Corporate security threats many times come from customers, business partners

80 to 90 per cent of violations are inbound

While a company can do everything possible for its own network security, in the age of e-commerce and online banking that's not enough. Increasingly, IT managers have to ask, Is the guy we do business with the loose wire in security?

The answer may be "yes" because the customer, client and trading partner isn't meeting expectations about secure data-sharing, such as using encryption to shield sensitive information. And when their PCs are hijacked by cybercrooks or their employees transmit sensitive data in a way that violates regulatory statutes, suddenly it's your company's problem, too.

In healthcare, data related to personal health information (PHI) and personally identifiable information (PII) which is transmitted to business partners has to be kept confidential through encryption, notes Richard DeRoche, corporate director of information technology at Lutheran Life Communities. The healthcare provider, with eight locations and 1,600 employees, provides older adults with retirement facilities, home care and nursing services in Illinois, Indiana and Florida.

But when Lutheran Life Communities installed a data-loss prevention device -- in this case, one from Palisade Systems -- to make sure PHI and PII data transmissions were sent correctly, the big shock was the discovery that it was business partners that had issues.

"85% to 90% of the violations are inbound," says DeRoche, noting that while employees at Lutheran Life Communities were, by and large, following instructions about encrypting sensitive data, the healthcare provider's business partners and even a state agency were the ones making the most mistakes in that regard.

That ignited debate in the legal division at Lutheran Life Communities as to whether the company should even be accepting email that appears to violate rules such as HIPAA and the HITECH Act, regulations that carry punishment and fines for violations.

DeRoche says the company has decided to start sending warning messages back to the originators of email that violates its security and privacy policy, saying the company can't willingly accept the messages in their current form. He notes there's a need to establish more business-partner agreements where these types of data-protection issues are spelled out in advance.

Lutheran Life Communities, which like many firms has not found it easy to establish a way to get myriad business partners using encryption, set up Microsoft SharePoint as an external portal intended for business partners to share confidential data with the company. It's a password- and encryption-based system that works but is a tad "awkward" for end users, DeRoche notes.

Banking is another industry where mistakes made by others have an unwanted impact.

Cybercriminals are proving adept in tricking both retail and corporate online banking customers, sometimes carrying out elaborate scams to lure victims to fake phishing sites to steal account information or even hijacking PCs with Trojan software to make fraudulent transactions through Automated Clearinghouse (ACH) services.

The criminals can remotely initiate large-dollar payments right through the victim's desktop computer, and these unauthorized payments end up in the bank accounts of the money mules helping them. Corporate bank customers, when they discover what happened, have to plead their case with the banks, and under the law, corporate customers don't have the same sort of fraud protections for lost amounts in this regard as consumers in online banking.

Some banks are moving more forcefully to try to prevent these types of attacks on their customers and the banking system.

For example, Fairfield County Bank, based in Connecticut, has decided that, in order to prevent attacks, it will require its corporate ACH banking customers -- about 80 companies with several hundred end users -- to make use of a specific security protection for ACH payments.

All of the bank's customers will get an IronKey Trusted Access for Banking token, which is a secure USB token that can be managed via the IronKey cloud-based service. The handheld IronKey USB device, plugged into a computer, aims to protect against keylogging and browser-based attacks and malware by essentially creating a controlled online work environment separate from the user's operating system.

"It will be required," says Christina Bodine, assistant vice president, cash-management office and business e-banking, at Fairfield County Bank.

She says the mandatory security device will help protect the customer and differentiate the bank's services. Like other banks, Fairfield County Bank recommends bank customers use dedicated machines for funds transfer, but doesn't require it.

Another financial institution, Bank of North Carolina, is also offering the IronKey USB token -- complete with the bank's logo on it -- to customers, says Debbie Myers, BNC senior vice president of e-banking and business services manager. But the bank, which is charging a monthly service fee for it, is not planning to make use of IronKey mandatory.

"We're providing it as an option at this time to our customers," says Myers, adding customers are still learning about it and the bank is reluctant to make it a requirement.


Ellen Messmer

Network World