Open Market, Security Lockdown

Information security has always been an issue for companies, but now, as company processes become increasingly automated, many would argue that sensitive and competitive information is more vulnerable than it's ever been.

[From iSource Business, June 2001] Forget the annual report. A better way to see where a company is headed is a surreptitious look at its legal bills. Is it planning on going public? Is it merging with another firm or forming a joint venture? Is it bracing for a possible class action suit? Is it about to patent a revolutionary new product design? Gaining access to this information may violate any number of legal statutes, but it's pure gold to a competitor, not to mention shareholders or the media if you are big enough and public enough, like the United Parcel Service.

So when UPS decided to invest in a system that would automate, aggregate and analyze the information in the invoices that are sent from the 50 or so global law firms handling its affairs, executives placed security high on the list of selection criteria. "We would have really been fools if we went with a solution that wasn't secure," says Jim Katsafanas, UPS' document exchange product manager.

Another Risk?

The number and types of risks a company must deal with these days just keep growing: being undersold by a startup dot-com that came out of nowhere; hacker attacks by bored, mischievous 15-year-olds; public relations fiascoes that spread across the country within hours via e-mail; volatile and fluctuating financial markets; and, now, B2B security concerns.

Information, or data, security has always been an issue for companies, but it has become especially important over the last 10 years, as corporate espionage has gained a higher level of sophistication. But now, as companies increasingly automate supply chain operations, from research and development to procurement to manufacturing, many would argue that sensitive and competitive information is at an even greater risk than before. "A lot of these exchanges and integrated supply chain systems are protected only with rudimentary authentication technologies," says Matthew Kovar, program manager for e-Networks and Broadband Access at the Boston-based Yankee Group.

Legal protections are also rudimentary, in many cases. Inappropriate data sharing in some e-marketplaces is a real concern among many companies, and there is little case law in place to protect or even guide participants.

There are other concerns as well, such as unresolved questions about who owns what information and who can sell it. There is hardly an e-marketplace these days successful enough to ignore one of its biggest profit sources -- the aggregation and sale of market data gleaned from its Web site. And, while consumers have some measure of protection, however limited that may be, businesses do not. "Under U.S. law, businesses themselves do not have a right of privacy in their data," says Bart Lazar, partner in the high-tech group of the Chicago-based law firm Seyfarth Shaw. "Unless there is a confidentiality agreement in place, by doing business with an exchange the company is giving the exchange the right to use its information." And often these privacy statements merely require participants to keep other members' information private, but don't restrict the marketplace itself.

For their part, companies are well aware of the risks. In one recent Forrester Research survey, 53 percent of companies contacted said they worried about security in e-marketplaces and 48 percent worried about privacy and abuse of market information. Paradoxically, however, few companies take more than the basic precautions. "The level of urgency is not there yet," says Mike Rothman, executive vice president of SHYM Technologies, a Needham, Mass.-based Internet security company.

This is not to say companies should completely shun the benefits of automating and integrating a supply chain operation -- a stance that, these days, would be akin to embracing the views of the Flat Earth Society. However, there are a few myths about security that should be debunked before a company launches into such a project, or at least before it suffers a serious loss due to lax standards and procedures. As Rothman says, "We have all seen the cycle before. People don't develop a sense of urgency about these things until someone else becomes road kill."

Myth 1: It's Not That Risky Out There

Well, this one isn't really a myth -- it's more of an unproven hypothesis. The truth is, no one knows for sure how risky e-commerce is, with one group asserting that the problem is underreported and underestimated and another faction claiming that the much-touted security risks are largely hype perpetrated by providers of security services. For once, statistics don't shed much light on the problem, as oftentimes they are contradictory. Most analysts agree that if there is a problem, it will be underreported because there is no marketplace exchange or company that would willingly publicize that its security has been breached. "I am sure we don't know more than 5 percent of what is really happening out there," says Yankee Group's Kovar.

