Industry View

Don't Mind Your Own Business

Your information security may be great, but what about all the other players in your extended enterprise?

By Kerry Bailey

December 06, 2006 — CSO —

To say that the last few decades have introduced major changes to modern organizations, and the environment in which they operate, would be an understatement.

One of the more notable trends is a shift away from isolated, "vertical" enterprises to highly collaborative "horizontal" networks of partners, suppliers, vendors and contractors that form what has come to be known as the extended enterprise. Fueling this transition is a need to remain competitive in an environment of rapid technological advancement, volatile markets and increasing global competition.

With today's organizations increasingly relying on the Internet for their internal and external business operations, any security decisions they make can have a serious impact on their partners. At stake is the overall security of the information infrastructure for the thousands of suppliers, collaborators and channel partners they interact with as part of the extended enterprise.

Although this business model brings numerous benefits to the organization, it comes at a price. The extended enterprise is reliant upon communication and accessibility among partners, which requires that higher levels of IT interconnectivity be maintained to facilitate these needs. By eliminating traditional layers of separation between organizations, IT-facilitated collaboration has simultaneously improved the ability to remain competitive while increasing exposure to an array of partner-related information security risks.

With each organization in the extended enterprise requiring access to critical business information such as product specifications, marketing plans and vast amounts of transactional data on product sales and movement within the supply chain, managing the security of this sensitive information flowing across the extended enterprise is a significant and under-researched topic.

Outsourcing and globalization are only adding to the complex security issue. In many industries, competition is quickly changing from firm against firm to extended enterprise against extended enterprise. Yet against this backdrop, companies are still making decisions about security with very limited information about the threats their systems face, the strength their systems offer to combat these threats and intrusions and the efficacy of additional security measures.

According to a recent survey by Cybertrust of more than 200 organizations worldwide, three-quarters of organizations felt that their business partners increased their levels of information security risk. It also found that some 13 percent of organizations terminated a business partnership because of information security concerns.

One participant in the Cybertrust survey summed it up with the following observation:

We get infected because partners are not keeping their machines up to date with anti-virus and OS patches. This is a real problemour IT department doesn't have control over what they do, yet we suffer the consequences of their poor practices.