Students

The weakest link: Keeping your data secure in a collaborative business environment

Few companies operate independently in the Electronic Age, which means that the security vulnerability of every business partner -- outsourcer, client, whatever -- whose computer system has access to yours is a potential portal to your most sensitive data. In a presentation during the "Cultivating and Securing the Information Supply Chain" symposium sponsored by the W. P. Carey School's Center for Advancing Business through Information Technology, researchers described a Department of Defense-funded study on investing in IT security.
2006-10-25
It takes a computer security expert like Ravi S. Behara to explain why the enemy's capture of a U.S. Army Humvee represents a huge threat to the Navy's tactical network. Through its on-board computer, the Army vehicle is linked to the Marine Corps' ground networks. The Marine Corps networks are part of the Navy's tactical networks. Get access to the one, and a back door to all opens, explained Behara, an associate professor of information technology and operations management at Florida Atlantic University in Boca Raton, Florida. The Army Humvee-enemy invader scenario is a simplistic example of "risk propagation," defined as the potential spread, via electronic infection, of a security threat. In a presentation during the "Cultivating and Securing the Information Supply Chain" symposium sponsored by the W. P. Carey School's Center for Advancing Business through Information Technology, Behara and fellow researchers C. Derrick Huang and Qing Hu described a Department of Defense-funded study on investing in IT security. Using iTHINK, a brand of system-dynamic software, they model infection dynamics to see which security precautions work best. "Basically we implement a disease-spread model and apply it to the IT environment," comparing various companies' real-life security against simulated attacks. While Behara and his team study network vulnerabilities, infection rates and how long it takes to completely seal a security breach, other Florida Atlantic University researchers are looking at related topics. For instance, DoD-funded mathematicians are studying cryptology. The bad news Their research couldn't be more cutting-edge. News of frightening IT security breaches appear in the media almost every week: Item: In late June, 2006, someone stole a laptop containing confidential records of 257,800 current and former patients from the emergency room at Vassar Brothers Medical Center in Poughkeepsie, New York. Worried their information had fallen into the hands of identity thieves, thousands of panicky people flooded the hospital's hotline, some threatening lawsuits. Item: a confidential list of 25,000 Pennsylvanians who hold gun permits was mistakenly posted on the Web in September, 2006. The mishap occurred while a computer consultant was building an online records system for the Berks County Sheriff's Office in Reading, Pennsylvania. Item: In May, 2006, an employee of Hummingbird, a Toronto, Canada subcontractor, lost a piece of electronic equipment containing the names and Social Security numbers of 1.7 million customers of its client, Texas Guaranteed Student Loan Corp. of Round Rock, Texas. Item: A hacker broke into the PortTix Website in August, 2006, and accessed credit card information for approximately 2,000 customers who'd ordered tickets online. PortTix processes ticket sales for Merrill Auditorium in Portland, Maine. Item: just three weeks ago, the names, addresses, driver license numbers and Social Security numbers of 8,800 people photographed running red lights in Savannah, Georgia, were found online, where they'd been accessible for at least seven months. Inadequate firewalls on the city's server were blamed for the security breach. Incidents like these illustrate the hydra-headed collaboration common to modern-day business operations, as well as the varying vulnerabilities that distinguish business partners from each other, Behara said. Business owners are looking for danger in all the wrong places, he insisted. Problems at home "People are worried about spreading a computer virus through the Web, but the real threat is the 'secure' environment of your company and its business partners" such as suppliers, outsourcers, third-party vendors and the like, he explained. While larger companies typically spend more money on firewalls and other security measures, small concerns -- like, say, the payroll processing firm that handles your automatic deposits -- have fewer resources to devote to fending off potential attacks. Since both firms are electronically linked, the larger company's security system is affected by the viability of the smaller business' security, from its laptop encryption to its pre-employment screening. "The weakest link will always be found, eventually. An intruder comes in your back door via a smaller partner's looser security. Visualize it as layers of Swiss cheese. Over time, one day, the layers will align so that the holes line up, presenting a vulnerability. This is what happened with the 9/11 terrorists who studied the airlines," even taking practice flights cross-country in the months before the 2001 World Trade Center attacks, Behara said. Small business partners are not only more likely to unknowingly allow an intruder access, they also have fewer resources to bounce back after a devastating security breach, he added -- and sometimes, the smaller partners fold, even if they were not the original access point. The topology of threat While Behara's team won't complete its work for several more months, right now, he's got a cogent piece of advice: companies must blend traditional computer security with business-risk management for best results. Start by sketching out your company's "topology," the maps and sub-maps showing how business functions and electronic transmissions are structured and inter-connected. For instance, the first level of purely IT protection is the firewall, he noted. On the other side of the firewall are the company's servers. A second set of firewalls likely protects applications such as human resource and payroll processes. Farthest back, out of reach, are collaborative platforms with shared information, say, a database holding designs for a new aircraft that your company and Boeing are developing. This knowledge is an essential starting point because "the ability of networks to survive attacks and accidents depends on their topology," Behara said. Using infection dynamics, it is then possible to predict which areas of the company -- even which computers/users -- are vulnerable to particular types of attacks. Behara is studying the finer points of infection spread, density and rate, as well as how to stop the attack's damage by going back to "immunize" computers/users not yet infected. Within another year or so, Behara's team hopes to definitely say "this is how risk propagates between companies working together and this is how you should invest to lessen that risk." He predicts a growing number of businesses will follow the example of Toyota, "a company that spent lots of money on small suppliers, helping them become high-quality performers. They understand that if a supplier screws up on its Toyota component, it's the Toyota finished product that suffers." "Business leaders need to understand that no one is operating alone anymore, so security goes far beyond securing assets," Behara concluded. Bottom Line:
  • Few companies operate independently in the Electronic Age, which means that the security vulnerability of every business partner -- outsourcer, client, whatever -- whose computer system has access to yours is a potential portal to your most sensitive data.
  • News of frightening IT security breaches appear in the media almost every week.
  • While larger companies typically spend more money on firewalls and other security measures, small concerns -- like, say, the payroll processing firm that handles your automatic deposits -- have fewer resources to devote to fending off potential attacks.
  • Mapping a company's "topology" of collaboration within and without your firewalls is an important first step in deflecting security intruders.
KnowIT

