Thursday, June 13, 2013


Vendor security

Email Morphs into Corporate Espionage


An email just dropped into my electronic in-box with the subject “Should You Archive Email to the Cloud?”

I suppose it’s a good question and I can think of many reasons to keep my emails “closer to home.”

But the query did trigger an off-the-wall thought, my forte, it seems.

What about vendor security – all vendors, not just those in the cloud?

When a person or organization signs up with a vendor, the vendor asks for, usually justifiably, a great deal of information. Granted, most of the information can be acquired from public resources, public records. But maybe not all, and some of the “not all” should be, at a minimum, “confidential.”

On a personal level, it seems almost everyone wants a client’s Social Security number which, as it happens, never was intended for identification beyond the needs of the Social Security Administration and the IRS. (The U.S. government is responsible for much of the abuse; a quick review of the Social Security timeline at bears this out.)

Organizations with smart people at the helm will ask prospective vendors if they have plans in place to assure that the vendor can meet Service Level Agreements (SLAs) “no matter what.”

That’s not enough.

Organizations need to know that information shared with vendors is safe, secure.

Consider the world of corporate espionage. If the competition knows a firm is ordering ZYX parts and ZYX is not used in any current products, the competition can rightly suspect the firm is bringing out a new product.

Perhaps the competition learns that a regular order for 100,000 #22 threaded fasteners has been doubled. Implication: a bigger production run that could translate into lowered prices to increase market share.

A reduction in a previously standard order could indicate the organization is winding down production of a certain product.

Corporate espionage, as with all other espionage “disciplines,” most often succeeds by connecting the dots of generally available, or loosely held, information.

An organization need not be part of what Dwight Eisenhower termed the “military-industrial complex” to have sensitive information a competitor might covet. Coca-Cola still locks up its formula, and GM never willingly lets Ford get a look at its bound-for-the-production-line drawings. Would Macy’s tell Kmart when it plans a sale of merchandise that sits on both stores’ shelves?

Checking on a vendor’s security – how it handles client information – may seem “out of scope” for a business continuity planner, but it IS very much “in scope” for an enterprise risk management practitioner, and a lack of vendor information security – both electronic and paper – should concern the vendor’s clients.

Consider it.

If I wrote it, you may quote it.
