Though you may be an e-commerce company, your security perspectives may be quite different depending on whether you focus on business-to-consumer (B2C) or business-to-business (B2B) transactions. Traditionally, B2C issues center on the protection of customer information and needs, while B2B issues revolve around network security and corporate privacy. Yet many e-commerce firms today are realizing that these two different security needs can be met with one strategy.
Consumer perspective with a privacy focus
B2C customers expect that their financial data will remain safe from theft and fraud, and that linking to a Web site will not infect their PCs with viruses or hostile code. They also have privacy concerns: they don't want their personal information, shopping habits, and preferences released to outside parties; they don't want promotional materials from other firms or individuals (unless they opt in); and they don't want cookies or other privacy-compromising code unknowingly planted on their machines.
While corporate alliances such as the Responsible Electronic Communication Alliance bring some common approaches to consumer protection, most notably regarding privacy, B2C security remains a company-by-company decision-making process. B2C organizations to date have predominantly focused on protecting customer data stored internally, mostly because of the high corporate liability. The next stepping stone for B2C operations is to expand into B2B e-commerce, and this requires that they expand their security protection to address the data and privacy protection needs of suppliers, partners, and distributors, as well as customers.
Business-to-business network and database integration
Different concerns predominate in the B2B world, where companies link with partners, distributors, and suppliers over the Internet. The challenging array of unique network architectures, operating system platforms, database products, and record structures makes integration a real headache.
B2B e-commerce security is held together by partner agreements and bolstered with supply chain software. Consortiums like The Center for Internet Security are working toward universal, auditable security standards, but these are only in the planning stages now.
Since B2B is all business, all parties have a mutual motivation for active, integrated protection. B2B participants expect their electronic transactions to be protected from interception, falsification, manipulation, or damage. They also want assurance against unauthorized access to their files and databases, seamless network protection during e-commerce activity, and audit trails they can review and certify. A nightmare scenario for a major multinational, for example, would be discovering that their e-suppliers' ineffective security enabled perpetrators to access and download production schedules, pricing models, and other secret information.
Integrating security policies
Given the fairly similar security needs of the B2C and B2B business models, e-commerce firms today are moving toward a more integrated security model so they can both cut costs and increase revenue. They can increase revenue by selling to both businesses and consumers, and they can cut costs by consolidating various functions, including payments, order generation, order processing, and inventory control.
If you're moving in this direction, be sure to:
- Support identification, authentication, and authorization procedures for all parties associated with an application, transaction, or communication.
- Use protection protocols for transaction, e-mail, and code traffic to prevent interference, modification, corruption, destruction, or disclosure.
- Implement data or processing variance identification and protection (e.g., if prices or production schedules exceed or fall below allowable limits, then halt the order and notify for review).
- Identify the individuals who initiate any business or consumer transaction.
- Plan for business continuity in the face of attack or technology failure.
- Protect stored information for the corporation, customers, partners, distributors, and suppliers against such threats as unauthorized access, modification, theft, and destruction.
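The variance check in the third item above, worked through as an added example (not code from the original column or from any vendor it mentions): each partner SKU carries an agreed price band and quantity ceiling, any line outside its band halts the whole order, and the reasons are packaged into a review ticket for a person to act on. The SKUs, limits, and the sample order are constructed for illustration.

```python
"""Order variance gate: hold orders whose unit prices or quantities fall
outside pre-agreed limits and queue them for human review."""
from dataclasses import dataclass, field

@dataclass
class Limits:
    min_price: float   # lowest unit price allowed under the partner agreement
    max_price: float   # highest unit price allowed
    max_qty: int       # largest quantity a single order line may carry

@dataclass
class Decision:
    halted: bool
    reasons: list = field(default_factory=list)

def check_order(order, limits_by_sku):
    """Return a Decision; any out-of-band line halts the whole order."""
    reasons = []
    for line in order["lines"]:
        sku = line["sku"]
        limits = limits_by_sku.get(sku)
        if limits is None:
            # An SKU with no agreed band cannot be auto-approved.
            reasons.append(f"{sku}: no agreed limits on file")
            continue
        if not limits.min_price <= line["unit_price"] <= limits.max_price:
            reasons.append(f"{sku}: unit price {line['unit_price']} outside "
                           f"[{limits.min_price}, {limits.max_price}]")
        if line["qty"] <= 0 or line["qty"] > limits.max_qty:
            reasons.append(f"{sku}: quantity {line['qty']} outside (0, {limits.max_qty}]")
    return Decision(halted=bool(reasons), reasons=reasons)

def review_ticket(order, decision):
    """Build the notification handed to a reviewer; None when nothing is held."""
    if not decision.halted:
        return None
    return {"order_id": order["order_id"], "initiator": order["initiator"],
            "reasons": decision.reasons}

# Constructed sample data: agreed limits and one inbound partner order.
LIMITS = {"WIDGET-7": Limits(9.00, 11.00, 500),
          "GEAR-2": Limits(40.00, 48.00, 100)}
SAMPLE_ORDER = {"order_id": "PO-1001", "initiator": "buyer@partner.example",
                "lines": [{"sku": "WIDGET-7", "unit_price": 10.50, "qty": 200},
                          {"sku": "GEAR-2", "unit_price": 4.80, "qty": 50},
                          {"sku": "BOLT-9", "unit_price": 1.00, "qty": 10}]}

if __name__ == "__main__":
    print(review_ticket(SAMPLE_ORDER, check_order(SAMPLE_ORDER, LIMITS)))
```

The GEAR-2 line (a price an order of magnitude too low) and the unknown SKU both hold the order, so a fat-fingered or manipulated price never reaches fulfilment without a recorded review; the ticket also carries the initiator, which ties the check to the identification requirement in the list above.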
We're still pioneering e-commerce; welcome to the next stage.
Dr. Goslar is principal analyst and founder of E-PHD, LLC - a security industry research and analysis firm. He is also on the editorial board of the International Journal of Electronic Commerce and can be reached at Comments@E-PHD.COM.