Cover story: Coming up roses

If the online marketplace were a family, 1-800-flowers.com could be considered a patriarch. In 1992, the flower distribution business joined AOL as the internet service provider's first merchant. Three years later, the company added a ".com" to its name and became one of the web's earliest and most recognizable success stories.

"My 14-year-old didn't even realize that we actually started as an 800 number," says Enzo Micali, senior vice president of information technology and CIO of 1-800-flowers.com, which has risen in 30 years from a 700-square-foot retail shop in Manhattan to an $800 million-a-year online behemoth. "We like to say that we were a company waiting for the internet to happen."

So while the Westbury, N.Y.-based public company certainly has scored high marks in cyberspace visibility, most customers have not realized the dedicated efforts of the business to stay defended against external and internal security threats. The company has had its work cut out for it. In acquiring nine catalog/online retail brands located across the country over the past eight years, 1-800-flowers.com has required strong planning to remain safe.

The merger-and-acquisition process is not the only time organizations must be mindful of how another company's security policies and weaknesses can affect them. This scenario also arises during outsourcing arrangements, which "have become a widespread phenomenon," according to Gartner. However, the analyst firm's research indicates that some global sourcing initiatives are "being scaled back or even canceled" over security and privacy concerns.

"Once things go outside your door, you have less control, by definition, of how they're used," says Stephen Scharf, a security director at a leading financial service who also serves on the Information Systems Security Association (ISSA) board of directors as the vice president of communications. "There's the greater percentage that something malicious could happen."

The same goes for organizations inviting something inside their door.

1-800-flowers.com has purchased mostly small organizations — between 50 and 100 employees — that had been willing to accept a certain level of security risk prior to being acquired, says Micali. Specifically, employee awareness training was minimal and anti-virus software was not installed on every PC.

"They had the basics," recalls Ira Sheinwald, vice president of infrastructure services at 1-800-flowers.com. "But the true meat and potatoes of the security world were not in place. None of them had a true intrusion detection system. Not one of them."

Micali says that when the multi-channel retailer is considering purchasing another company, he and Sheinwald consult their "playbook." It guides the IT team through the due diligence process, which includes analyzing the candidate's network for single points of failure, capacity constraints and vulnerabilities — and then correcting whatever problems exist before the network is integrated and unified. IT leaders also visit the companies' physical sites to get a close-up look.

"IT security is baked into everything we do," says Micali, who joined the company in December 2000, after working as the CTO at InsLogic, a recently sold start-up, and as a technology architect for Chase Manhattan Bank from 1989 to 1998. "They [subsidiaries] may be the weakest link on our chain. Exposure on their part, by association, becomes exposure on our part."

"The first thing you want to do during a merger and acquisition is make everyone feel like they're on the same team," he adds. "The fact that I can get to the same data that maybe my colleague in Ohio can, is important."

Outsourcing is a different concept altogether, but it inherits similar risks to mergers and acquisitions. Simply put, outsourcing helps cut costs and improve efficiency within organizations. The National Association of Software and Service Companies (Nasscom), India's leading trade association, reported that offshore outsourcing grew by 33 percent over the past year, reaching a new high of $13.3 billion.

Steve Betensky, partner in the New York-based law firm White & Case, says companies often tap into a more skilled workforce when they outsource IT functions. "In many cases, people do it to get access to a new pool of employee talent," says Betensky, who heads the firm's global outsourcing information technology practice, charged with hashing out agreements between organizations and their vendors.

Utilizing partners for other business functions, such as call centers, also is common. 1-800-flowers.com has dozens of outsourced call centers across the nation. However, whenever outsourcing occurs, there is a higher chance something malicious might occur, experts say.

"One major concern is that you have less direct control over what's going on with your customer's data," says David Bender, leader of White & Case's global privacy practice. "When it goes to another shop, whether it's across the border or not, it's in a third-party control. You have to monitor, more so than you would if it was a task in your own shop."

One need not look far for examples. In June, hotels.com announced that an unencrypted laptop containing the names, addresses and credit card numbers of 243,000 customers was stolen from the car of an Ernst & Young employee.

