mergers and acquisitions. But doing so will create a baseline from which to measure progress, says Ted DeZabala, a principal in Deloitte & Touche's enterprise security services group who advises the Fortune 500 on security policy. A CSO who doesn't have this basic knowledge "won't be around for long," he says. Any network inventory should include a rock-solid list of outsiders who have access. Consider this blunder: In March, a government agency Rasmussen worked with discovered it still had a live connection to a banking partner it no longer did business with. "They weren't aware of it," he says. "They had a legacy connection that was never taken down." It sounds obvious, but businesses get caught unaware all the time. In fact, up to 20 percent of network routers are providing inappropriate access to corporate networks, systems, applications and data over the Internet, according to the Aberdeen Group.
