Trouble from Within: Security Risks from Business Partners
One of my favorite episodes of Freakonomics Radio concerns a diner at the Manhattan branch of high-end, organic restaurant chain Le Pain Quotidien, who finds a deceased field mouse in her salad. As often happens on Freakonomics, this revolting tale begets an interesting discussion of economics: from the function of 'anchoring' in influencing pricing behavior to the challenge of scaling small businesses to a national or global scale.

In the case of Le Pain Quotidien, the incident was a lesson in risk management for the company, which had grown quickly from its first store in Belgium to a global chain with 150 locations in 16 countries. As it happens, dead bugs and rodents finding their way from the organic farm to a customer's plate was an unfortunate, but acceptable, risk for the restaurant's management.

For me, the story nicely illustrates an important lesson of 21st century business. Namely: the actions of your suppliers and business partners (even small ones) can have an outsized influence on your company's reputation and the bottom line.

Today, companies operating in many industries face the prospect of customers having a (virtual) "mouse in the salad" moment every day. The mouse comes in the form of customer data loss or theft, hacking, DDoS attacks and other online ills. As with Le Pain Quotidien, the source of the risk often resides outside the organization that is most affected. It can be found in the complex integration of enterprise networks and data with those of business partners, suppliers and SaaS application providers.

One example: in March of this year, Bank of America (BAC) confirmed that a hack of third-party security firm TEKsystems was the source of a leak of internal e-mails that documented the company's monitoring of hacktivist groups, including Anonymous. (This after a similar 2011 Anonymous attack on another BoA contractor, cyber-forensics firm HB Gary.)

Then, in August, an Australia-based domain name registrar used by the New York Times and Twitter (TWTR), among others, had visitors to those web properties redirected to propaganda pages for the Syrian Electronic Army, a hacktivist group.

These incidents suggest that we inhabit a business environment in which data has become 'liquid', for lack of a better term. It flows within the boundaries marked by your corporate firewall. But it also permeates that boundary in ways that are difficult to predict or control.

Mobile devices put access to enterprise resources in our pocket and, therefore, into the back seat of a taxicab. Contractors use VPNs to access critical backend systems from dodgy home networks. Enterprise cloud applications, like Salesforce.com (CRM) and Workday (WDAY), siphon sensitive information from company-managed IT assets to cloud-based servers that we do not control.

If networks 10 or 15 years ago were "gated communities" in which access was strictly controlled, you can think of today's networks like suburban shopping malls, with many points of entrance and egress for individuals of all stripes.

Today, enterprises can choose from a long list of sophisticated detection and monitoring tools. Still, most do not have any idea what normal network behavior looks like, nor do they have a way to easily measure the security and integrity of their infrastructure partners, suppliers and business partners.