Industry View

Don't Mind Your Own Business

Your information security may be great, but what about all the other players in your extended enterprise?

By Kerry Bailey

The frustration apparent in this comment is not unique to a sole, disenchanted participant. Rather, it is the norm. The fact is, information security is no longer a predominantly intra-organizational problem; it is now very much an inter-organizational problem.

Surprisingly, while survey respondents overwhelmingly agreed with the need to monitor the security of their business partners, fewer than half actually assessed partner security. The study demonstrated, however, that organizations that did conduct business partner security assessments experienced a more than three-fold reduction in the likelihood of security incidents.

When asked if their organizations had suffered a security incident involving business partners within the previous year, 32 percent of respondents reported at least one type of incident, with an additional 12 percent unsure. Of those organizations reporting incidents, malicious code was the most prevalent, with 43 percent of respondents reporting infections. This was followed by unauthorized network access (27 percent), denial of service (9 percent), system abuse or misuse (8 percent), data theft (7 percent) and fraud (6 percent).

The survey also showed that while good business partners are indeed valuable assets, they are also unfortunately a rare find. According to 72 percent of respondents in the study, secure business partners are in short supply.

So while the 21st-century connected organization stands to increase business productivity and competitiveness, it also increases the risk of security incidents. It is evident that organizations can no longer get by with inward-facing information security practices and policies alone. Yet while they recognize the need to monitor and assess their partners' security practices, they are slow to implement the practices that will reduce their own security risks as they continue to engage with outside organizations.

However, some positive trends are also evident and they present a clear framework for organizations that need to take the first step towards a partner security program.

First and foremost, partner assessments do in fact result in decreased security incidents: The Cybertrust study demonstrated that organizations conducting business partner security assessments experience a more than three-fold reduction in the likelihood of security incidents. That statistic alone makes the case for implementing partner security assessments as part of an organization's own security practices.

Most importantly, information security needs to be truly a management-level decision, particularly as traditional strategic decisions, like choosing business partners, increasingly involve security ramifications. The survey revealed that when management sets a high priority on information security relating to business partnerships, security incidents are half as likely to occur.

Kerry Bailey
