YOU MAY NOT KNOW IT, but you're leaving millions on the table when it comes to business-to-business e-commerce.

In this special two-part report, we show you how to hurdle the two main obstacles that stand between you and all that money: the security of your external connections and a lack of online trading partners. In How to Practice Safe B2B, IT and security leaders spell out their security requirements for their online partners and explain how they make sure their partners comply. In How to Grow Your B2B Network (Page 60), companies reveal the techniques they're using to attract new partners, thereby maximizing their B2B savings and revenue. The money is there. Go for it.

In summer 2000, Visa unveiled its "Digital Dozen," a list of security requirements calling for firewalls, encryption, testing and access policies that its service providers and merchants must have as a condition of doing business with Visa. That's right: if a bank or merchant can't play by these rules, they don't play with Visa. Visa's merchants and service providers must annually demonstrate compliance, through an online self-assessment for Mom-and-Pop shops and extensive third-party audits for merchants or service providers handling large volumes of cardholder information. And if a merchant refuses to comply, Visa can fine the bank that processes that store's transactions. Then it's up to the bank to punish the merchants. "Eventually, if we don't have proof from an independent third party that you qualify with our requirements, we really don't want you to take the card," says John Shaughnessy, Visa USA's senior vice president of risk management in Tampa, Fla.

Not everybody is as deadly serious about B2B e-commerce partner security as is Visa. In the stampede to e-commerce, most companies have disregarded the security of their partners and their role in exerting pressure to make sure they're safe.
"My sense is that B2B security is not a consideration for many organizations," says James Wade, chief security officer for the Federal Reserve System and president of Framingham, Mass.-based ISC2, a training and professional certification organization for IT security professionals. Many B2B relationships spawn from manufacturing, marketing or some other group within an organization without involving IT security. That may or may not be the case in your company, but regardless, it's your responsibility to see to the security credentials of your B2B partners. "The security of your B2B partner is as important as their creditworthiness," says Paul Gaffney, CIO of Staples, the office-products retailer based in Framingham, Mass.

Indeed, the risks of working with a nonsecure partner are frightening. A partner that fails to secure its own systems could become a launch pad for attacks into your system. Someone could tamper with data in a supplier's system, such as switching a digit in a product SKU number. Or a virus could disable your partner's systems. Either way, your just-in-time supply chain operations will grind to a halt. Worst of all, you might incur legal liability if your partner exposes your customers' data. "Your customer will ask, 'Why didn't you investigate this partner?' That customer can sue you," says Dorsey Morrow, general counsel for ISC2.

Of course, it's not just about the risks. Safe B2B e-commerce carries huge business benefits too. In fact, companies can market the security of their B2B programs to enhance customer confidence and thus attract additional partners. Safer B2B practices also protect against glitches and outages, preserving the critical just-in-time nature of e-commerce, which keeps the revenue flowing.

With so much to lose and to gain, every company should establish a set of security expectations for its B2B partners, drawing from the list that follows.
In addition, take heed of the strategies to counter resistance and enforce compliance, since you will be dealing with companies that aren't under your control.

Requirements and Expectations

A Documented Security Policy

Security experts say every company should demand to see its B2B partners' written security policy. Lee Holcomb, CIO of NASA in Washington, D.C., says that is something he's strict about because he uses online connections to post competition opportunities and pay aerospace vendors and contractors. He expects policies to include firewall maintenance and patch-service provisions and to provide for vulnerability assessment and intrusion detection, as well as a training program for systems administrators who would have access to sensitive information. "We're dealing with astronauts or pilots in space," says Holcomb. "Security and safety are synonymous."

The Federal Reserve typically asks for a written description of a partner's security organization, including its rules and responsibilities and where the security function reports. "If security is buried in the technical bowels of an organization, it's probably not having significant influence on senior management," Wade says.

The policy should also identify individuals managing the partner's security program, adds Harry DeMaio, a director in Deloitte & Touche's enterprise risk practice in New York City.

Secure Application Development Practices

In most B2B relationships, partners grant limited authority to pass into each other's systems and access critical information. If your partner is using proprietary applications that touch your system, security must be built into that application. Your partner must show you how security is incorporated into its application design, development and deployment plans, says DeMaio.
Look for access and authorization controls built into applications, path isolation to ensure that the app's user goes only where he's allowed to go, and logging and reconciliation to provide a record of where any user has been, matching up with what he's done. "Make sure the application doesn't turn off or ignore other security controls, like encryption, associated with the [B2B] system," adds DeMaio.

Access Control and User Authentication

Lax access controls within your partner's systems will give you an Excedrin headache. Ray Bedard, a partner in PricewaterhouseCoopers' supply chain practice in Virginia Beach, Va., tells of a company he worked with that failed to terminate a departing employee's access to its B2B applications. Before the employee left, he went into the system and ordered a bunch of goods from an online partner. The goods arrived and nobody could figure out what they were doing there. It took several hundred man-hours for the parties to resolve the mess.

To avoid that sort of tampering, companies should require partners to maintain strong, active password programs. Measures should include requirements to change passwords frequently, monitoring and logging of password usage, tools to detect easily guessed passwords and a central authority to set access policies. Wade adds that you should forbid your partner to set up departmental passwords if the partner accesses your systems through its network. "This is always a sticking point in negotiations," he says. "The partner always wants to use some easier form" of password protection.

