Shareholder Wealth

The electronic commerce marketplace thrives on interconnected relationships. Firms that fail to embrace electronic commerce have been replaced or are treading water to stay afloat. Global competition has changed the economy of all markets. Firms no longer have the option to go back to their old ways of doing business. You cannot put the genie back into the bottle , and Pandora s box has already been opened.

There is a cyclical relationship between customers and investors. As a firm gains customers, the value of the firm increases. As the value of the firm increases , the firm becomes more appealing in profitability to investors. The executives and managers of a firm therefore have a fiduciary responsibility to make decisions that increase the value of a firm.

Security failures cause havoc on this relationship. Unfortunately, many firms only embrace security efforts after the damage has already been done. These problems usually show their face as denial-of-service attacks, viruses, and e-mail problems. This list can go on and on; however, sometimes the attacks go largely unnoticed, at least initially. Unfortunately, unnoticed attacks are sometimes the most damaging in scope as in the following example:

In 2001, 32-year-old Abraham Abdullah duped more than 200 of Forbes 400 Richest People in America by stealing their identities. Mr. Abdullah collected information on individuals by using a publicly accessible computer at a Brooklyn, New York library to hack into databases that contained personal information from some of the world s most prestigious credit companies. He used this information to fraudulently open credit accounts, ultimately stealing more than $80 million dollars. It took authorities more than six months to apprehend Abdullah. At the time of his apprehension, the authorities found more than 800 fraudulent credit cards and 20,000 blank credit cards among his belongings.

An attack of this magnitude can be devastating to a firm. The security failures of firms can have many grave implications. Usually at the top of the list would be an obvious loss of customers. Today s customers are rapidly being apprised of the implications of the lackadaisical security measures. If one of your customers becomes a target of such an attack due to the inadequate security measures taken by your firm, they will likely discontinue the relationship. The value of the firm may decrease and ultimately fail.

It would seem that to prevent such a scenario from happening, executives and managers would simply protect the security posture . Unfortunately, it is not quite that simple; it is not just a matter of having security or not having security. First, it is nearly impossible to eliminate all vulnerabilities. It is an impossible proposition because technology is constantly evolving. Networked systems are designed to communicate with other systems. As long as systems communicate with one another, they will have vulnerabilities because the communication process itself requires that each system have the ability to exchange information with others. In addition, investment in technology security is extremely costly. These costs usually do not render an immediate tangible return on investment; quite the contrary, they usually render an immediate negative on the bottom line, making investment unappealing.

Although the financial cost to protect information technology systems and the information that they contain is a costly proposition, they are necessary. Choosing not to protect may be even more costly in the end because customers will stop doing business with the firm. Understanding that doing nothing is not an option allows the firm to build a strategy to push forward to protect the assets. From the forefront, it is necessary to understand that the investment in security technology will require significant fiscal resources, and the return on investment will be largely intangible. Taking a stepped, 360-degree approach to information assurance will reveal surprising results, however.

In the business-to-business relationship arena, firms are recognizing that technological security is integral to success. Businesses are beginning to focus on protecting their assets, and in doing so, recognize that vulnerabilities exist whenever they conduct transactions with other businesses. The technological innovations that have rapidly found their place in the market, such as electronic data interchange (EDI), enterprise resource planning (ERP) systems, and customer relationship management (CRM) systems, have forced businesses to incorporate their business partners within their security strategies. Businesses must have some form of reassurance that their partners in the market also have security mechanisms in place so that potential threats can be staved off, thus mitigating the vulnerabilities that exist between the technologically interconnected firms.

The interconnected relationship between firms goes largely unnoticed until something goes wrong. Suppliers are typically interconnected through EDI with the manufacturing or service providing firms. This electronic connection has enabled firms to cut overhead costs associated with inventory control, supply specification, shipping, and so forth. The EDI connection usually spans several tiers throughout the supply chain. Within the manufacturing or service providing firm, ERP systems have enabled them to optimize their operations, ensuring that resources are available to conduct operations seamlessly. EDI and ERP systems are also interconnected with the distribution outlets for the goods or services that the firm renders . The actual customer and distribution outlets are sometimes interconnected with one another through CRM technologies. As illustrated , throughout the entire supply chain, from customer to supplier, all can be interconnected through technological innovation. This interconnected relationship presents numerous vulnerabilities. While the vulnerabilities exist, not all will be exploited by threats. Firms must be able to determine which vulnerabilities are critical to their continued operations. Those critical vulnerabilities should be protected first, while other less critical vulnerabilities can be protected later.