fullsizeoutput_1e.jpeg

The weakest link: Keeping your data secure in a collaborative business environment

Few companies operate independently in the Electronic Age, which means that the security vulnerability of every business partner — outsourcer, client, whatever — whose computer system has access to yours is a potential portal to your most sensitive data. In a presentation during the "Cultivating and Securing the Information Supply Chain" symposium sponsored by the W. P. Carey School's Center for Advancing Business through Information Technology, researchers described a Department of Defense-funded study on investing in IT security.

It takes a computer security expert like Ravi S. Behara to explain why the enemy's capture of a U.S. Army Humvee represents a huge threat to the Navy's tactical network. Through its on-board computer, the Army vehicle is linked to the Marine Corps' ground networks. The Marine Corps networks are part of the Navy's tactical networks. Get access to the one, and a back door to all opens, explained Behara, an associate professor of information technology and operations management at Florida Atlantic University in Boca Raton, Florida.

The Army Humvee-enemy invader scenario is a simplistic example of "risk propagation," defined as the potential spread, via electronic infection, of a security threat. In a presentation during the "Cultivating and Securing the Information Supply Chain" symposium sponsored by the W. P. Carey School's Center for Advancing Business through Information Technology, Behara and fellow researchers C. Derrick Huang and Qing Hu described a Department of Defense-funded study on investing in IT security. Using iTHINK, a brand of system-dynamic software, they model infection dynamics to see which security precautions work best.

"Basically we implement a disease-spread model and apply it to the IT environment," comparing various companies' real-life security against simulated attacks. While Behara and his team study network vulnerabilities, infection rates and how long it takes to completely seal a security breach, other Florida Atlantic University researchers are looking at related topics. For instance, DoD-funded mathematicians are studying cryptology.

The bad news

Their research couldn't be more cutting-edge. News of frightening IT security breaches appear in the media almost every week:

Item: In late June, 2006, someone stole a laptop containing confidential records of 257,800 current and former patients from the emergency room at Vassar Brothers Medical Center in Poughkeepsie, New York. Worried their information had fallen into the hands of identity thieves, thousands of panicky people flooded the hospital's hotline, some threatening lawsuits.

Item: A confidential list of 25,000 Pennsylvanians who hold gun permits was mistakenly posted on the Web in September, 2006. The mishap occurred while a computer consultant was building an online records system for the Berks County Sheriff's Office in Reading, Pennsylvania.

Item: In May, 2006, an employee of Hummingbird, a Toronto, Canada subcontractor, lost a piece of electronic equipment containing the names and Social Security numbers of 1.7 million customers of its client, Texas Guaranteed Student Loan Corp. of Round Rock, Texas. Item: A hacker broke into the PortTix Website in August, 2006, and accessed credit card information for approximately 2,000 customers who'd ordered tickets online. PortTix processes ticket sales for Merrill Auditorium in Portland, Maine.

Item: Just three weeks ago, the names, addresses, driver license numbers and Social Security numbers of 8,800 people photographed running red lights in Savannah, Georgia, were found online, where they'd been accessible for at least seven months. Inadequate firewalls on the city's server were blamed for the security breach. Incidents like these illustrate the hydra-headed collaboration common to modern-day business operations, as well as the varying vulnerabilities that distinguish business partners from each other, Behara said. Business owners are looking for danger in all the wrong places, he insisted.

Problems at home

"People are worried about spreading a computer virus through the Web, but the real threat is the 'secure' environment of your company and its business partners" such as suppliers, outsourcers, third-party vendors and the like, he explained.

While larger companies typically spend more money on firewalls and other security measures, small concerns — like, say, the payroll processing firm that handles your automatic deposits — have fewer resources to devote to fending off potential attacks. Since both firms are electronically linked, the larger company's security system is affected by the viability of the smaller business' security, from its laptop encryption to its pre-employment screening.

"The weakest link will always be found, eventually. An intruder comes in your back door via a smaller partner's looser security. Visualize it as layers of Swiss cheese. Over time, one day, the layers will align so that the holes line up, presenting a vulnerability.

This is what happened with the 9/11 terrorists who studied the airlines," even taking practice flights cross-country in the months before the 2001 World Trade Center attacks, Behara said. Small business partners are not only more likely to unknowingly allow an intruder access, they also have fewer resources to bounce back after a devastating security breach, he added — and sometimes, the smaller partners fold, even if they were not the original access point.

The topology of threat

While Behara's team won't complete its work for several more months, right now, he's got a cogent piece of advice: companies must blend traditional computer security with business-risk management for best results. Start by sketching out your company's "topology," the maps and sub-maps showing how business functions and electronic transmissions are structured and inter-connected. For instance, the first level of purely IT protection is the firewall, he noted. On the other side of the firewall are the company's servers.

A second set of firewalls likely protects applications such as human resource and payroll processes. Farthest back, out of reach, are collaborative platforms with shared information, say, a database holding designs for a new aircraft that your company and Boeing are developing. This knowledge is an essential starting point because "the ability of networks to survive attacks and accidents depends on their topology," Behara said. Using infection dynamics, it is then possible to predict which areas of the company — even which computers/users — are vulnerable to particular types of attacks.

Behara is studying the finer points of infection spread, density and rate, as well as how to stop the attack's damage by going back to "immunize" computers/users not yet infected. Within another year or so, Behara's team hopes to definitely say "this is how risk propagates between companies working together and this is how you should invest to lessen that risk."

He predicts a growing number of businesses will follow the example of Toyota, "a company that spent lots of money on small suppliers, helping them become high-quality performers. They understand that if a supplier screws up on its Toyota component, it's the Toyota finished product that suffers."

"Business leaders need to understand that no one is operating alone anymore, so security goes far beyond securing assets," Behara concluded.

Bottom Line:

  • Few companies operate independently in the Electronic Age, which means that the security vulnerability of every business partner — outsourcer, client, whatever — whose computer system has access to yours is a potential portal to your most sensitive data.
  • News of frightening IT security breaches appear in the media almost every week.
  • While larger companies typically spend more money on firewalls and other security measures, small concerns — like, say, the payroll processing firm that handles your automatic deposits — have fewer resources to devote to fending off potential attacks.
  • Mapping a company's "topology" of collaboration within and without your firewalls is an important first step in deflecting security intruders.

Latest news