

B2B Security

How to Practice Safe B2B

17.06.2002
By Eric Berkman

Encryption
Experts and practitioners say companies should require their partners to use encryption for any sensitive information--customer data, marketing strategy, labor relations and unreleased financials--transmitted over the Internet. The Federal Reserve is constantly dealing with financial information, so Wade requires anything transmitted between the Fed and its financial and banking partners to be properly secured.

At J.P. Morgan Treasury Services in New York City, Joe Calaceto, who heads up security as vice president and technical director, requires varying levels of encryption of customer information such as account numbers and beneficiary names and addresses.

Gaffney says Staples requires its B2B partners to encrypt all Internet transmissions, but he doesn't require encryption for transmissions sent over private networks. "That would be overkill, since one of the reasons we're paying a premium for a private connection is for its security," he says.

Response Plans
DeMaio says the response plan is where to expect resistance from partners. Most companies focus on perimeter defense because it's sexy, but once they think nobody can get in, detailed response plans seem like overkill. That is a mistake, and you shouldn't let your partners get away with it, says DeMaio. "Too many organizations will simply fade and say, 'OK, you don't have to do it.'"

DeMaio adds that partners should provide a detailed description of their attack response plan--and it should be designed around specific systems, not generic boilerplate from books and manuals.