For his part, UPS' Katsafanas is firmly on the side of the believers. "There are absolutely dangers out there," he says. "To think this is overhype is an irresponsible attitude to take." Statistics may be low or incomplete, he says, "but it is a difficult type of loss to measure. If people are stealing your data you don't necessarily know it."

UPS eventually chose DataCert, a Houston-based e-business provider of security software that facilitates the secure exchange of information between trading partners and applications, to protect its legal communications as it tracked and analyzed the spend in this particular area.

Now, Katsafanas says, "when one of our law firms wants to move files from their point of business to ours electronically, we know when it left and when it arrived." Digital certificates, which are issued by DataCert itself, control who has access to what information. UPS has since rebranded the DataCert product and is marketing it under the name UPS Document Exchange Invoices.

Other analysts tend to minimize security concerns. "Security is a fear, but in some cases it has been overrated as a real threat," says Rob Burt, partner in PricewaterhouseCoopers' automotive practice. Indeed, some go so far as to argue that trade secrets are safer online than they are in a paper-based world because their paths are easier to track. The same can't always be said about a briefcase that is full of documents.

Myth 2: It's Only Paperclips. Who Cares If Someone Sees My Purchasing Information?

As Director of Molecular and Cellular Biology at Texas Biotechnology Corp., Larry Denner is in charge of expanding the company's drug discovery capabilities. e-Commerce finally made an appearance in his highly specialized and sophisticated neck of the woods when ChemNavigator was launched, a B2B site dedicated to the pharmaceutical industry that has taken great pains to ensure security for its users, since privacy is a very important issue for the drug industry. "No one wants a possible competitor to know what they're ordering, because the proprietary information is so valuable," says Scott Hutton, president of ChemNavigator.

Denner, it turns out, is a little more laid-back about it all. "It all depends on the information itself," he says, when asked about his attitude toward security. The compounds he ordered weren't the final molecules that will go into clinical development trials, "and I don't see them as being a real threat if someone else learned about them." At such an early stage of development, he says, "I don't feel this information will give a competitor any substantial advantage." Denner's order of synthetic compounds was basically the equivalent of another company's order of paper clips -- a necessary but ultimately inconsequential purchase.

Indeed, few security specialists will get too worked up over a company that fails to safeguard its maintenance, repair and operations (MRO) data, unless credit card numbers are involved. However, as purchasing becomes more strategic, coordinating closely with research and development, product design and manufacturing, the specialists get a little excited about lax security.

"Use of advanced security is paramount when you are talking about direct materials," Rothman says. This is something that Denner, for instance, readily acknowledges. "We have considered doing more advanced contracts, and that information would have to have a higher level of security. And if we had a clinical development candidate we would be very concerned about security," he says.

But companies should safeguard the details on what would be considered a benign purchase, if only out of habit. If word were to get out about a specially negotiated price, for example, it could put strains on a relationship with a supplier.

The potential for fraud must also be considered, even at this level of transaction, says Alex Milward, senior manager in Andersen Consulting's European e-Procurement practice. The purchase order (PO) that is created by a procurement system can be a legally binding contract, and the buying organization needs to protect itself against an unscrupulous supplier altering the PO. The risk of this happening is low, he says, "but as more buy-sell relationships become electronic, as opposed to personal, it is something that probably will occur more and more in the future."

However, the consequences rapidly rise for more strategic purchases, he says. "As exchanges start to offer collaboration and forecasting services, there will be opportunities to exchange future spend plans between buyers and sellers. It may be possible to discern a company's strategy, especially if there is a significant change in spend or change of suppliers. Exchanges need to be able to protect members' plans, especially when buying members of the exchange are competitors."