Latest news

  • Vietnam aims to strengthen practical training in semiconductor industry

    A W. P.

  • Best airline credit cards

    An ASU agribusiness expert discusses airline miles and what travelers should look for in an…

  • ASU collaboration releases 2024 U.S. Latino GDP Report

    W. P. Carey Dean Ohad Kadan discusses ASU's partnership with the Latino Donor Collaborative.

Get the latest from the W. P. Carey School of Business

Headlines and deep dives
IT news and research
CAPTCHA
This question is needed to prevent spam submissions.

We're committed to your privacy. W. P. Carey uses the information you provide to us only to share our relevant content that you select. You may unsubscribe from these communications at any time. For more information, check out our privacy policy.

B-school tips

Learn more about top-ranked programs from ASU's W. P. Carey programs and get tips to help you succeed.

Request info

Stay in the loop

Keep up to date on the worldwide W. P. Carey alumni community - sign up for the digital magazine.

Subscribe
W. P. Carey School of Business at ASU
W. P. Carey School of Business at ASU

Give

Academics
Departments MBA Degrees Master's Degrees Undergraduate Programs PhD Programs
Connect
Calendar of Events W. P. Carey Jobs School Directory Alumni Recruiters and Corporations Contact
Maps and Locations Jobs Directory Contact ASU My ASU
Repeatedly ranked #1 in innovation (ASU ahead of MIT and Stanford), sustainability (ASU ahead of Stanford and UC Berkeley), and global impact (ASU ahead of MIT and Penn State)
Copyright and Trademark Accessibility Privacy Terms of Use Emergency