Internet Security: What PMs need to know

Just because you

By Anne Millen Porter -- Purchasing, 12/13/2001

Purchasing and supply management professionals don't need to become experts on data security—that's a job for the information technology (IT) people in a company. But as they continue to push forward with various e-procurement, e-sourcing, collaborative design and manufacturing software implementations, data security is an issue that purchasing and supply managers can ill afford to ignore. With that in mind, PURCHASING Magazine asked a group of data security experts to create a primer for purchasing professionals on what they need to think about when evaluating potential e-commerce software and service providers as well as supply chain integration projects with suppliers. Here are their Top 12 "need to knows" on securing sensitive company data in Web-based applications:

1. Data security doesn't exist—at least not 100%.

"Most people believe that somehow you can have absolute security," says Ian Poynter, president of Cambridge, Mass.-based security consulting firm, Jerboa Inc. "But, in reality, there's no such thing as 100% security. Anybody who tells you there is doesn't know what they're talking about."

A sobering thought: Hugh Voight, CEO of Minneapolis-based security consulting firm Espiria says the company, which is often hired to perform system penetration tests (known as "white hat" hacks), has never once encountered a system it couldn't crack. "In some cases, we've succeeded in just 10-15 minutes," Voight says. "The longest has taken a full day." The U.S. Air Force, Voight notes, spends hundreds of millions per year on computer security and still gets hacked 15 times per day on average. "Most companies have no chance of spending that much on data security, so they have to assume they're going to be less secure," Voight says.

2. While data can never be completely secure on the Web, this doesn't mean a company should not take part in e-commerce. Rather, it means the company needs to become very good at understanding the value of its data, the probabilities that its data will become exposed, the costs that might be associated with exposure of the data, and the costs that might be associated with protecting—and overprotecting—the data.

The problem is that applying classic risk management techniques to data can be extremely difficult. For example, while risks associated with using procurement cards for online buys might be easy to document with some precision, there's no science for assessing the probability that a company's competitors might obtain a CAD diagram that has been attached to an electronic RFQ (eRFQ). What's more, there's no science to predict the effect on a company's stock price should it become generally known that its competitors have obtained its CAD diagram or that its information systems have been raided in any one of a hundred other ways.

"There is technology to help you manage, and in some cases, to decrease the risks to data security," says Poynter. "But a technological system of any kind won't help you understand the true value of your information. So, the real first step, in our book, is to step back from technology and assess the value of data. It's a very difficult question, which is one of the reasons most people don't want to answer it."

If this problem alone isn't sufficiently complex, Poynter notes that, "Perceived value of data can be very different from actual value." For example, he says, people inside companies often see employee directories, with names, phone numbers and e-mail addresses, as not very valuable. "But to employment recruiters," he notes, "these directories are gold dust."

The result is that some companies might spend piles of money to secure data that outsiders don't see as particularly valuable. "They may be securing data excessively in order to make themselves feel comfortable," Poynter says.

Espiria's Voight says companies shouldn't become paralyzed by this complexity. "We use a process that evaluates information security requirements on a scale of zero to five (with five being the most secure) according to perceived sensitivity of information." The bad news: While most companies would like to be in the 3.5-4.5 range, Voight says 1-1.5 is the average data security rating earned by the companies and e-commerce service providers that Espiria has evaluated so far. "We haven't found anybody that eclipses the low threes," he notes, "which means security gaps are ubiquitous in the supply chain from customers, to e-commerce service providers, to suppliers." And, while Voight says it's certainly technologically possible to achieve appropriate data security levels, he emphasizes the importance of ensuring that measures adopted are "100% correlated with risks."

Poynter elaborates: "If I'm going to increase my revenues a hundred fold by doing a particular e-commerce application, and there's a risk that 1% of the transactions will be phony, I may not care."
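The valuation exercise this section describes (value of the data, probability of exposure, cost of exposure, cost of protecting and of overprotecting) can be put into a small ledger. The following is an added worked example, not code from the article or from Jerboa or Espiria; every dollar figure and probability in it is constructed for illustration, and the "perceived value" versus "value to a recruiter" pair is there to show Poynter's employee-directory point in numbers.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class DataAsset:
    """One class of data and one proposed control for it.

    All figures are constructed estimates, not numbers from the article;
    in practice they come out of the valuation discussion the text
    describes, not out of a tool.
    """
    name: str
    loss_if_exposed: float         # cost to the company of one exposure
    p_exposure: float              # estimated chance of exposure in a year
    control_cost: float            # annual cost of the proposed protection
    control_effectiveness: float   # share of the exposure risk it removes, 0..1

    def expected_loss(self) -> float:
        """Annual expected loss with no control: value times probability."""
        return self.loss_if_exposed * self.p_exposure

    def risk_reduction(self) -> float:
        """How much annual expected loss the proposed control removes."""
        return self.expected_loss() * self.control_effectiveness


def verdict(asset: DataAsset) -> str:
    """'worthwhile' if the control removes more expected loss than it costs,
    otherwise 'overprotecting' (money spent to feel comfortable)."""
    return "worthwhile" if asset.risk_reduction() > asset.control_cost else "overprotecting"


def assess(assets: List[DataAsset]) -> Dict[str, str]:
    """Verdict for every asset in the ledger, keyed by asset name."""
    return {a.name: verdict(a) for a in assets}


def rank_by_expected_loss(assets: List[DataAsset]) -> List[str]:
    """Asset names ordered by where the expected loss actually sits."""
    return [a.name for a in sorted(assets, key=lambda a: a.expected_loss(), reverse=True)]


# Constructed ledger. The directory appears twice: once at the value staff
# inside the company put on it, once at the value a recruiter would.
LEDGER = [
    DataAsset("CAD drawing attached to eRFQ", 2_000_000, 0.05, 30_000, 0.7),
    DataAsset("procurement card numbers", 20_000, 0.20, 1_500, 0.8),
    DataAsset("employee directory (perceived value)", 5_000, 0.40, 10_000, 0.9),
    DataAsset("employee directory (value to a recruiter)", 200_000, 0.40, 10_000, 0.9),
]

if __name__ == "__main__":
    for name, v in assess(LEDGER).items():
        print(f"{v:>14}  {name}")
    print("largest expected loss first:", rank_by_expected_loss(LEDGER))
```

The same control on the same directory comes out as "overprotecting" at the insiders' valuation and "worthwhile" at the recruiter's, which is the point: the arithmetic is easy, the valuation is the hard part, and the model is only as good as the estimates fed into it.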

3. Responsibility for data security should not be turned over entirely to the IT organization in a company.

When it comes to data security, companies are most often afraid of three things:

  • Direct or indirect financial loss,
  • Loss of brand value to customers in the event of an embarrassing incident, and
  • Possibility that some misuse of a system might result in liability for the corporation.

The key is that all three are primary concerns, not of the IT organization, but rather, of the company's CFO and legal counsel. Businesses simply need to assume that some people inside and outside their organization are not completely trustworthy, and no technology can solve that problem. High-level managers need to set the tone to approach data security from a total business context and not just a technology perspective.

Poynter agrees: "Information security is perceived to be an IT problem, but it's really a corporate problem." And this is especially true in organizations that don't have a person at the executive level that manages technology (a CIO, for example).

"Someone in IT," Poynter says, "might think it unlikely that industrial espionage would occur against their company, but the executive management team may know of three cases in the last year that have been carefully hushed up." To illustrate his point, Poynter tells the story of one client that had received a call from the chief executive of its arch competitor. The competitor, it turns out, had been buying—from a "strategic consulting firm"—intelligence that, it felt, was far too precise and too accurate to have been obtained legally. Subsequent investigation revealed that the client's vice president of marketing had been funneling the data to a third party and splitting the profits on its sale. "This was not a story they were going to share with IT employees," Poynter says. "So, to understand the risk that someone may try to steal information requires input from many different parts of a company."

4. The risk of data falling into the wrong hands depends on how well a system is designed—from day one—for security.

Data security has countless dimensions (see graphics), and while purchasing execs don't need to become experts, they certainly need to be asking some pointed questions when screening potential e-commerce service providers.

A good one to start with: At what point in the design of their software or network system did the e-commerce software or service provider start thinking about data security?

"Too many companies," observes Steve Brooke, CIO of Atlanta-based e-RFQ provider Procuri, "have taken a Band-Aid approach to data security. Instead of designing security into their systems, they're spending money after the fact on solutions that protect them at the periphery—the point of entry—to their systems."

The danger with this approach, according to Brooke and many other data security experts, is that hackers, once through these peripheral defenses, can end up with free run of a system and all its data. "It's a mistake," says Brooke, "to focus all your security efforts on the same point where hackers are focusing their attention."

Sundar Raghavan, director of product marketing for Ariba, which helps companies manage spend, says the same thing. "Security needs to be built in from the ground up. And this is especially important for hosted applications," he says.

5. "Holistic" is a term many experts use to describe good security architecture, but this is the ideal—not the reality—in today's e-commerce marketplace.

Last year, when PURCHASING Magazine was compiling its E-CENSUS listing of e-commerce software and service providers, it asked each company to describe the mechanisms they had in place to protect clients' data. The overwhelming number of responses focused on two aspects: firewalls and encryption.

But these measures, according to the security experts, guard only the perimeter of a system and don't account for what might happen when a person crosses the border—as they must do routinely in Internet-based systems.

Anup Ghosh, author of E-Commerce Security: Weak Links, Best Defenses (Wiley, 1998) and Security and Privacy for E-business (Wiley, 2001), and vice president of research with Cigital, based in Dulles, Va., points out that, "Most computer break-ins occur when people take advantage of flaws that are written into software code." The e-mail-based viruses and worms that have been wreaking havoc in corporate computer networks are good examples of this phenomenon.

Ideally, Ghosh says, "software people would be thinking about security from the very beginning. Security would be built into applications, which is much less expensive than fixing software after the fact." In reality, however, he says, "There's too much pressure in the industry to get products out the door quickly." And, very often, he notes, legacy applications that were never designed to be open systems are now being offered via the Web.

"Software people don't usually find religion about security until they've been burned once," Ghosh says. So he advises purchasing execs to take a careful look at the measures their software and applications service providers (ASPs) have in place for protecting data from people who get past the usual perimeter security. "Assuming someone has gotten through the external layers, how do they prevent people from misusing their software? What measures do they have in place for disaster recovery?"

What's more, he says, purchasing execs need to make sure their e-commerce providers have specific procedures in place for staying up-to-date about known security vulnerabilities in the software they are deploying, obtaining patches—fixes written after the fact—from software developers, and applying the patches consistently and appropriately.

There are a variety of fronts on which network security defenses are built, but just as quickly there are hackers finding ways to penetrate those networks. Information on security vulnerabilities can spread worldwide very quickly and while the software makers monitor these things closely, and usually provide patches very quickly, the problem comes when a company's overworked systems administrators obtain and apply patches only sporadically or do so inappropriately.

On the software issue, Jerboa's Poynter says there are people looking for ways to statistically analyze security vulnerabilities with an eye to developing actuarial tables that could, for example, predict the likelihood of a common security vulnerability occurring per thousand lines of code. Software developers, he says, might use the data to build better security into computer applications at the ground level. "The software developer would be in a position to say 'The normal risk of X common security vulnerability is Y per Z lines of code, so what are we going to do to reduce our risk?'" But Poynter admits that even this small step to establishing a science for data risk management "is very much in its infancy" and doesn't address the larger problem of how to value a company's data.

6. The security of an information system is only as strong as its weakest link.

The great e-commerce vision is to have hundreds, even thousands, of interconnected information networks, but the risks of security breaches proliferate with each new layer of complexity, so the security evaluation process must be ongoing. For example, every time an ASP takes on a new partner, the client should be interested in the security vulnerabilities the new partner might bring to the table. Purchasing execs should be particularly wary of ASPs that don't ask them a few questions about their own security policies and procedures as well as making some simple requests as to how their people should behave when using the system.

"Any time we open a port between ours and another system, it creates another opportunity for someone to intrude into our system," says Brooke of Procuri. "So, for us to integrate with a client, we're going to need to feel very confident that they're secure. We're going to be looking for policies and controls before we'll build an interface to start exchanging data."

According to Espiria's Voight, the propagation of risk can be especially troublesome when companies merge with or acquire other companies. "What may have been a very secure environment may be very insecure after the merger or acquisition."

Jay Chaudry, founder and CEO of Core Harbor, an Atlanta-based ASP that hosts Ariba's e-procurement software, and founder of Secure IT, a security firm now owned by VeriSign, says one of the first things he looks at are a client's policies regarding security. "The assessment has to go both ways because we are moving information in both directions. The biggest thing I would like to influence," he adds, "is clients' authorization and authentication policies."

Still, Chaudry believes the propagation of risk should not prevent companies from creating network integration points with their suppliers and customers. "It is not as if someone breaks the security at one point, they will then have free run of our entire network."

By way of example, Chaudry notes that Ariba's punch-out capability allows a user to go to Dell and configure a laptop that he or she wants to buy. "If Dell gets compromised that doesn't mean the hacker can come to our site. We don't even allow two-way access." Rather, he says, Core Harbor gives Dell an ID and password. Based on that, Dell allows the user into its network to configure a laptop and then returns a shopping cart to Core Harbor. "The access is narrow and well defined. The only thing that can come back is a shopping cart. Anything else would set off the alarm bells," Chaudry says.
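What "the only thing that can come back is a shopping cart, anything else sets off the alarm bells" looks like at the integration point is a validator that accepts exactly one message shape and alerts on everything else. The block below is an added example written for this article; it is not Core Harbor's or Ariba's code, and the message format (JSON with `message_type`, `session_id` and `items`) and every field name are assumptions, not the actual punch-out format. The sample replies are constructed, not captured traffic.

```python
import json
import re
from typing import Any, List, Tuple

# The only inbound document the integration accepts, with a fixed field set.
# Assumption: these names are illustrative, not a real punch-out schema.
EXPECTED_TYPE = "ShoppingCart"
CART_FIELDS = {"message_type", "session_id", "items"}
ITEM_FIELDS = {"sku", "description", "quantity", "unit_price"}
SKU_RE = re.compile(r"^[A-Za-z0-9-]{1,40}$")
MAX_ITEMS = 100

# Stand-in for the alarm bells: a real system would log and page an operator.
alerts: List[str] = []


def _reject(reason: str) -> Tuple[bool, str]:
    alerts.append(reason)
    return False, reason


def _item_problem(item: Any) -> str:
    """Return '' if the line item is acceptable, else the reason it is not."""
    if not isinstance(item, dict) or set(item) != ITEM_FIELDS:
        return "item has unexpected field set"
    if not isinstance(item["sku"], str) or not SKU_RE.match(item["sku"]):
        return "bad sku"
    if not isinstance(item["description"], str) or len(item["description"]) > 200:
        return "bad description"
    if type(item["quantity"]) is not int or item["quantity"] <= 0:
        return "bad quantity"
    price = item["unit_price"]
    if isinstance(price, bool) or not isinstance(price, (int, float)) or price < 0:
        return "bad unit_price"
    return ""


def validate_cart(raw: str, expected_session: str) -> Tuple[bool, str]:
    """Accept a well-formed cart for the session we opened; reject all else.

    The field set must match exactly (extra fields are as suspicious as
    missing ones), the message type must be the one we expect, and the
    session id ties the reply to a session this side actually started.
    """
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError:
        return _reject("not JSON")
    if not isinstance(doc, dict) or set(doc) != CART_FIELDS:
        return _reject("unexpected top-level fields")
    if doc["message_type"] != EXPECTED_TYPE:
        return _reject(f"unexpected message type {doc['message_type']!r}")
    if doc["session_id"] != expected_session:
        return _reject("session id does not match the session we opened")
    items = doc["items"]
    if not isinstance(items, list) or not 1 <= len(items) <= MAX_ITEMS:
        return _reject(f"items must be a list of 1..{MAX_ITEMS} entries")
    for item in items:
        problem = _item_problem(item)
        if problem:
            return _reject(problem)
    return True, "ok"


# Constructed sample replies (not captured traffic).
_ITEM = {"sku": "LT-1234", "description": "14in laptop", "quantity": 2, "unit_price": 1899.00}
GOOD_CART = json.dumps({"message_type": "ShoppingCart", "session_id": "sess-42", "items": [_ITEM]})
EXTRA_FIELD = json.dumps({"message_type": "ShoppingCart", "session_id": "sess-42",
                          "items": [_ITEM], "callback_url": "http://example.invalid/hook"})
WRONG_TYPE = json.dumps({"message_type": "ConfigUpdate", "session_id": "sess-42", "items": [_ITEM]})

if __name__ == "__main__":
    for label, msg in [("good", GOOD_CART), ("extra field", EXTRA_FIELD), ("wrong type", WRONG_TYPE)]:
        print(f"{label:>12}: {validate_cart(msg, 'sess-42')}")
    print("alerts raised:", alerts)
```

The design choice worth noting is the exact-match on field sets rather than "at least these fields": a partner that starts sending something new, whether by upgrade or by compromise, shows up as an alert on this side instead of silently passing through.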

"In an ideal world," says Poynter, "the ASP will have some idea about the minimum level of security a client should be imposing on itself. But the world is not ideal and ultimately, a company has to look after its own data."

7. IT security systems are like safety guards on industrial machinery. You have to make sure people use them.

"The end user," says Brooke of Procuri, "is very concerned about security up to the point where it constrains their ability to use and manipulate a system easily. So, the designers of a system need to be concerned about balancing strong security features with flexibility and functionality for users."

Core Harbor's Chaudry says, "Good companies do what we call tiered security architecture, which is really a series of hurdles a person has to leap before they can access valuable data, plus real-time monitoring to catch anyone who might be trying to leap the hurdles." However, Chaudry notes that this type of security "can be very hard on the performance of applications. If they become too slow, people will not use them. So you need to balance the need for performance and ease of use with how secure you want to make the system."

Usability, agrees Poynter, is a big problem with security. "If security mechanisms are not usable, then people find ways to go around them or they refuse to use the system altogether." Example: "If you're building a system that is going to be used by 10 partners, then 10 partners with 10 tokens and 10 somewhat awkward mechanisms to get in can be offset with training, a usability study and various other mechanisms. But if you're dealing with 10,000 users, then tokens start to be a real problem and other mechanisms start to become more useful."

8. The most dangerous attack is the one you never know happened.

"There are two kinds of attacks," Poynter says. First, there are the in-your-face, graffiti-style attacks that are usually, but not always, perpetrated by people with axes to grind or by what Poynter refers to as "script kiddies"—people who've downloaded programs that exploit particular problems and are just having fun "tweaking the noses of big corporations."

Graffiti attacks, Poynter says, are actually the best kind "because you know they happened. They jog you into action."

A second, far more insidious kind of attack, according to Poynter, can be loosely termed "espionage" because the perpetrator does not want to be found. "When someone steals your car," Poynter says, "you know it's gone. But with electronic information it's like someone stealing your car and leaving a copy of it behind. With a car, you wouldn't care, but the value of information is in the bits. Consequently, it's very difficult to assess your true risk."

The Computer Security Institute and the San Francisco office of the FBI's Computer Intrusion Squad poll IT managers annually about the number of data security incidents their companies have experienced in the past year. The latest survey shows that 85% of respondents (primarily large corporations and government agencies) detected computer security breaches in the past year. Sixty-four percent of respondents acknowledged financial losses due to the breaches. "The problem," says Poynter, "is they're measuring only incidents that were detected. So we have to extrapolate from those figures and assume there are more breaches happening, but we don't know how many."

The best thing a company can do, Poynter says, apart from monitoring its systems and looking for instances of suspicious behavior, is to base its assumption of how likely it is that someone will break in on the perceived value of the information they are likely to try and obtain.

9. Choosing to keep everything in-house or "behind a firewall" is not necessarily the best route to data security. In fact, ASPs that pay a great deal of attention to security may be far more secure places to store data than internal, legacy computer systems that were designed long before the Internet or security came into play.

"Hosting your own e-procurement system," says Cigital's Ghosh, "won't necessarily make you more secure. Few companies have the know-how to configure systems securely and they certainly don't know how to write software securely. In fact, you can make a good argument that it's better to use ASPs that have good security policies and controls. The ASP will have people whose sole job it is to worry about security and who have the most up-to-the-minute information to do this."

"It may be better to outsource to a company that has experience and really understands security," Poynter says. "But a company needs to have the tools to make sure that's really true. We've helped our customers work with different outsourced services to assess their security and sometimes I come away feeling really happy and other times I come away saying 'Don't touch it!'"

Says Core Harbor's Chaudry: "It's true that if an ASP understands security and has a focus on it, they can do a better job than a typical large company. At Secure IT we conducted well over 200 security tests as if they were coming from outsiders and there was not a single case where we were not able to compromise a system." While he notes that companies have become more focused on information security since that time, he says, "There are still quite a few holes sitting out there."

10. Security 'carpetbaggers' are everywhere, so companies need to be wary of the so-called experts they let into their systems. The best security experts take a broad view and don't place too much emphasis on any one aspect.

Raghavan of Ariba says: "Our customers take security seriously. Very often, they hire security consulting firms that make strong recommendations around encryption and data security, but in addition to these strong measures, companies sometimes forget to focus on simple things such as teaching good security practices to users of a system."

Says Poynter: "A frustration for ASPs is that their clients are justifiably picking holes in what they're doing from a security standpoint. The problem is they often run into 'experts' who want to go down a rat hole about a particular issue that isn't as important as it might seem."

There is also what Poynter refers to as the 'kids with clipboards' problem in security auditing. "The approach works well for financial auditing because you need checklists and standard things to look at. But, where information security is concerned, auditors wielding checklists with no real experience to draw upon can often pass systems with very serious security holes."

And while most experts say companies should insist on third-party security audits for their e-commerce service providers, the most security-conscious service providers are likely to put up some resistance or at least request roles in choosing their testers. For example, Procuri's Brooke remarks that "Some of the most notorious hacking episodes have been perpetrated by people claiming to be security specialists attempting to prove a site has security holes. We need to be very careful about the people we invite in to audit our security or to conduct intrusion tests."

11. The notion of data security needs to be expanded to include both privacy and portability of data.

As Cigital's Ghosh points out: "It's not clear which of the many e-commerce software and service providers are going to survive over the long term. If I am going to put my business in someone else's hands, my approach to security needs to look at the likelihood they will stay in business, because with industry standards lacking, data portability becomes a big issue."

"The hosting idea really terrifies me," says Jerboa's Poynter. "The first question out of my mouth is 'How do I get my data out of your system if I decide not to use it anymore?' The answer is always: 'We'll do such a good job that no one will ever want to leave.' But there are many reasons a company might need to retrieve its data. Say, for example, it's splitting in two. Service providers need to give people information about how they're going to get data out of a system in a format they can use, so they can properly assess their decommissioning costs."

The rules also remain unwritten as to what ASPs can or will do with the data they collect and aggregate about transactions that occur over their networks. While such data aggregation and "market intelligence" activities may not be malicious, they certainly fall under the purview of security for client companies.

As Poynter sees it: "Some ASPs may believe they own your data and that perception needs to be corrected. Even if you agree to share data—statistical, demographic or whatever—with an ASP, you need to be clear about what the ASP owns. You need to make sure the ASP's activities don't violate any privacy policies you've set up for yourself."

12. Risks to data security are rising because the Internet is concentrating large quantities of data in specific locations.

A company's Internet connection is a likely target for hacking. The Computer Security Institute/FBI poll finds more than 70% of respondents citing their company's Internet connection as a frequent point of attack, up from 59% in 2000, while only 31% cited internal systems as a point of attack in 2001. And when five or 10 companies in a given industry start using a single electronic trading exchange, the potential reward for breaching the exchange's security rises astronomically in relation to the reward for hacking just one of those companies.

Wherever there is concentration of data, says Raghavan of Ariba, there is an increased risk of attack. "That's why we've made sure there is not one key that opens everything in our system."

But as Poynter sees it: "We have a tendency to assume that technology is to blame for the problem instead of just being something that makes it worse.

"People have been shuffling paper for years. Now that the information is electronic, there is a perceived increased risk. And there probably is an increased risk because now it's more easily accessible. But there's also the risk that someone sends something to a printer and leaves it sitting there. That's the paper progeny. It's sort of the Mr. Deutch-leaving-the-CIA-files-on-his-home-PC problem. The CIA can do all it wants to secure its network but if someone copies those files onto a disk, then manages to take it out of the building and puts the files on his or her home computer, the CIA is now as secure as the home computer instead of the wonder system they have built with guards at the door."

The key, Poynter argues, is balance. "It's important not to allow yourself to be whipped into a hysteria based on technology alone. Remember, it's not a technology problem. It's a data management problem, which is a corporate information problem. I'd love to say do these five things and everything will be fine, but security is almost entirely gray. It requires an understanding of the functioning of people."

Poynter says much of the value he provides to clients comes from simply "spending a day with the right people in a room and brainstorming about the value of information, about the kinds of users a system will have, about what restrictions can be placed on them, what processes can be applied, how the processes can be enforced, how much control is possible, and how much control they are prepared to give up."

David Hannon also contributed to this report.


Want to lose your data? Here's how!

Inside the castle walls: Security concerns from within your organization
  • Employees use obvious passwords like children's names or birthdays. Or they write passwords down and leave them in easy-to-find locations
  • Naïve employees are tricked into revealing their passwords to hackers
  • Unethical employees sell data or access to the network
  • Employees leave workstations logged into networks when away from their desks or overnight, potentially giving access to nonemployees (such as cleaning crews, delivery people)
  • Data is not backed up and stored offsite
  • Unsecured backup tapes are simply stolen
Unsafe suppliers: Security concerns in network communications with suppliers
  • Unethical suppliers' reps hack into competitors' pricing and/or other data in your system
  • Hacker intercepts data in transit between your company and a supplier
  • Hacker gets password from naïve or unethical supplier rep who has access to your system; enters your system as poseur.
  • Hacker hacks into supplier's insecure network, which is integrated with yours.
ASPing for trouble: Potential security issues with ASPs
  • Applications service provider (ASP) leaves security holes in systems or software, exposing you to risks from hackers, viruses, worms, etc.
  • ASP compiles and publishes aggregated client data that inadvertently reveals too much
  • ASP houses many clients' data on single servers, making it more difficult to protect
  • ASP's network isn't ready for the traffic it achieves
  • ASP has disgruntled former employee capable of hacking into its system

Protecting data

Below are some obvious and perhaps not-so-obvious things that can be done to improve the security of data flowing across the Internet.

  • Limit access to data with passwords, permissions, policies and session timeouts
  • Use confidentiality and privacy agreements with suppliers and ASPs
  • Use distributed firewalls, monitor system activity in real time, use tiered network architecture and bury data deeply
  • Use third-party audits to test security
  • Look for software that is written with security in mind
  • Have documented procedures for applying patches to fix software security holes
  • Implement physical security measures for servers such as guards, fireproof and locked facilities, backup power sources
  • Use geographically dispersed parallel sites to house data and applications
  • Encrypt data communications
  • Implement digital certificates or public key encryption to authenticate both data and people accessing a system
  • Pay extra to house data on isolated servers
  • Limit/control systems-integration points and limit types of data that can be transferred between systems
  • Create data portability plan
  • Evaluate data security continuously

Learn more

http://cspc.ncls.nist.gov

NIST's Computer Security Resource Center

www.cerias.purdue.edu

Center for Education and Research in Information Assurance and Security at Purdue University

www.isse.gmu.edu/~csis/

Center for Secure Information Systems at George Mason University

www.gocsi.com

Online home of the member-based Computer Security Institute

www.asisonline.org

American Society for Industrial Security
