As trade portals continue to eclipse static websites as a digital touchpoint for B2B customers, few enterprises remain unswayed by their ability to fortify brands, reduce costs, and increase sales.
However, in the haste to offer clients and partners direct access to internal value-adding applications, it’s easy to forget that portals can become vulnerabilities in the soft underbelly of an organization.
In case you haven’t reviewed your portal cybersecurity, or you are planning to launch a trade portal or a business-to-business ecommerce outlet, the following overview of portal security dos and don’ts will help you avoid mistakes. By heeding them, you can keep your enterprise, partners, and customers safe from data breaches and malicious digital intrusion.
First then, the don’ts.
4 Don’ts of B2B Portal Security
1. Don’t Use a B2C Solution
If your enterprise is engaged in both B2C and B2B commerce, it can be very tempting to try and adapt your consumer-oriented solution to create a portal for business customers. Such repurposing is often inadvisable due to the sheer number of changes required to the original modules.
As the engineers at Iflexion will tell you, making a B2C platform work for B2B is entirely possible, but it's not something they would necessarily encourage. Extensive redevelopment can undermine the security assurances of the original solution, and it is a costly way to build a B2B portal in any case. Software designed for B2B from the outset is usually the more secure option.
2. Don’t Store Credit Card Numbers on Your System
It’s becoming more and more common for business customers to use credit cards for B2B payments. More service providers and vendors are accepting them, too, as an alternative to insisting that customers set up business accounts.
If you accept customers' credit cards, don't overlook the risks of storing card data in your internal systems. You can protect your portal as thoroughly as you like, but there is never a 100% guarantee that it won't be breached. If an intruder does get in, having your customers' card data held in a third-party vault (a tokenization service), with your portal storing only an opaque token and at most the last four digits, protects you and them from card theft and cloning. It also substantially reduces the part of your portal that falls within PCI DSS scope.
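The pattern above in code, as an added example that is not part of the original article: the portal hands the card number to a vault and keeps only the returned token and the last four digits, and a Luhn-based scanner checks that nothing card-shaped has leaked into your own records, logs or support notes. The in-process vault, the `tok_` token format and the sample dump are assumptions standing in for a real third-party service and real data.

```python
"""Added example (not from the original article): keep card numbers out of
your own storage. The vault below is an in-process stand-in for a remote,
PCI DSS certified tokenization provider; only its token contract is modelled."""
import re
import secrets

# token -> PAN. In reality this table lives with the provider, never with us.
_VAULT: dict[str, str] = {}


def vault_tokenize(pan: str) -> str:
    """Exchange a PAN for an opaque token. Only the vault can reverse this."""
    token = "tok_" + secrets.token_hex(12)  # assumed token format
    _VAULT[token] = pan
    return token


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def store_card(customer_id: str, pan: str, expiry: str) -> dict:
    """What the portal persists: a token plus display data, never the PAN."""
    pan = re.sub(r"[\s-]", "", pan)
    if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_ok(pan)):
        raise ValueError("not a valid card number")
    return {
        "customer_id": customer_id,
        "card_token": vault_tokenize(pan),
        "last4": pan[-4:],
        "expiry": expiry,
    }


# 13-19 digits, optionally separated by spaces or dashes, not part of a longer run
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def find_pans(text: str) -> list[str]:
    """Flag digit runs that pass Luhn: likely card numbers in a dump or log."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[\s-]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


if __name__ == "__main__":
    rec = store_card("cust-17", "4111 1111 1111 1111", "12/27")  # constructed test PAN
    print(rec)
    # constructed support note: the kind of place PANs leak into
    note = "order 17 paid with card ending 1111; customer read 4111-1111-1111-1111 by phone"
    print(find_pans(note))
```

Run `find_pans` over database exports, application logs and ticketing systems on a schedule; a non-empty result means card data has escaped the vault and your PCI DSS scope is larger than you think.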
3. Don’t Engage Without a Security Agreement
Perhaps the most profound risks to the security of your portal lie with the partners and customers that will use it. After all, their levels of diligence are outside of your direct control. That said, you can, and should, exercise some control by insisting upon a security agreement before allowing access to your portal.
This agreement can be written into your B2B engagement contracts. Ideally, it should stipulate one or more of the following recourses to safeguard your company and those that will interact with it through your ecommerce solution or other B2B portals:
- Indemnification in the case of legal action relating to a security breach
- A liquidated damages clause
- An exit clause to the contract that can be activated if your partner breaches security protocols or standards agreed upon
4. Don’t Be Tardy with Updates
Portal security is not a one-time implementation project, and the more complex your solution, the more frequently security gaps will appear. Unfortunately, while the need for a fast response to patch and update availability might seem obvious, it’s all-too-often overlooked.
For example, according to the 2019 vulnerability statistics report by Edgescan, the average time passing before businesses patch web application security vulnerabilities is 77.5 days. For network vulnerabilities this takes even longer: 81.7 days on average.
Any delay in patching and updating is an invitation, and that applies to every component the portal depends on: the web framework, third-party libraries, the web server and the operating system, not only dedicated security software. Not all cybercriminals are opportunists; some actively watch public advisories and wait for slow patching to leave them an opening.
Don't gift them the vulnerability to exploit. Apply security updates as soon as they are available, with a quick regression check in a staging environment where the change warrants it. The surest way to do this is automated update tooling or a maintenance contract with a security provider, together with an agreed maximum patch window that you actually measure.
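Measuring that patch window, as an added example that is not part of the original article: the script joins a component inventory against an advisory feed, skips items already at or above the fixed version, and reports how many days each remaining item has been exposed against a policy SLA. The inventory, advisories and the 14-day SLA are constructed assumptions; a real run would read the inventory from your deployment tooling and the advisories from your vendors' feeds.

```python
"""Added example (not from the original article): a patch-lag report for the
components a portal runs on. All data below is constructed."""
from datetime import date

SLA_DAYS = 14  # assumption: policy says security fixes go live within two weeks


def parse_version(v: str) -> tuple[int, ...]:
    """Dotted numeric versions only; enough for the constructed data here."""
    return tuple(int(p) for p in v.split("."))


# constructed inventory: component -> installed version
INVENTORY = {
    "portal-framework": "2.4.1",
    "payment-sdk": "1.9.0",
    "openssl": "3.0.8",
}

# constructed advisory feed: (component, first fixed version, published date)
ADVISORIES = [
    ("portal-framework", "2.4.3", date(2024, 1, 10)),
    ("payment-sdk", "1.8.5", date(2024, 1, 20)),   # already fixed by 1.9.0
    ("openssl", "3.0.9", date(2023, 12, 1)),
    ("search-engine", "7.2.0", date(2024, 1, 25)),  # not deployed here
]


def patch_lag(inventory: dict, advisories: list, today: date) -> list[dict]:
    """Unpatched advisories affecting this inventory, longest exposure first."""
    report = []
    for comp, fixed, published in advisories:
        installed = inventory.get(comp)
        if installed is None:
            continue  # component not deployed on this portal
        if parse_version(installed) >= parse_version(fixed):
            continue  # already patched
        lag = (today - published).days
        report.append({
            "component": comp,
            "installed": installed,
            "fixed_in": fixed,
            "days_exposed": lag,
            "sla_breached": lag > SLA_DAYS,
        })
    return sorted(report, key=lambda r: -r["days_exposed"])


def worst_lag(report: list[dict]) -> int:
    """Headline number to compare with industry averages such as the 77.5 days cited above."""
    return report[0]["days_exposed"] if report else 0


if __name__ == "__main__":
    rep = patch_lag(INVENTORY, ADVISORIES, date(2024, 2, 1))
    for r in rep:
        flag = "SLA BREACH" if r["sla_breached"] else "ok"
        print(f"{r['component']:18} {r['installed']} -> {r['fixed_in']} "
              f"{r['days_exposed']:3d} days {flag}")
```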
4 Dos of B2B Portal Security
The third of the B2B security don’ts outlined above places some responsibility on your partners. Indeed, this should be one of the critical tenets when opening your systems to external entities. Therefore, some of the following “dos” relate primarily to the expectations you ought to set as a condition of access.
1. Do Insist Upon Seeing Your Partner’s Security Policy, or Sharing One
Before you grant access to your portal, you can get an idea of whether it’s the right move by insisting on a review of the partner’s cybersecurity policy. It’s reasonable to expect such a policy to include:
- Details of technical security measures
- Identification of responsibilities and accountabilities
- Assessment and audit protocols
A more collaborative approach would be to develop a shared security policy, which might be a unifying step to strengthen your most strategic business partnerships.
2. Do Execute Compliance Audits
As long as you are prepared to shoulder the expenses or have very benevolent partners, compliance audits should feature as a regular security measure. Any partner with integrity will be unafraid to let you inspect their security arrangements periodically, and will probably see it as being of mutual benefit. If you have the resources, you could conduct partner audits in-house, or otherwise hire an IT security company to do them for you.
3. Do Develop a Response Plan
Many enterprises overlook the importance of a security response plan, typically under a false sense of confidence that perimeter security is sound. A response plan can seem like overkill until an incident actually happens, and it is certainly not overkill when you are letting external businesses communicate with your systems.
Each partner that accesses your portal(s) adds the potential for unwanted incursions, so it makes good sense to be prepared for a successful attack or an accidental data leak. It’s also prudent to insist that your partners have response plans too.
4. Do Separate Your ERP and Online Portal with a Security Instance
If you integrate your ERP or CRM with your online portal or ecommerce store, the API between them could be a weak point, leaving you open to malicious attacks. By interposing a security instance between the two applications (an API gateway or integration layer that authenticates the portal, allowlists the message types it may send, and validates each message against a schema before forwarding it), you eliminate the direct link and control which messages can pass from the portal into your business systems. The portal itself should hold no credentials that reach the ERP directly, so a compromised portal can only send the messages the security instance is prepared to accept.
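A minimal security instance of that kind, as an added example that is not part of the original article or any vendor's product: the portal authenticates each message with an HMAC, only allowlisted message types are recognised, each sender may only use the types granted to it, and every body must match its schema exactly, so a compromised portal cannot smuggle extra ERP fields or call ERP operations the integration was never meant to expose. The message types, field names, keys and the forwarding stub are assumptions.

```python
"""Added example (not from the original article): a 'security instance'
between a B2B portal and an ERP. The portal never talks to the ERP; it sends
messages here, and only messages that pass every check are forwarded.
Message types, fields, identities and keys are constructed assumptions."""
from dataclasses import dataclass, field
import hashlib
import hmac
import json

# allowlist: message type -> required fields and their exact types
SCHEMAS = {
    "order.create": {"customer_id": str, "sku": str, "qty": int},
    "order.status": {"order_id": str},
}
# which portal identity may send which message types
GRANTS = {
    "portal-b2b": {"order.create", "order.status"},
    "portal-readonly": {"order.status"},
}
# per-portal shared keys (assumption; a real deployment would use mTLS or
# signed tokens from an identity provider rather than static keys)
PORTAL_KEYS = {"portal-b2b": b"k1-portal-b2b", "portal-readonly": b"k2-readonly"}


def sign(sender: str, body: dict, key: bytes) -> str:
    """HMAC over the sender name and a canonical JSON encoding of the body."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, sender.encode() + b"\n" + payload, hashlib.sha256).hexdigest()


@dataclass
class Gateway:
    forwarded: list = field(default_factory=list)
    rejected: list = field(default_factory=list)

    def handle(self, sender: str, msg_type: str, body: dict, mac: str) -> bool:
        key = PORTAL_KEYS.get(sender)
        # authenticate first so unauthenticated input never reaches the other checks
        if key is None or not hmac.compare_digest(mac, sign(sender, body, key)):
            return self._reject(sender, msg_type, "bad signature")
        if msg_type not in SCHEMAS:
            return self._reject(sender, msg_type, "unknown message type")
        if msg_type not in GRANTS.get(sender, set()):
            return self._reject(sender, msg_type, "sender not authorised for type")
        schema = SCHEMAS[msg_type]
        # exact field set and exact types: no extra ERP parameters pass through,
        # and bool is rejected where int is required because type() is compared
        if set(body) != set(schema) or any(type(body[k]) is not t for k, t in schema.items()):
            return self._reject(sender, msg_type, "schema violation")
        if msg_type == "order.create" and not 0 < body["qty"] <= 10_000:
            return self._reject(sender, msg_type, "qty out of range")
        # erp_client.send(msg_type, body) would go here; recorded for inspection
        self.forwarded.append((msg_type, body))
        return True

    def _reject(self, sender: str, msg_type: str, reason: str) -> bool:
        self.rejected.append((sender, msg_type, reason))  # feed this to your SIEM
        return False


if __name__ == "__main__":
    gw = Gateway()
    good = {"customer_id": "c1", "sku": "A-100", "qty": 5}
    print(gw.handle("portal-b2b", "order.create", good, sign("portal-b2b", good, PORTAL_KEYS["portal-b2b"])))
    smuggled = dict(good, price_override=0)
    print(gw.handle("portal-b2b", "order.create", smuggled, sign("portal-b2b", smuggled, PORTAL_KEYS["portal-b2b"])))
    print(gw.rejected)
```

The reject log is as important as the forwarding path: a burst of "schema violation" or "unknown message type" entries from one partner's portal is exactly the early signal the response plan in the next section should be built around.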
Only Let the Right Ones In
There’s no doubt about the value that B2B portals can offer your enterprise. However, a portal with security issues might prove a costly liability—one that could hurt your partners and customers as well as your own business.
Equally, your partners’ security shortfalls could be the source of much pain for your company if you don’t protect your portal effectively. Therefore, the onus is on you to use any practical method available to ensure the integrity of digital communications and transactions.
Wherever possible, this requires a persuasive and collaborative slant to security discussions with partners. In some cases, insistence and enforcement, too, may be necessary.