In this instance, hotels.com supplied Ernst & Young with confidential customer data so the accounting firm could conduct an audit. Company officials do not believe the thieves were targeting the computer, nor do they believe any of the information was misused.

When the incident came to light in June, though, hotels.com's senior compliance officer, Cathy Bump, sounded noticeably upset over the breach. "Obviously there was the expectation that the data would be kept confidential and secure," Bump told SC Magazine at the time, referring to an agreement between hotels.com and Ernst & Young. "Obviously that did not occur." Bump declined to be interviewed again for this story.

With at least 23 states enforcing data breach notification laws, customers are becoming more and more likely to learn about such incidents — and they typically do not react kindly, studies show. According to the Ponemon Institute's survey of 400 American adults who received notice that their personal information was missing or was acquired by unauthorized parties, 42 percent planned to take their business elsewhere.

Most disturbing to a company that suffers a breach: Customers will not make the distinction between a partner's blunder and the company with which customers directly do business, experts contend.

"At the end of the day, your customer is going to hold you accountable," Scharf says. "Making a comment that, ‘It wasn't me, it was my vendor,' just isn't going to fly. They're going to think with their wallets."

When a company's critical data is in the hands of a service provider, the hope is that vendor has security controls "at least matching" what the organization is running internally, says Arabella Hallawell, a Gartner analyst who specializes in outsourcing.

But the only way to assure such safeguards is through well-crafted service-level agreements (SLA), experts say.

"Most organizations, at least in the past, haven't viewed security as important evaluation criteria," Hallawell says. "I think the onus is very much on the company to negotiate and ask. If you don't ask, you'll get very vague security controls in place."

Caleb Sima, co-founder and CTO of web application security firm SPI Dynamics, says certain application developers, particularly those in India, need motivation to produce secure products.

"You have to tell them exactly what to do," he says. "Otherwise, they won't do it, and you'll have a bug in your code. They just don't see [security] as a priority."

Hallawell says in a June research report that, at a minimum, companies should negotiate SLAs to include provisions on patch and identity management, breach notification and business continuity. But better yet, she says, there should be clauses on personnel training, employee screening, security monitoring, remote use, encryption, subcontractors, employee monitoring, legal dispute resolution, and intellectual property and trade secret protection.

"But companies must ask," Hallawell says in the report. "The majority of companies we speak to fail to ask these questions, or fail to negotiate these clauses with their providers."

Even if organizations feel comfortable with their vendors' security practices, they must also ensure that any subcontractors have strict controls in place.

"The outsourced vendor may subcontract work out to another vendor," says Jody Westby, CEO of Global Cyber Risk, a Washington, D.C. consulting firm. "Your vendor may have other clients that are rich targets for hackers and economic espionage that can make your data vulnerable, and you're not even aware of that."

Westby, whose firm focuses on outsourcing advisory services, says organizations must hammer out comprehensive SLAs, although attorneys typically favor cost savings over security. Often, deals are constructed with the end-result in mind, without examining the "whole risk picture," she says.

"Attorneys are famous for trying to drive an agreement to the most onerous terms and the lowest price for the client," she says. "In the outsourcing environment, that could be the kiss of death."

Hallawell, in her paper, recommends companies "use legal counsel that understands the local laws of the jurisdiction the provider will operate within, and that specializes in international law and international arbitration law."

While SLAs are crucial to any outsourcing arrangement, organizations must also realize they are compelled to comply with certain requirements through such regulations as Sarbanes-Oxley, Gramm-Leach-Bliley and the Health Insurance Portability and Accountability Act.

"Regulators don't let you off the hook," says attorney Betensky. "If you're governed by SEC regulations, you need to make sure your regulations are complied with by that outsourcer. I think any lawyer would assume, if they're required in the U.S., then they're required to comply when those same systems are being accessed or maintained overseas."

SLAs also should include a clause that grants organizations the right to conduct a vendor assessment, experts say.

Scharf says budgets will not allow organizations to conduct audits on every vendor they use. But assessments are a must for partners that are provided access to confidential data, such as payroll processors, application developers and external support vendors.

He recommends organizations review critical vendors on an annual basis, focusing on their security controls and financial stability. And just as organizations need to effectively review service providers, parent companies must do the same for subsidiaries operating within their network.

