The security of its corporate content can make or break Topps. While its actual product—limited edition baseball, football, and hockey cards—is physical, most of its buyers never take possession of its products. You see, for Topps collectors, it's not about owning the cards; it's about buying and selling them on eBay. "It's all about speculating on the performance of the player," says director of Internet technology Bill Blair. "Once you take delivery of a card, there's not much of a market for reselling it."
Topps might print as few as 100 copies of a card; buyers have the opportunity to buy only a certain number of cards during a one-week period. Only around ten percent of buyers take possession of the cards; most allow Topps to warehouse their portfolios. While Topps sells the cards for $4 to $12.50, the price of a card can zoom sky high if the player it represents has a great season. Trades at $500 are not uncommon. As collectors buy and sell cards, Topps keeps track of the transfers using proprietary software.
Here's where things could get dicey. "We're exposed, in that all the assets are held digitally," Blair says. "If someone were to get into our database, they could transfer cards to their portfolio or take delivery of them."
Topps employs a security consultant that watches network traffic. They see attempted hacks all the time, Blair says, "but we have all the standard protections." For Topps, the standard network security strategies are just the beginning. Topps uses a content delivery system that serves static Web content directly from storage, while combining network acceleration with integral security. Removing the Web server from the transaction chain means the server cannot be attacked via those transactions. At the same time, Blair says, the hardware handles encryption for credit card information, making the process faster and also more secure. Too often there's a trade-off between security and Web site function, but the acceleration/security combo gives Topps the best of both worlds. "Sometimes people are reluctant to encrypt parts of their site because it slows things down," Blair says. But with this strategy, "We can encrypt the entire buying process."
The security of customer information and customer-facing applications has gotten plenty of attention, thanks in part to some spectacular gaffes. But only a few leading-edge enterprises have implemented content security practices within the organization. And that's a problem. "Someone may mount a DOS attack against your customer-facing Web site," says Adhaero's U.S. director of technology and vice president of business development, James Sinclair, "but at the end of the day they're not walking away with trade secrets." The exposure to significant dollar losses comes from theft of internal information, Sinclair says, "because that's where all the real content is."
While companies spend millions of dollars on security for the servers and mainframes that house their raw data, he says, they tend to ignore the truly valuable data: data that has been qualified, quantified, analyzed, and placed into a recognizable form such as a spreadsheet.
In fact, according to Sinclair, there's an epidemic of Napster-like file swapping going on within the enterprise. With the advent of productivity suites such as Microsoft Office, Sinclair says, "employees' data shifted from the central server model to the peer model, in which employees have full control of documents they write, edit, and distribute."
Research firm Gartner estimates that around 60 percent of all "security incidents" are related to insiders; Sinclair would put that number closer to 80 percent. It's not just theft of content or IP, according to Gartner analyst Ray Wagner. "There's stealing stuff, there's publicizing information, there's destroying documents." With new privacy regulations such as the Health Insurance Portability and Accountability Act, corporations must be able to prove that no unauthorized employee has even peeked at a sensitive document like an employee evaluation or patient health record. Yet, according to Wagner, Gartner has seen little deployment of intra-enterprise content security and digital rights management.