Evaluating the Security Risk Between Business-to-Business and Business-to-Consumer

Today's security measures are not keeping up with today's security risks.

Anyone who tells you that your IT environment is 100 percent secure is either a liar, a bad salesperson or uninformed. The fact that no one can guarantee total security is the number one reason why business-to-business (B2B) or business-to-consumer (B2C) has not grown more rapidly.

This is not to say that progress has not been made. In the areas of firewalls, virus software, authentication and time stamping, to name a few, substantial advances have been made. Not only is it harder for someone to get illegally into a system, it is also easier for a perpetrator to be investigated and caught. But when billions of dollars are at stake, when liability is always looming over your shoulders, no one can fault a business for wanting to protect itself, as much as possible, from potential breaches into the company's infrastructure. So, even though companies recognize the efficiency of conducting business electronically, it should be no surprise that most business is still paper based. Just consider that about 5 percent to 6 percent of a typical Internet retailer's transactions are fraudulent, compared to less than half of one percent for traditional retailers (according to Cybersource).

When comparing security issues between B2B and B2C, both encounter risks. Are the risks greater for one business model than the other? I would ask the question, "Does it make a difference to a company whether they lose $1 million in one transaction or in a million transactions?" It has still lost a million dollars.

The main security risk difference between B2B and B2C is a matter of quantity versus quantities. In B2B the traffic volume is relatively small but the transaction amounts are usually fairly large. In B2C the traffic volume is extremely high and the transactions are small. The second major difference between B2B and B2C is that the internal threat is higher for B2B and the external threat is higher for B2C. I've read that in-house security breaches account for anywhere from 70 percent to 90 percent of all attacks on corporate computer networks.

The real security risk differences between B2B and B2C, however, are completely dependent on the type and size of the company, and the kinds of transactions that are taking place on the web. In the case of a bank, it is possible for an embezzler to withdraw a tiny percent from a high number of accounts, and within a short amount of time accumulate millions of dollars. The major U.S. car manufacturers have set up an elaborate B2B Internet exchange to purchase car components. If someone were to hack just one transaction that is worth several million dollars, the ramifications would be farther-reaching than the dollar amount of the transaction. It could be an order for brake drums. They don't arrive at the factory and production is disrupted, causing a chain reaction that results in additional dollar losses, not to mention the cost in customer loyalty because the cars do not show up at the dealership when promised.

Whether you are a big, medium or small B2B or B2C, risk is in the eyes of the beholder. A security specialist is likely to pitch a holistic plan for security. This is a wise approach. In meeting security requirements, the enterprise should be thought of as a whole. So the correct solution should comprehensively address security across all layers of the computing infrastructure. And this approach will inevitably lead a company to make choices based on their budgetary resources. Do I spend more on the firewall and less on the authentication? The challenge for companies that provide security measures for either B2B or B2C is to demonstrate the potential for risk and how their company can offer a secure solution.

It has been said a million times, but it's worth repeating: Security is made up of a number of interconnected elements, and it's only as strong as the weakest link. For that reason, my company, which focuses on the element of time, is only concerned with creating the most secure time synchronization and time stamping solutions for the IT environment. Our job is to educate B2B and B2C companies on their vulnerability in terms of time and what the dangers are if their time synchronization is off or if there is no secure time stamping within their environment. We don't do this at the expense of any other element. We just try to make them see that the secure "when" of a transaction is just as important as the secure "who."

One example of how the "when" is just as important as the "who" occurs every day on the Internet with electronic stock transactions. The National Association of Securities Dealers (NASD) recently noted some significant negative time differences between the time order entry firms report their routes of orders and the time that market makers report as the receipt time of those orders. For example, an order entry firm reports that it has routed an order at 10:30:02 to a market maker. This market maker records the receipt of the order at 10:29:32 (i.e., a full 30 seconds earlier). This calls into question whether one or both firms may not be synchronizing their business clocks, and more importantly it calls into question their integrity and consumer confidence.
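The reconciliation described above can be automated by joining each firm's route report to the market maker's receipt report and flagging any order that appears to arrive before it was sent. The following is an added example, not code from the article or from NASD; the firm names, order IDs and record layout are constructed, and all times are assumed to fall on the same trading day.

```python
from datetime import datetime

FMT = "%H:%M:%S"

# Constructed sample audit records (not real market data).
# Order A1 reproduces the case in the text: routed 10:30:02, received 10:29:32.
ROUTED = [  # (order_id, sending_firm, receiving_firm, route time on sender's clock)
    ("A1", "entry_firm_1", "market_maker_1", "10:30:02"),
    ("A2", "entry_firm_1", "market_maker_1", "10:31:10"),
    ("B1", "entry_firm_2", "market_maker_1", "10:32:00"),
]
RECEIVED = {  # order_id -> receipt time on receiver's clock
    "A1": "10:29:32",
    "A2": "10:30:45",
    "B1": "10:32:01",
}

def reconcile(routed, received):
    """Return (order_id, sender, receiver, delta_seconds) per matched order,
    where delta is receipt time minus route time."""
    deltas = []
    for order_id, sender, receiver, sent in routed:
        if order_id not in received:
            continue  # unmatched route report; a real audit would track these too
        delta = (datetime.strptime(received[order_id], FMT)
                 - datetime.strptime(sent, FMT)).total_seconds()
        deltas.append((order_id, sender, receiver, delta))
    return deltas

def violations(deltas):
    """Orders stamped as received before they were routed (negative delta)."""
    return [d for d in deltas if d[3] < 0]

def min_skew_by_pair(deltas):
    """Transit time is never negative, so the most negative delta seen for a
    firm pair is a lower bound on how far apart their two clocks are."""
    worst = {}
    for _, sender, receiver, delta in deltas:
        if delta < 0:
            key = (sender, receiver)
            worst[key] = max(worst.get(key, 0.0), -delta)
    return worst

if __name__ == "__main__":
    d = reconcile(ROUTED, RECEIVED)
    print(violations(d))
    print(min_skew_by_pair(d))
```

A negative delta proves the two clocks disagree but not which firm is wrong; attributing the error requires comparing each clock against a common trusted reference.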

In today's world of stock volatility, a few minutes could mean losing or gaining thousands of dollars. The integrity and auditability of electronic actions need to be ensured and all IT components globally time-synchronized. A solution with a secure time stamp is needed with an evidentiary trail to substantiate the when of an electronic transaction, protecting customers from internal or external order or audit manipulation, and ensuring that computer logs show the correct sequence of events. A Stratum One time server allows systems to be synchronized within the 10-millisecond range relative to UTC (universal coordinated time). Additionally, there are a number of more secure ways to get time. These include the universally available and acceptable GPS system, a dial-up option to the National Institute of Standards and Technology (NIST), or the use of a CDMA cell phone signal.

More and more business will be conducted on the Internet. It just makes good business sense. It's more cost-effective than an extensive internal network. Proponents for internal networks claim that they are more secure. They might be right, but I would go back to the fact that most security breaches come from within. What is critical is protecting a company's internal systems from improper access through the Internet, and that risk is there in B2B and B2C.

Both B2B and B2C have to be concerned about authenticity, security and auditability. And the companies that provide these services and products have to be constantly aware that IT infrastructures are constantly evolving as organizations grow and technology advances. No one company can provide it all, which is why a growing trend in the industry is one of alliances and partnerships. If an electronic document is to be considered an original, it must be proven to be created at the time the person authored it. This means that the authentication of the digital content cannot be repudiated.

Think of security for B2B and B2C as jigsaw puzzles. The puzzles are the same size. The pieces within the B2B are bigger than the pieces in the B2C, which means there are more pieces in the B2C puzzle. Companies that provide security services and products focus on their piece of the puzzle and see how it fits in with the rest. B2B and B2C have to decide which pieces to have and which to omit. It doesn't really matter whether the piece is small or large, because in the world of security, any opening is an invitation to a security breach. And, as much as I hate to admit it, even when all the pieces are firmly in place and it looks as though there are no openings, remember that it's a jigsaw puzzle. Pieces can be removed for a moment and then returned, and on the surface everything will look the same.

Where we are today, though, is that we have the tools that will securely verify and authenticate the movement of that jigsaw piece - both the who and the when - so that it's much easier to identify unauthorized actions. While complete 100 percent security is not yet a reality, it is our goal and we are making great strides to discourage more and more breaches of security. This will only help the growth of both B2B and B2C.

John Bernardi is president of Datum - Trusted Time Division. He can be reached at [email protected].
