Trouble from Within: The Security Risk Posed by Your Business Partners
One of my favorite episodes of Freakonomics Radio concerns a diner at the Manhattan branch of the high-end organic restaurant chain Le Pain Quotidien, who finds a deceased field mouse in her salad. As often happens on Freakonomics, this revolting tale begets an interesting discussion of economics: from the role of "anchoring" in shaping pricing behavior to the challenge of scaling a small business to a national or global one.

In the case of Le Pain Quotidien, the incident was a lesson in risk management for the company, which had grown quickly from its first store in Belgium to a global chain with 150 locations in 16 countries. As it happens, dead bugs and rodents finding their way from the organic farm to a customer's plate was an unfortunate, but acceptable, risk for the restaurant's management.

For me, the story nicely illustrates an important lesson of 21st century business. Namely: the actions of your suppliers and business partners (even small ones) can have an outsized influence on your company's reputation and the bottom line.

Today, companies operating in many industries face the prospect of customers having a (virtual) "mouse in the salad" moment every day. The mouse comes in the form of customer data loss or theft, hacking, DDoS attacks and other online ills. As with Le Pain Quotidien, the source of the risk often resides outside the organization that is most affected. It can be found in the complex integration of enterprise networks and data with those of business partners, suppliers and SaaS application providers.

One example: In March of this year, Bank of America (BAC) confirmed that a hack of third-party security firm TEKsystems was the source of a leak of internal e-mails that documented the company's monitoring of hacktivist groups, including Anonymous. (This came after a similar 2011 Anonymous attack on another BoA contractor, the cyber-forensics firm HB Gary.)

Then, in August, an Australia-based domain name registrar used by the New York Times and Twitter (TWTR), among others, had visitors to those web properties redirected to propaganda pages for the Syrian Electronic Army, a hacktivist group.

These incidents suggest that we inhabit a business environment in which data has become "liquid", for lack of a better term. It flows within the boundaries marked by your corporate firewall. But it also permeates that boundary in ways that are difficult to predict or control.

Mobile devices put access to enterprise resources in our pocket and, therefore, into the back seat of a taxicab. Contractors use VPNs to access critical back-end systems from dodgy home networks. Enterprise cloud applications, like Salesforce.com (CRM) and Workday (WDAY), siphon sensitive information from company-managed IT assets to cloud-based servers that we do not control.

If networks 10 or 15 years ago were "gated communities" in which access was strictly controlled, you can think of today's networks as suburban shopping malls, with many points of entrance and egress for individuals of all stripes.

Today, enterprises can choose from a long list of sophisticated detection and monitoring tools. Still, most have no idea what normal network behavior looks like, nor do they have a way to easily measure the security and integrity of their infrastructure partners, suppliers and business partners.