Open Market, Security Lockdown

[From iSource Business, June 2001] Forget the annual report. A better way to see where a company is headed is a surreptitious look at its legal bills. Is it planning on going public? Is it merging with another firm or forming a joint venture? Is it bracing for a possible class action suit? Is it about to patent a revolutionary new product design? Gaining access to this information may violate any number of legal statutes, but it's pure gold to a competitor, not to mention shareholders or the media if you are big enough and public enough, like the United Parcel Service.

So when UPS decided to invest in a system that would automate, aggregate and analyze the information in the invoices that are sent from the 50 or so global law firms handling its affairs, executives placed security high on the list of selection criteria. We would have really been fools if we went with a solution that wasn't secure, says Jim Katsafanas, UPS' document exchange product manager.

Another Risk?

The number and types of risks a company must deal with these days just keeps growing and growing: being undersold by a startup dot-com that came out of nowhere. Hacker attacks by bored, mischievous 15-year-olds. Public relations fiascoes that spread across the country within hours via e-mail. Volatile and fluctuating financial markets, and, now, B2B security concerns.

Information, or data, security has always been an issue for companies, but it has become especially important over the last 10 years, as corporate espionage has gained a higher level of sophistication. But now, as companies increasingly automate supply chain operations, from research and development to procurement to manufacturing, many would argue that sensitive and competitive information is at an even greater risk than before. A lot of these exchanges and integrated supply chain systems are protected only with rudimentary authentication technologies, says Matthew Kovar, program manager for e-Networks and Broadband Access at the Boston-based Yankee Group.

Legal protections are also rudimentary, in many cases. Inappropriate data sharing in some e-marketplaces is a real concern among many companies, and there is little case law in place to protect or even guide participants.

There are other concerns as well, such as unresolved questions about who owns what information and who can sell it. There is hardly an e-marketplace these days successful enough to ignore one of its biggest profit sources -- the aggregation and sale of market data gleaned from its Web site. And, while consumers have some measure of protection, however limited that may be, businesses do not. Under U.S. law, businesses themselves do not have a right of privacy in their data, says Bart Lazar, partner in the high-tech group of the Chicago-based law firm, Seyfarth Shaw. Unless there is a confidentiality agreement in place, by doing business with an exchange the company is giving the exchange the right to use its information. And often these privacy statements merely require participants to keep other members' information private, but don't restrict the marketplace itself.

For their part, companies are well aware of the risks. In one recent Forrester Research survey, 53 percent of companies contacted said they worried about security in e-marketplaces and 48 percent worried about privacy and abuse of market information. Paradoxically, however, few companies take more than the basic precautions. The level of urgency is not there yet, says Mike Rothman, executive vice president of SHYM Technologies, a Nedham, Mass.-based Internet security company.

This is not to say companies should completely shun the benefits of automating and integrating a supply chain operation -- a stance that, these days, would be akin to embracing the views of the Flat Earth Society. However, there are a few myths about security that should be debunked before a company launches into such a project, or at least before it suffers a serious loss due to lax standards and procedures. As Rothman says, We have all seen the cycle before. People don't develop a sense of urgency about these things until someone else becomes road kill.

Myth 1: It's Not That Risky Out There

Well, this one isn't really a myth -- it's more of an unproven hypothesis. The truth is, no one knows for sure how risky e-commerce is, with one group asserting that the problem is underreported and underestimated and another faction claiming that the much-touted security risks are largely hype perpetrated by providers of security services. For once, statistics don't shed much light on the problem, as oftentimes they are contradictory. Most analysts agree that if there is a problem, it will be underreported because there is no marketplace exchange or company that would willingly publicize that its security has been breached. I am sure we don't know more than 5 percent of what is really happening out there, says Yankee Group's Kovar.

For his part, UPS' Katsafanas is firmly on the side of the believers. There are absolutely dangers out there, he says. To think this is overhype is an irresponsible attitude to take. Statistics may be low or incomplete, he says, but it is a difficult type of loss to measure. If people are stealing your data you don't necessarily know it.

UPS eventually chose, a Houston-based e-business provider of security software that facilitates the secure exchange of information between trading partners and applications, to protect its legal communications as it tracked and analyzed the spend in this particular area.

Now, Katsafanas says, when one of our law firms wants to move files from their point of business to ours electronically, we know when it left and when it arrived. Digital certificates, which are issued by DataCert itself, control who has access to what information. UPS has since rebranded the DataCert product and is marketing it under the UPS Document Exchange Invoices.

Other analysts tend to minimize security concerns. Security is a fear, but in some cases it has been overrated as a real threat, says Rob Burt, partner in PricewaterhouseCoopers' automotive practice. Indeed, some go so far as to argue that trade secrets are safer online than they are in a paper-based world because their paths are easier to track. The same can't always be said about a briefcase that is full of documents.

Myth 2: It's Only Paperclips. Who Cares If Someone Sees My Purchasing Information?

As Director of Molecular and Cellular Biology at Texas Biotechnology Corp., Larry Denner is in charge of expanding the company's drug discovery capabilities. e-Commerce finally made an appearance in his highly specialized and sophisticated neck of the woods when was launched, a B2B site dedicated to the pharmaceutical industry that has taken great pains to ensure security for its users, since privacy is a very important issue for the drug industry. No one wants a possible competitor to know what they're ordering, because the proprietary information is so valuable, says Scott Hutton, president of ChemNavigator.

Denner, it turns out, is a little bit more laidback about it all. It all depends on the information itself, he says, when asked about his attitude toward security. The compounds he ordered weren't the final molecules that will go into clinical development trials and I don't see them as being a real threat if someone else learned about them. At such an early stage of development, he says, I don't feel this information will give a competitor any substantial advantage. Denner's order of synthetic compounds was basically the equivalent of another company's order of paper clips -- a necessary but ultimately inconsequential purchase.

Indeed, few security specialists will get too worked up over a company that fails to safeguard its maintenance, repair and operations (MRO) data, unless credit card numbers are involved. However, as purchasing become more strategic, coordinating closely with research and development, product design, and manufacturing, then the specialists get a little excited about lax security.