Watch out for collaborative business risks

Quick Take on the Risk


Digital collaboration between companies depends on commercial trust and trustworthy systems.
Strong security is essential if you allow outsiders to connect to your systems, especially if you use a web-based front end.
Online collaboration can increase customer satisfaction while reducing your costs.

Business to business security

Business depends on collaboration between companies, but when they connect electronically, that collaboration becomes much more efficient and a bigger security risk. Good planning, design and clever software are needed to do it safely.

The Poupart Group are one of the country's leading fresh produce companies. Working with Tectura, a Microsoft Partner, they introduced a system that lets growers upload forecasts of production onto their business planning software over the internet using a website. It also lets them link to supermarkets using electronic document interchange (EDI). This automation contributed to a 45 per cent increase in turnover and a reduction in costs and headcount. Digital collaboration works.

However, systems like this rely on multi-layered security. On a basic level, company networks and computers need to be protected against intruders, viruses and spyware. Systems housing business-critical servers need a higher level of redundancy than an everyday laptop or PC. Controlling access is vital, and companies need strong barriers to keep the public internet and their private databases apart.

Secure communications

For business to business collaboration to work, you need trust at two levels. The companies must trust one another on a business level and they must trust the infrastructure. "The two go hand in hand," says Richard Hall, CTO of Avanade UK, an IT consultancy that was formed in 2000 as a joint venture between Microsoft and Accenture.

The work really starts at the point where different companies communicate. EDI often eschews the internet altogether, relying on leased lines or telephone connections. When it does use the internet, as the Bolero paperless trading system does, robust encryption and authentication are required. When, as with Poupart's growers, information is entered on a web front end, extra steps are required to separate the web server that collects the data from the SQL server where the company database is kept. Typically, no data is accessible outside the firewall, and the only connection allowed through the firewall is the one that lets the web server talk to the database. This keeps outsiders out.

In supply chains, one company is usually dominant. It may be the main middleman (for example, a big distributor) or the ultimate buyer (such as a supermarket). The dominant player will set security policies and cascade them up and down the supply chain. This is a kind of enlightened selfishness. IT risks to a key supplier threaten the buyer as much as the seller.

There's a famous New Yorker cartoon from the dot.com era that shows a dog using a computer. He says "on the internet, no-one knows you're a dog." However, when it comes to big money deals online, you had better know who you are dealing with. This is why authentication is such a big issue.

One company in a supply chain will also take it upon itself to maintain directories of users, authenticate them and issue certificates or other means by which users can prove they are who they say they are. A user name and a password may be sufficient to buy one book on Amazon, but if you're buying ten thousand pounds' worth of books, you might expect everyone involved to use something like a smartcard, digital certificate or cryptographic token to identify themselves.

Sharing and caring

Anglia Business Solutions helped Anglia Telecom (no relation, despite the similar name) to move to a self-service model for its dealers. They can look up the technical specs of mobile phones and, more importantly, see what phones are in stock, place orders and see when customers activated their phones and, hence, when they would be paid their commission. In the past, checking this information tied up a telephone operator. Now 60 per cent of their business is done online, and the system is saving dealers time and Anglia money.

Business to business ecommerce is not the only form of inter-company collaboration. Simply sharing information with partners, say in a joint venture or R&D collaboration, is vital. The trick here is portion control. Don't share too much; don't share too little.

"The ultimate aim is to have people help themselves to information that you would normally supply," says David Hurley, MD of Anglia Business Solutions. The objective is to reduce the cost to serve by making your data available online and having customers and partners get it themselves. The first order of business is to get a handle on your internal systems. How well structured is your data? If your internal systems are good, then categorising and sharing some of your data will be straightforward. Get it wrong and you could end up giving out the wrong prices or information to the wrong people.

Secure gateways

As most company-to-company communication takes place over the public internet, the gateways between the internet and a company's private internal network are a major security concern. They are vulnerable to 'denial of service' attacks, in which criminals try to overwhelm them with spurious traffic. Companies have already been held to ransom by this kind of attack. Another risk is hacker penetration. Keeping gateway computers patched and monitoring them carefully is important. Intrusion detection or prevention systems can help, if set up correctly. All of this takes time and effort: "There's an overhead there. It's not free from a management point of view," says David Beesley, a security expert from Network Defence.

Unauthorised access

Managers need to be aware of the risks of 'SQL injection'. This risk occurs when a badly designed and poorly tested web-based front end is built onto a SQL database. It can allow hackers to gain full access to the database itself through the website. "The horror of this is that you can have lots of firewalls and so on, but because of something a web developer has done you can have a hacker gain access to confidential information without you even knowing about it," says Beesley. Managers need to make sure that security is written into the specification of any new system, and that vulnerabilities like SQL injection are tested for before any system goes live.
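To make the risk concrete, here is an added example (not part of the original article or any system it describes) of a grower-forecast lookup written the weak way and the hardened way, plus the kind of check that can run before go-live. The table, column and function names are hypothetical, and the sample rows are constructed.

```python
import sqlite3

def make_db():
    """Build a constructed in-memory forecast table (sample data, not from the article)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE forecasts (grower TEXT, crop TEXT, tonnes REAL)")
    db.executemany(
        "INSERT INTO forecasts VALUES (?, ?, ?)",
        [("grower_a", "apples", 12.5), ("grower_a", "pears", 4.0),
         ("grower_b", "plums", 7.25)],
    )
    return db

def forecasts_unsafe(db, grower):
    # Weak form: the value from the web form is pasted into the SQL text,
    # so quote characters in it change the structure of the statement.
    sql = "SELECT grower, crop, tonnes FROM forecasts WHERE grower = '" + grower + "'"
    return db.execute(sql).fetchall()

def forecasts_safe(db, grower):
    # Hardened form: the value is bound as a parameter and is only ever data.
    sql = "SELECT grower, crop, tonnes FROM forecasts WHERE grower = ?"
    return db.execute(sql, (grower,)).fetchall()

def leaks_other_growers(query_fn, db, probe="x' OR '1'='1"):
    """Pre-go-live check: True if a quote-bearing input returns rows
    that do not belong to the (non-existent) grower named by the probe."""
    rows = query_fn(db, probe)
    return any(row[0] != probe for row in rows)

if __name__ == "__main__":
    db = make_db()
    print("concatenated query leaks: ", leaks_other_growers(forecasts_unsafe, db))
    print("parameterised query leaks:", leaks_other_growers(forecasts_safe, db))
```

Both functions return the same rows for an ordinary grower name, which is why the flaw goes unnoticed in normal use and has to be tested for explicitly.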

As Microsoft and other companies commoditise the software needed for online commerce, these issues will affect more and more companies. Digitally integrated supply chains will reach down into small businesses. As they wake up to the efficiency gains of business collaboration, companies must also wake up to the security risks and address them.



    Matthew Stibbe

About the author
Matthew Stibbe is a professional writer, specialising in business and technology. He is the founder and Writer-in-chief of Articulate Marketing and a part-time director of a property management company in West London. He was editor-at-large at Real Business and is still a regular contributor to Director, Wired and other leading magazines.

