Information risk and security in business relationships

As the full title for February's security awareness module became unwieldy, we adopted the working title "Securing business relationships". The ambiguity in that shortened version led me to ask myself:


"What are we actually concerned about: securing relationships, securing business, or securing information?"


Answering that rhetorical question turned out to be an interesting diversion from the slog of writing the materials. For what it's worth, I've done my best to recall the train of thought sparked by my little poser ...


1) Ours is an information security awareness service so naturally information security is our primary interest - our key concern.

2) Information security, in turn, comprises a suite of controls to mitigate unacceptable risks to information, hence we find ourselves increasingly referring to 'information risk and security' in the same breath.* 

3) While the nature of the information content varies according to the type of relationship and the associated business activities, information is undeniably an important part of every relationship [I elaborate on that point below]. In straightforward commercial relations (buying a simple commodity product online for instance), the vendor typically provides the buyer with, or makes available, a lot of information e.g.:
  • General information about the vendor’s organization – a combination of hard facts, advertisements, impressions, opinions and perceptions and expectations that comprise the brand;
  • Basic product information: functions and features, technical specifications, prerequisites, prices, promotions, marketing collateral (glossies), samples etc.;
  • Contact details;
  • More specific/detailed pre-sales product information including availability, delivery methods etc.;
  • Negotiating the deal e.g. break points for volume discounts, special checkout offers, extended guarantees, supplementary services and related products;
  • Details of the sales order processing and delivery process;
  • Sales contract with various terms and conditions of sale and details of both parties;
  • Sales invoice and/or receipt;
  • An offer, promise or guarantee of quality, suitability etc. whether express or merely implied;
  • Receipt, dispatch note, delivery note;
  • The actual product – goods or services (which may themselves be information);
  • Installation/configuration information, user manual, quick-start leaflet;
  • Information on the product packaging or otherwise accompanying it;
  • Support, maintenance or servicing information, recalls, updates and patches;
  • Information on the vendor’s other products including betas and advance notice of new products;
  • Loyalty card, discount codes etc.
... while the buyer typically furnishes information such as:
  • Background information about the buyer and their organization – a combination of hard facts, impressions, opinions and perceptions again;
  • Contact details;
  • Their requirements: proposed use, functions and features, prices, quantities, demands and wishes, constraints, concerns etc.;
  • Pre-sales inquiries e.g. seeking further information about prerequisites, features or options, and clarifying their expectations;
  • Negotiating the deal, possibly including details of competitive offers;
  • Details of the procurement and payment or settlement process;
  • A signed contract or agreement, or an acknowledgement click at least;
  • A purchase order and payment notice with details of the payment made, or payment card number or payment service information for identification, authentication and authorization purposes, plus delivery and invoice addresses;
  • Post-sales support requests, queries, complaints, improvement suggestions, feedback comments, and perhaps additional requirements.
As I said, that’s a lot of information, way more than just a few bits-n-bytes! Remember we’re talking here about a straightforward sale and purchase, and we've only considered information flowing directly between the parties, ignoring pertinent information flowing to and from third parties such as the tax man, affiliates, agents and other middle-men, 'product review' sites, and the vipers' nest that is online customer feedback and reputation through social media.

As if that's not enough already, the volume, complexity and importance of the information inevitably go up in more complex business transactions and interactions – strategy consulting, for instance, or financial/tax/legal advice, plus other types of business relationships such as interactions with owners and authorities, and IT outsourcing or service provision such as cloud computing – and changes gradually during the course of long-term relationships, partnerships and joint ventures that mature over the years.

4) Much of that information is both valuable and vulnerable to some extent. In classical information security terms, three aspects are key:
  • Confidentiality can be important for anything sensitive, proprietary or private - for instance the personal information, card numbers, and commercial details concerning the specific order (negotiated terms, quantities, discounts, delivery dates etc.). The simple fact that a transaction is taking place, along with details about the parties to the transaction and the specific products, may be deemed sensitive information in some circumstances (e.g. when buying weapons): this is an example of the sensitivity and value of metadata;

  • Integrity concerns the accuracy, validity, completeness and credibility of the information, for example simple errors and omissions on the invoice could invalidate the contract or materially affect the value to either party. Distinctly misleading impressions are often generated quite deliberately through unethical marketing, and unsupported claims often surface 'accidentally' in the course of sales pitches and negotiations. Fraudulent purchases are always a concern, especially for online cardholder-not-present sales. In short, the very nature of commerce implies a reliance on trust between the parties: 'If I give you this money, you will deliver what I want - right?'.

  • Availability of information can be almost as much of an issue as availability of the products and the buyers' cash! It can be a mission to obtain solid, reliable, accurate information from some vendors, even something as simple as a price, while others seem to want to distract us with irrelevancies. The buyer, meanwhile, isn't legally committed to the deal until they pass the true point of sale, generally by authenticating themselves to authorize the payment or executing the sales contract: until that crucial piece of information arrives, the vendor cannot count on the deal.
5) In addition to those vulnerabilities, there are threats (such as unscrupulous vendors and buyers, plus various third parties - competitors, fraudsters, social engineers, hackers, VXers, the NSA and others - wanting to get in on the act or sabotage things, as well as genuine mistakes, technology failures and so forth) and impacts (such as abandoned, unprofitable or unworkable deals, shoddy or otherwise inappropriate products, privacy breaches and identity fraud) ... together constituting risks. Few relationships would survive serious or repeated information security or privacy incidents, at least not without substantial concerns and issues going forward. Securing information is therefore a vital part of securing and maintaining effective relationships.

6) Relationships are a vital and integral part of business. I'm running out of steam and don't feel the urge to expand on that point so I'll leave it as an exercise for you, dear blog reader. By all means go ahead and tell me about business activities that don't directly or indirectly involve relationships by commenting below - although admittedly we might need to acknowledge that some business relationships are internal, within the corporation, as opposed to external.

Summing up, the honest if trite answer to "What are we really talking about: securing relationships, securing business, or securing information?" is simply "Yes!"


* As opposed to 'information security risk', a phrase which pops up repeatedly in the ISO27k standards - another distinctly ambiguous and undefined term.