For sensitive information, companies should require higher-level access and authorization tools. Ramana Palepu, CTO of the Worldwide Retail Exchange in Alexandria, Va., says his members require public-key infrastructure authentication technology, and will expect digital signatures for financial settlement and payment services the exchange may offer in the future.
But for less sensitive transactions, such as purchase orders, auctions and item tracking, strong password and user-name controls suffice.

Encryption

Experts and practitioners say companies should require their partners to use encryption for any sensitive information (customer data, marketing strategy, labor relations and unreleased financials) transmitted over the Internet. The Federal Reserve is constantly dealing with financial information, so Wade requires anything transmitted between the Fed and its financial and banking partners to be properly secured. At J.P. Morgan Treasury Services in New York City, Joe Calaceto, who heads up security as vice president and technical director, requires varying levels of encryption of customer information such as account numbers and beneficiary names and addresses. Gaffney says Staples requires its B2B partners to encrypt all Internet transmissions, but he doesn't require encryption for transmissions sent over private networks. "That would be overkill, since one of the reasons we're paying a premium for a private connection is for its security," he says.

Response Plans

DeMaio says the response plan is where to expect resistance from partners. Most companies focus on perimeter defense because it's sexy, but once they think nobody can get in, detailed response plans seem like overkill. That is a mistake, and you shouldn't let your partners get away with it, says DeMaio. "Too many organizations will simply fade and say, 'OK, you don't have to do it.'"

DeMaio adds that partners should provide a detailed description of their attack response plan, and it should be designed around specific systems, not generic boilerplate from books and manuals. Also, demand that partners notify you of security incidents within the hour.
Charles Le Grand, director of technology practices at the Institute of Internal Auditors in Altamonte Springs, Fla., adds that you should ask to see your partners' criteria for notifying authorities and how they're monitoring for vulnerabilities. For example, if they operate in an NT environment, urge them to keep up with NT BugTrack, he says.

Segmented Architectures

Some security analysts advocate "segmenting" enterprise architectures into smaller networks, all behind separate firewalls. That way, if one part of the network is compromised, the rest remains safe. Bethesda, Md.-based defense contractor Lockheed-Martin does that, and looks for it in its partners too, says A. Padgett Peterson, Lockheed's senior security analyst. (For more on Lockheed-Martin's strict security parameters, see "Maximum Protection," at www.cio.com/printlinks.)

Background Checks

If it's standard practice in your own organization to conduct background checks on employees with access to sensitive data, it's reasonable to request the same for partners' employees who also have access. Wade declined to say whether he requires background checks of the Fed's partners, but he's required it while working at other companies. By having business representatives, not just IT people, involved in the negotiations, you're more likely to get your partner to agree to background checks. "It's difficult for many IT people to appreciate the risks involved in the relationship being established," he says.

Compliance Audits

Experts and practitioners agree the best way to validate compliance is through periodic audits, either by your own auditors or an independent third-party security company, as Visa requires. Typically the party requesting the audit will foot the bill.

The most security-conscious organizations require their partners to submit to penetration testing on a regular or random basis.
But Le Grand says that is an extreme measure, because there is potential to bring a partner's system down. "If you run a denial-of-service attack just to see how they recover, the recovery will be expensive," he says. "So you'd better not do this haphazardly and without agreeing on your right to do this."

Inducements and Enforcements

The Carrot

If you work for a powerful company with partners that absolutely depend on your relationship, like Visa, you have the power to make demands. Unfortunately, most companies don't fit into that category. Instead, they must come up with carrots to entice partners to agree to their terms and incorporate them into contracts. For example, if your partner objects to security requirements because of cost, offer to share some of the cost. A partner "might balk at an extra few hundred dollars to pay for the setup of an extra server," says Calaceto. "In some cases we'll absorb it because we want a more secure system."

Or you can offer to include your partners in your security software licensing agreements to save them a few bucks, says Le Grand. Here Bedard advocates a "matching fund," where a company offers to kick in a dollar for every dollar its partner spends complying with the requirements.

Finally, Gaffney suggests offering discounts or preferred-seller status to partners that accept your requirements. "If a company associates economic value [with its requirements], it needs to be part of the negotiation," he says.

The Stick

Enforcement is an issue that companies should plan for in advance, with the hope of never having to exercise the stipulated penalties. The best way to enforce security requirements is to establish them in your B2B engagement contract. That provides a specifically delineated recourse should the partner fail to implement sound security measures.
According to ISC2's Morrow, the ideal recourse against a lax partner is indemnification: an agreement that if you get sued for damage caused by your partner's breach, the partner will pay you back the amount of the judgment. Of course, that requires proving that your partner was truly responsible.

On a case-by-case basis, Staples will provide in its B2B contracts that the partner will indemnify Staples for damage or legal liability stemming from the partner's security lapses. But Gaffney says such a provision can be tough to secure. "The bigger companies, particularly larger software providers, tend to stick hard to holding back on indemnification," says Gaffney, adding that smaller companies might agree to indemnification in return for more favorable pricing or product distribution.

Another form of recourse is a liquidated damages clause: a contract provision stating that a partner that doesn't live up to its security obligations (resulting in contract cancellation) will pay the other partner a set amount of money. Finally, if a partner violates the contract by, say, failing the audit, you have the right to terminate it.

But think twice about applying these sticks just because your partner has fallen short on an audit or failed to meet a particular requirement, especially if you haven't been harmed as a result. The ultimate objective of your B2B engagement is a productive, profitable relationship. The minute you seek to terminate the contract or collect fines, you've likely destroyed the relationship. You're much better off working with the partner to remedy its lapses, ensuring a safer and more profitable partnership for the future.