B2B PARTNERSHIPS SECURITY - How to Practice Safe B2B
Indeed, the risks of working with an insecure partner are frightening. A partner that fails to secure its own systems could become a launch pad for attacks into your systems. Someone could tamper with data in a supplier's system, such as switching a digit in a product SKU number. Or a virus could disable your partner's systems. Either way, your just-in-time supply chain operations will grind to a halt. Worst of all, you might incur legal liability if your partner exposes your customers' data. "Your customer will ask, 'Why didn't you investigate this partner?' That customer can sue you," says Dorsey Morrow, general counsel for ISC2.
Of course, it’s not just about the risks. Safe B2B e-commerce carries huge business benefits too. In fact, companies can market the security of their B2B programs to enhance customer confidence and thus attract additional partners. Safer B2B practices also protect against glitches and outages, preserving the critical just-in-time nature of e-commerce, which keeps the revenue flowing.
With so much to lose and to gain, every company should establish a set of security expectations for its B2B partners, drawing from the list that follows. In addition, take heed of the strategies to counter resistance and enforce compliance, since you will be dealing with companies that aren't under your control.
Requirements and Expectations
A Documented Security Policy
Security experts say every company should demand to see its B2B partners’ written security policy. Lee Holcomb, CIO of NASA in Washington, D.C., says that is something he’s strict about because he uses online connections to post competition opportunities and pay aerospace vendors and contractors. He expects policies to include firewall maintenance and patch-service provisions and to provide for vulnerability assessment and intrusion detection, as well as a training program for systems administrators who would have access to sensitive information. "We’re dealing with astronauts or pilots in space," says Holcomb. "Security and safety are synonymous."
The Federal Reserve typically asks for a written description of a partner's security organization, including its roles and responsibilities and where the security function reports. "If security is buried in the technical bowels of an organization, it's probably not having significant influence on senior management," Wade says.
The policy should also identify individuals managing the partner’s security program, adds Harry DeMaio, a director in Deloitte & Touche’s enterprise risk practice in New York City.
Secure Application Development Practices
In most B2B relationships, partners grant each other limited authority to enter their systems and access critical information. If your partner is using proprietary applications that touch your system, security must be built into those applications. Your partner must show you how security is incorporated into its application design, development and deployment plans, says DeMaio. Look for access and authorization controls built into applications; path isolation to ensure that the app's user goes only where he's allowed to go; and logging and reconciliation to provide a record of where any user has been, matched against what he's done. "Make sure the application doesn't turn off or ignore other security controls, like encryption, associated with the [B2B] system," adds DeMaio.
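To make those three controls concrete, here is an added example that is not code from the article or from any of the companies it quotes: a minimal partner-facing purchase-order API in plain Python, with the unsafe handler a partner might ship next to the hardened one. The partners, bearer tokens, SKUs and PO numbers are hypothetical and constructed inline; `handle` returns an HTTP-style status and body rather than serving real requests.

```python
"""Added example, not from the article: a partner-facing purchase-order
API showing authorization checks, path isolation (each partner confined
to its own orders) and an audit log that can be reconciled against the
live data. Partners, tokens, SKUs and PO numbers are constructed here."""
from typing import Optional

# Constructed sample data: purchase orders owned by two partners.
PURCHASE_ORDERS = {
    "PO-1001": {"owner": "acme", "sku": "SKU-48213", "qty": 500},
    "PO-2002": {"owner": "globex", "sku": "SKU-77001", "qty": 120},
}
# Snapshot taken at start-up; reconciliation replays the log over it.
INITIAL_QTY = {po_id: rec["qty"] for po_id, rec in PURCHASE_ORDERS.items()}

# Hypothetical bearer tokens the partners present: identity plus scopes.
SESSIONS = {
    "tok-acme-ro": {"partner": "acme", "scopes": {"po:read"}},
    "tok-acme-rw": {"partner": "acme", "scopes": {"po:read", "po:write"}},
    "tok-globex-ro": {"partner": "globex", "scopes": {"po:read"}},
}
REQUIRED_SCOPE = {"read": "po:read", "update": "po:write"}

AUDIT_LOG: list[dict] = []  # one entry per request, allowed or denied


def unsafe_update_qty(po_id: str, qty: int) -> dict:
    """Before: no authentication, no ownership check, no record. Any
    caller can rewrite any partner's order (the data-tampering scenario)."""
    PURCHASE_ORDERS[po_id]["qty"] = qty
    return dict(PURCHASE_ORDERS[po_id])


def handle(token: Optional[str], action: str, po_id: str,
           qty: Optional[int] = None) -> tuple[int, dict]:
    """After: returns (status, body). Authenticates the token, checks the
    scope for the action, confines the caller to its own orders, and logs
    the decision whatever the outcome."""
    session = SESSIONS.get(token or "")
    entry = {"partner": session["partner"] if session else None,
             "action": action, "po": po_id, "outcome": "denied"}
    try:
        if session is None:
            return 401, {"error": "unauthenticated"}
        required = REQUIRED_SCOPE.get(action)
        if required is None:
            return 400, {"error": "unknown action"}
        if required not in session["scopes"]:
            return 403, {"error": "missing scope " + required}
        po = PURCHASE_ORDERS.get(po_id)
        # Path isolation: a foreign order and a nonexistent one get the
        # same answer, so a partner cannot enumerate other partners' POs.
        if po is None or po["owner"] != session["partner"]:
            return 404, {"error": "not found"}
        if action == "update":
            if not isinstance(qty, int) or qty < 0:
                return 400, {"error": "qty must be a non-negative integer"}
            entry["before"], entry["after"] = po["qty"], qty
            po["qty"] = qty
        entry["outcome"] = "allowed"
        return 200, dict(po)
    finally:
        AUDIT_LOG.append(entry)  # denied attempts are evidence too


def reconcile() -> list[str]:
    """Replay allowed updates from the audit log over the start-up snapshot
    and report every order whose live quantity the log does not explain,
    i.e. a change that bypassed the controlled path."""
    expected = dict(INITIAL_QTY)
    for e in AUDIT_LOG:
        if e["outcome"] == "allowed" and e["action"] == "update":
            expected[e["po"]] = e["after"]
    return sorted(po_id for po_id, rec in PURCHASE_ORDERS.items()
                  if rec["qty"] != expected[po_id])


if __name__ == "__main__":
    print(handle("tok-globex-ro", "read", "PO-1001"))       # 404: isolated
    print(handle("tok-acme-ro", "update", "PO-1001", 450))  # 403: no write scope
    print(handle("tok-acme-rw", "update", "PO-1001", 450))  # 200: logged
    print(reconcile())                                      # []
    unsafe_update_qty("PO-2002", 1)                         # bypasses the controls
    print(reconcile())                                      # ['PO-2002']
```

The point of `reconcile` is the "matched against what he's done" half of DeMaio's requirement: an access log alone shows who called what, but only a replay of the logged changes against the current data reveals a change that no authorized request accounts for. Denied requests are logged as well, since a partner probing for other partners' order numbers is exactly the activity you want to see.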