How to Minimize E-Commerce Risk

Top infosecurity pros offer 5 strategies for protecting corporate networks even as you link more closely with your business partners

Bruce Schneier sells services that protect corporate networks, but he isn't promising any miracles when it comes to the behavior of your business partners. "Do business with people you trust," says Schneier, founder and CTO at Counterpane Internet Security. "Don't do business with people you don't trust. It's no different than the world's been for centuries."

CSOs such as Steve Haydostian may find that chestnut a tad simplistic. He is chief information security officer at Health Net, a $10 billion managed health-care company. For Fortune 500 companies like Health Net, and even for much smaller ones, the complexity of the global network and the pervasiveness of e-commerce have increased information security risks by orders of magnitude. And in the current lackluster economy, many money-saving business moves, from outsourcing manufacturing to collaborative planning, are making companies still more vulnerable. Michael Rasmussen, security analyst at Giga Information Group, sums it up elegantly: "Companies are scared their business partners are their liability, the doorway of compromise into their environment."

So for the security officer who has too many e-commerce partners to do business on a handshake-and-backslap basis, what can improve the security odds? CSOs interviewed for this article offer up a mélange of approaches toward securing e-commerce networks. Often, these strategies seem more like works in progress than steadfast plans. Yet many CSOs are cobbling together strategies that mix old infosecurity standbys (savvier use of outsourcing, a host of intrusion and virus detection software, tighter network management, improved policies, better employee training) with reliance on a growing crop of regulations and industry standards that add complexity but at least provide relief by enabling business partners to communicate using a common language.

Even when every preventive item on the IT list is checked, can a company still be certain that its partnerships are 100 percent bulletproof? No. But while CSOs can't eliminate all the risk from e-commerce, they can borrow ideas and best-practice methods for protecting critical data. So where's a company to start?

1. Know Thy Relationships

First, understand what you manage by taking inventory, not only of your own network but also of your business connections and partnerships. This gets tricky for companies that have scores of subsidiaries or have gone through mergers and acquisitions. But doing so will create a baseline from which to measure progress, says Ted DeZabala, a principal in Deloitte & Touche's enterprise security services group who advises the Fortune 500 on security policy. A CSO who doesn't have this basic knowledge "won't be around for long," he says. Any network inventory should include a rock-solid list of outsiders who have access. Consider this blunder: In March, a government agency Rasmussen worked with discovered it still had a live connection to a banking partner it no longer did business with. "They weren't aware of it," he says. "They had a legacy connection that was never taken down." It sounds obvious, but businesses get caught unaware all the time. In fact, up to 20 percent of network routers are providing inappropriate access to corporate networks, systems, applications and data over the Internet, according to the Aberdeen Group.

Various tools and services can help speed up this inventory process. Dave Cullinane, CISO at Washington Mutual, a Seattle-based bank with 2,500 offices, mentions services provided by Lumeta as an example. Lumeta creates maps that help companies understand how their global network connects to their partners and to the Internet. Companies use the maps to identify previously unknown routes into the network or to see where users are making unauthorized connections. This kind of work doesn't come cheap (pricing for Lumeta's IPsonar service starts at $21,500 for a one-time scan and limited license) but should be weighed against the potential cost of a breach. "Network mapping is essential," Cullinane says. "Ideally, it should show how to segment the network, so if an attack occurs in sector A, you can prevent it from spreading to the other sectors."
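As an added illustration of the inventory and mapping checks described above (not code from the article or from any vendor named in it), the following Python script reconciles firewall permit rules against a partner inventory and flags rules for terminated partners (the legacy bank connection Rasmussen describes), sources no inventoried partner accounts for, and partners whose rules reach beyond their approved network segment. The rule format, the partner list and every address are constructed assumptions.

```python
# Added example (not from the article): reconcile partner-facing firewall rules
# against the partner inventory. All rules, partners and addresses are constructed.
import ipaddress
from dataclasses import dataclass

@dataclass
class Partner:
    name: str
    status: str                 # "active" or "terminated"
    source: str                 # CIDR the partner connects from
    allowed_segment: str        # CIDR the partner may reach internally

# Constructed partner inventory: the baseline the text says a CSO must own.
PARTNERS = [
    Partner("clearinghouse-a", "active", "198.51.100.0/24", "10.20.0.0/16"),
    Partner("old-bank", "terminated", "203.0.113.0/24", "10.30.0.0/16"),
]

# Constructed firewall rules in an assumed "permit SRC -> DST" format.
RULES = [
    "permit 198.51.100.0/24 -> 10.20.5.0/24",   # active partner, inside its segment
    "permit 198.51.100.0/24 -> 10.40.0.0/16",   # active partner, outside its segment
    "permit 203.0.113.0/24 -> 10.30.0.0/16",    # legacy rule for a terminated partner
    "permit 192.0.2.0/24 -> 10.20.0.0/16",      # source nobody has inventoried
]

def parse_rule(line):
    # "permit SRC -> DST" -> (src_network, dst_network)
    action, src, arrow, dst = line.split()
    if action != "permit" or arrow != "->":
        raise ValueError(f"unrecognised rule: {line!r}")
    return ipaddress.ip_network(src), ipaddress.ip_network(dst)

def audit_rules(rules, partners):
    """Return (rule, finding) pairs; empty means every rule maps to an active partner inside its segment."""
    findings = []
    for line in rules:
        src, dst = parse_rule(line)
        owner = next((p for p in partners
                      if src.subnet_of(ipaddress.ip_network(p.source))), None)
        if owner is None:
            findings.append((line, "unknown source: no inventoried partner"))
        elif owner.status != "active":
            findings.append((line, f"legacy connection: {owner.name} is {owner.status}"))
        elif not dst.subnet_of(ipaddress.ip_network(owner.allowed_segment)):
            findings.append((line, f"{owner.name} reaches outside its segment {owner.allowed_segment}"))
    return findings

if __name__ == "__main__":
    for rule, finding in audit_rules(RULES, PARTNERS):
        print(f"{finding}: {rule}")
```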

This inventory and mapping chore never really ends. Albert Oriol, privacy and data security officer at The Children's Hospital in Denver, is finding that a sound e-commerce security map is a work in progress. When Oriol started at the hospital in 2001, he first had some internal security gaps to close. Only after he and his team implemented redundant firewalls, invested in an intrusion detection system and deployed antivirus software to all servers, did Oriol start finding time to look outside his own network. Now, he's helping security officers from the hospital's five affiliates understand how patient data flows through the network and addressing issues such as standardizing remote access and e-mail encryption. Those needs don't sit still. "We're trying to get the things that need to flow through on the network, and the things that don't off it," he says. "We keep refining it. It's a never-ending process."

(Think the little guys are safe from e-commerce-induced vulnerabilities? Read the sidebar to this story, "Small Company, Big Trouble.")