Micali says 1-800-flowers.com conducts "full-blown audits" of its subsidiaries — which include Plow & Hearth home and garden products and Cheryl&Co. gourmet desserts — once or twice a year. "You can't plug something into the network without the infrastructure team reviewing the security attributes of the device you're plugging in," he says.

Phil Neray, vice president at database security firm Guardium, says organizations can deploy tools and enact policies to monitor third-party vendors to ensure they are playing fair.

"There are cost-effective, non-disruptive technologies that you can implement to easily take care of these issues," he says. "They don't require consultants. They just plug into your network and monitor activity."

For example, the appliances observe what data is being accessed and what changes are being made, and they flag any unauthorized use. Not only do they help preserve the integrity of a company's critical data, but they also provide a "verifiable audit trail" for compliance.

1-800-flowers.com deploys a monitoring device from Cupertino, Calif.-based Securify. The appliance offers visibility into the security posture and baseline controls of other firms, while also observing user behavior, says Buck French, CEO of Securify. Called SecurVantage, the solution sits passively to create a "choke point" between two networks, ensuring no rogue traffic passes through.

He says companies purchasing other entities must be cognizant of certain issues.

"First of all, you don't know what their security best practices have been or how they've been implemented," French says. "There's also a lot of change that goes on during a merger and acquisition, both infrastructure-wise and people-wise."

Neray also suggests that organizations combine these tools with certain policies — such as restricting partners from reaching sensitive data at suspicious times, and limiting how they can access that information. Scharf adds that organizations should only provide their vendors with the data needed to complete their required task.

1-800-flowers.com follows this advice when it transfers orders over a peer-to-peer exchange to its more than 8,000 member florists, Micali says. The company only supplies members with information they need to process orders, such as the type of merchandise and the recipient's name and address, Micali says. "There's no credit card or billing information. Only information necessary to fulfill that order is passed along, as we do with all of our other systems. We don't pass any data not critical to that transaction. We deal with a lot of third parties."

1-800-flowers.com, meanwhile, requires all of its vendors to access the network through virtual private networks (VPNs), which highlights the company's "concept of centralization," says Sheinwald.

At its outsourced call centers, 1-800-flowers.com requires employees to use thin clients, which rely on the company's central server in New York for processing activities.

"There's very little security exposure," Micali says. "There's no data on their environment."

DIFFICULT TO RESOLVE:

Outsourcing disputes

Pursuing legal action against third-party vendors whose employees may have stolen intellectual property or sensitive data can take a decade or more in some cases — and this alarms some customers who consider outsourcing, experts say.

"One of the key concerns of Gartner clients are the legal challenges in the offshore jurisdiction," firm analyst Arabella Hallawell says in a June research report. "These may arise even if you are using a U.S.-headquartered provider with a network of offshore operations."

Jody Westby, CEO of Global Cyber Risk, a Washington, D.C.-based advisory firm, says she understands how organizations might be leery of outsourcing. More emphasis needs to be placed on privacy and the possibility of cybercrime in outsourcing arrangements, she says.

"You may have issues with law enforcement to even investigate a security breach or to assist an international investigation as to what happened," she says.

The key, Hallawell contends, is for the vendor to have a confidentiality agreement in place with its employees. Organizations contracting foreign partners must be assured they will not tolerate ex-employees exposing confidential data.

Nasscom, India's leading trade association, has taken its own measures. It recently mandated that all outsourcing workers must register on a database to confirm their identity. — DK

1-800-FLOWERS.COM:

Companies acquired

  • Plow & Hearth, home and garden product cataloger, 1998
  • GreatFood.com, now defunct cataloger, 1999
  • Ambrosia Wine, wine cataloger, 2004, $2 million
  • HearthSong, children's toy cataloger, 2001
  • Magic Cabin, children's toy cataloger, 2001
  • The Popcorn Factory, gourmet popcorn cataloger, 2002, $12.2 million
  • WineTasting Network, wine cataloger, 2004, $9 million
  • Cheryl&Co., dessert cataloger, 2005, $40 million
  • Fannie May Confections Brands, chocolate and confection cataloger, 2006, $85 million — DK
