Partners and Suppliers Are a Company’s Biggest Security Risks

December 4, 2013

One of my favorite episodes of Freakonomics Radio concerns a diner at a Manhattan location of the organic restaurant chain Le Pain Quotidien, who finds a deceased field mouse in her salad. As often happens on Freakonomics, this revolting tale begets an interesting discussion of economics: From the function of “anchoring” in influencing pricing behavior to the challenge of scaling small businesses to a national or global scale.

In the case of Le Pain Quotidien, the incident was a lesson in risk management for the company, which had grown quickly from its first store in Belgium to a global chain with 150 locations in 16 countries. As it happens, dead bugs and rodents finding their way from the organic farm to a customer’s plate was an unfortunate, but acceptable risk for the restaurant’s management.

For me, the story nicely illustrates an important lesson of 21st century business. Namely: The actions of your suppliers and business partners (even small ones) can have an outsized influence on your company’s reputation and the bottom line.

Today, companies operating in many industries face the prospect of customers having a (virtual) “mouse in the salad” moment every day. The mouse comes in the form of customer data loss or theft, hacking, DDoS attacks and other online ills. As with Le Pain Quotidien, the source of the risk often resides outside the organization that is most affected. It can be found in the complex integration of enterprise networks and data with those of business partners, suppliers, and SaaS application providers.

One example: In March of this year, Bank of America (BAC) confirmed that a hack of third-party security firm TEKsystems was the source of a leak of internal e-mails that documented the company’s monitoring of hacktivist groups, including Anonymous. (This after a similar 2011 Anonymous attack on another BoA contractor, cyber-forensics firm HB Gary.)

Then, in August, an Australia-based domain name registrar used by the New York Times and Twitter (TWTR), among others, had visitors to those web properties redirected to propaganda pages for the Syrian Electronic Army, a hacktivist group.

These incidents suggest that we inhabit a business environment in which data has become “liquid”—for lack of a better term. It flows within the boundaries marked by your corporate firewall. But it also permeates that boundary in ways that are difficult to predict or control.

Mobile devices put access to enterprise resources in our pocket and, therefore, into the back seat of a taxicab. Contractors use VPNs to access critical, backend systems from dodgy home networks. Enterprise cloud applications, like (CRM) and Workday (WDAY), siphon sensitive information from company-managed IT assets to cloud-based servers that we do not control.

If networks 10 or 15 years ago were “gated communities” in which access was strictly controlled, you can think of today’s networks like suburban shopping malls, with many points of entrance and egress for individuals of all stripes.

Today, enterprises can choose from a long list of sophisticated detection and monitoring tools. Still, most do not have any idea what normal network behavior looks like, nor do they have a way to easily measure the security and integrity of their infrastructure providers, suppliers and business partners.

To extend my earlier analogy: The mall is up and running, but the mall owner has no idea who is coming and going, what stores they visit or even how they enter and leave. As we’ve seen, that myopia within organizations allows so-called “APT” attacks to linger and fester.

As an investor, I am working with entrepreneurs and start-up firms, like BitSight Technologies, that recognize the urgent need for tools that can make sense of the data generated by enterprises and the risk inherent in the complex web of business partners, contractors, and suppliers that modern organizations rely on.

In the months and years ahead, these tools will allow enterprises to shift business from high-risk to lower-risk suppliers, shut down links between their IT environment and those of a compromised business partner and show the door to misbehaving contractors. To use a biblical analogy: Predicting rain doesn’t count for much. Building arks does.