Skip Links

Corporate security threats many times come from customers, business partners

Companies wonder: Is the guy we do business with secure?

By , Network World
April 26, 2011 04:15 PM ET

Network World - While a company can do everything possible for its own network security, in the age of e-commerce and online banking that's not enough. Increasingly, IT managers have to ask, Is the guy we do business with the loose wire in security?

The answer may be "yes" because the customer, client and trading partner isn't meeting expectations about secure data-sharing, such as using encryption to shield sensitive information. And when their PCs are hijacked by cybercrooks or their employees transmit sensitive data in a way that violates regulatory statutes, suddenly it's your company's problem, too.

MORE ON SECURITY: 20 hot IT security issues

In healthcare, data related to personal health information (PHI) and personally identifiable information (PII) which is transmitted to business partners has to be kept confidential through encryption, notes Richard DeRoche, corporate director of information technology at for Lutheran Life Communities. The healthcare provider, with eight locations and 1,600 employees, provides older adults with retirement facilities, home care and nursing services in Illinois, Indiana and Florida.

But when Lutheran Life Communities installed a data-loss prevention device -- in this case, one from Palisade Systems -- to make sure PHI and PII data transmissions were sent correctly, the big shock was the discovery that it was business partners that had issues.

"85% to 90% of the violations are inbound," says DeRoche, noting that while employees at Lutheran Life Communities were, by and large, following instructions about encrypting sensitive data, the healthcare provider's business partners and even a state agency were the ones making the most mistakes in that regard.

That ignited debate in the legal division at Lutheran Life Communities as to whether the company should even be accepting email that appears to violate rules such as HIPAA and the HITECH Act, regulations that carry punishment and fines for violations.

DeRoche says the company has decided to start sending warning messages back to the originators of email that violates its security and privacy policy, saying the company can't willingly accept the messages in their current form. He notes there's a need to establish more business-partner agreements where these type of data-protection issues are spelled out in advance.

Lutheran Life Communities, which like many firms has not found it easy to establish a way to get myriad business partners using encryption, set up Microsoft SharePoint as an external portal intended for business partners to share confidential data with the company. It's a password- and encryption-based system that works but is a tad "awkward" for end users, DeRoche notes.

Banking is another industry where mistakes made by others have an unwanted impact.

Cybercriminals are proving adept in tricking both retail and corporate online banking customers, sometimes carrying out elaborate scams to lure victims to fake phishing sites to steal account information or even hijacking PCs with Trojan software to make fraudulent transactions through Automated Clearinghouse (ACH) services.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News