"If a company is expanding into new areas or developing new products, the purchasing patterns could be an indicator of future trends," says John Valeri, partner in Ernst & Young's e-Risk Solutions practice in New York. "Supplier inquiries could give a competitor clues as to the projects a company might be working on in the future," says Brian Hardacre, CEO of Supply Side Business Solutions, a consulting company based in Chester, in northern England. "Order information from certain suppliers might give a competitor valuable information, not only on how well the company is performing, but also on what products are selling well. A competitor might also be able to divine the direction of your research and development from information about orders." Indeed, requests for proposals (RFPs) usually contain detailed information about product designs.

Myth 3: The Technology Will Protect Me

Henry Hill, vice president of sales for, remembers the time a guest toured the facility in which the company's server is located. He had military security clearance from the Gulf War, but they wouldn't let him in the room with the server, which is guarded 24 hours a day. "I'm an officer of this company and I can't even get in on my own," Hill says.

Even if a site or system deploys the best that technology has to offer, it is not enough if the proper procedures are not in place. Ironically, an overreliance on technology to protect an e-commerce operation is probably the most common mistake companies make.

"No system is 100 percent safe and that is not necessarily a technology issue," says Kovar. "We are still subject to social engineering issues, like when a user calls up security to say 'Gee, I forgot my password,' and more often than not he gets it by just giving his Social Security number. Humans are fallible and can sometimes be very easily fooled."

Consider digital certificates. Technically -- and now legally -- they are regarded as safe and valid instruments by which a person can identify himself online. The problem is the authentication of the user at the time the certificate is issued. Some issuers require only a name and an e-mail address. Others have higher standards and actually check out the person who is applying for the certificate.

"Security policies need to be all-pervasive throughout an organization," says Roberta Witty, Gartner's research director in information security strategies. In most organizations, they are largely managed only as an information technology (IT) function, she says.

To help companies better allocate IT funding for this area, Gartner Group developed a Total Cost of Ownership model that identifies some 30 key security activities. All of them, Witty says, comprise people, processes and tools, not just technology components.

The best technology is still key to any security strategy. "Basically," Kovar says, "we are always one release or one update behind the latest hacking tools." The point, however, is that companies must not look to technology as a panacea for lax procedures, says SHYM's Rothman.

Myth 4: There's No Way to Tell if a Marketplace is Really Secure

First of all, understand that a marketplace exchange is just as vested in maintaining a secure environment as its members are -- or at least in maintaining the perception of security. "Making sure data is secure is essential to an exchange's longevity," Rothman says. "Even if a competitor has equity interest, an exchange won't be around for too long if word gets out that information has been compromised."

Yet fears and suspicions about exchanges' neutrality remain. Hence the growing popularity of third-party validation -- a neutral company that gives a site its stamp of approval after investigating its security practices. The site is then routinely re-evaluated by the third party, usually every two to three months, to make sure the security procedures are being followed. Not that this is a foolproof guarantee, either. Because the field is so new, no best practices have been established to determine which is the ideal model to follow. "One of the problems is that there is no common set of standards for data protection in these marketplaces," says Valeri, of Ernst & Young, which provides third-party validation. Unfortunately, Valeri says, there are many different ways to protect confidential information, some better than others. Another problem is that most of these third parties are paid by the marketplace exchange itself, which could be perceived as a conflict of interest.

Nonetheless, the demand for such services is growing rapidly. Indeed, advisors are urging clients to look for such seals of approval when considering one exchange over another. "Companies ought to be proactive in getting assurance from a third party about an exchange," says Douglas Cale, principal with Deloitte Consulting in Detroit. "It should be the expectation of members that the exchange can and will demonstrate that the right kind of controls are in place. And if they still are not satisfied they should send in their own auditors."

However, when it comes to the most sensitive of supply chain activities, companies still remain leery of the public exchanges. "Security is really driving the move towards private exchanges," says Matt Porta, partner in charge of e-Market Strategy for PricewaterhouseCoopers in San Francisco. This is a growing trend, especially in the high-tech industry, he says, where information about the supply chain is considered to be very competitive. As online activities become more collaborative, some companies just don't want to risk sharing information in public exchanges, because they still don't trust that their data is really secure.