Bob Warren, vice president and treasurer of $2.5 billion Diebold Inc., knew that the more his North Canton, Ohio-based company relied on the Internet to automate transactions, the more risk of interception and fraud it would have to assume. But Warren didn't want to wait for the inevitable and has set out to beat the hackers before one fraudulent keystroke is attempted. His initial weapon of choice: digital certificates that will help ensure that, in any transaction, the entity Diebold is dealing with and the entity it thinks it is dealing with are one and the same.

Together with IdenTrust, a San Francisco-based identity authentication provider, Warren and his treasury team are working on a multi-factor authentication strategy using smart cards, which contain a user's digital credentials, in addition to the customary use of PINs and passwords to access an Internet-based ATM network. Diebold recently installed new encryption software in its information systems to reduce e-mail interceptions. "At the pre-financial transaction level, where there is a lot of information exchange taking place, there is the risk that an e-mail with wire instructions on it will be hijacked," Warren says. "We don't want an interceptor to modify the e-mail by creating new wiring instructions that send money to the interceptor's account."

But Warren hasn't stopped there. He has also begun to work closely with banks to determine Diebold's vulnerability to online fraud and identity theft. "The need to control the security of financial transactions grows by the day," says Warren. "We're so serious about [banks' security measures] that we're thinking about sending our internal audit people into the banks to do a security audit proving the transactions are secure."

Over the top, you say? Not if the statistics about online fraud against companies are accurate. A 2006 corporate security survey of 73 of the largest global banks and financial services and insurance companies, conducted by Deloitte & Touche, indicates that 78% reported a security breach from outside the organization in the previous year, up from only 26% in 2004. Equally concerning, the Deloitte study warned that the criminal profile of hackers is changing to well-funded organized crime rings looking for (and finding) substantial financial payoffs. In short, "random acts of vandalism have been replaced by purposeful, targeted [criminal] acts," the study concludes.

And the more companies automate processes using the Web, outsource transactions, offer remote access to employees and stray farther afield to create supply chains, the more susceptible they become to hackers. "Many companies have enabled their employees, customers, partners and suppliers to connect to their enterprise networks, making them more vulnerable than ever," says Maria Lewis Kussmaul, founding partner of America's Growth Capital, a Boston-based growth research and investment bank, which has completed 16 transactions in the security sector in the last three and a half years. "Providing critical applications, services and data to this extended enterprise has greatly increased the risk of network infiltration and information theft."

But while Warren is hardly alone in his fears, for a change he is not alone in his efforts to minimize the problem–and the demand has produced a cottage industry dedicated to corporate identity risk management. The Radicati Group, a Palo Alto, Calif.-based technology research firm, estimates that this market reaps about $1.2 billion in worldwide revenues at present, and will top $8.5 billion by 2008. That's a sizable leap, but not a surprising one: The Deloitte study notes that 55% of respondents have a fully deployed identity management solution, and another 30% are piloting or planning to deploy one over the next 18 months. For global trading partners, the technology provides "a means of authenticating companies that are in places that don't have the same controls in place that we do in the U.S., such as credit bureaus, to determine if the company is financially healthy," says Andrea Klein, chief marketing officer of IdenTrust. "Not every country has the same infrastructure we do in terms of protecting or reporting on companies."

The range of authentication technologies includes hardware tokens and smart cards; biometric identifiers, such as fingerprint, iris and voice scans; bank-issued passwords that can be used only once; and multi-factor authentication tools that combine the above with digital certificates and a public key infrastructure (PKI). Digital certificates, considered among the more foolproof methodologies, involve the electronic exchange by two or more parties of credentials, backed by mathematical algorithms, that authenticate the identities of the other parties. To ensure a secure transaction, the digital certificate relies on a PKI, which involves the use of two "keys"–a particular company's public key, which is viewable on the Internet, and a private key, which only the user has. The National Institute of Standards and Technology recently recommended the combination of PKI and a digital certificate stored in a hardware token as the strongest means of thwarting identity theft.
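To make the mechanism concrete, here is an added example (not code from the article or from any company it names) in which a certificate authority issues a signer certificate, the signer signs a wire instruction with its private key, and the recipient accepts the instruction only if the certificate chains to a trusted root and the signature matches. The Ed25519 keys, the in-memory CA, and all names and account numbers are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a key pair and a certificate for name; a nil parent yields a self-signed root.
func issue(name string, parent *x509.Certificate, caKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: name}, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, caKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, caKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above
	return cert, key
}

// verifyInstruction accepts msg only if cert chains to a trusted root and sig matches cert's key.
func verifyInstruction(roots *x509.CertPool, cert *x509.Certificate, msg, sig []byte) bool {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return false
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	return ok && ed25519.Verify(pub, msg, sig)
}

func demo() (genuine, modified bool) {
	root, rootKey := issue("Constructed Root CA", nil, nil) // constructed CA, trusted by the recipient
	roots := x509.NewCertPool()
	roots.AddCert(root)
	signer, key := issue("Constructed Treasury Signer", root, rootKey)
	msg, forged := []byte("WIRE 10000 TO ACCT 111"), []byte("WIRE 10000 TO ACCT 999") // constructed
	sig := ed25519.Sign(key, msg) // private key never leaves the signer
	return verifyInstruction(roots, signer, msg, sig), verifyInstruction(roots, signer, forged, sig)
}

func main() { fmt.Println(demo()) } // true false
```

The modified instruction fails because the signature covers the exact bytes of the original message; an interceptor who rewrites the account number cannot produce a matching signature without the signer's private key.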

Technology alone will not curb the incidence of the crime or encourage further global supply chain integration, however. "There is a real need for interoperable standards in the identity space," says John Pescatore, vice president for Internet security at Gartner Inc. "It is one thing if Wal-Mart, Ford or DuPont tells its supply chain, 'Here is how you integrate with me.' They're big enough to force their vendors to use whatever identity technology they insist upon. But global vendors tend to supply more than one or two companies. While there is definite demand for strong authentication to support supply chain integration, the lack of agreed-upon standards for interoperability is an impediment." He notes that many procurement executives have so many ID tokens to communicate and transact with corporate buyers that it's "a veritable necklace."

Authentication risks are nothing new to corporate treasurers; the difference is their new form. "We've essentially exchanged one set of risks from the paper-based transactional environment for another set of risks in the Internet transactional environment," says Sarah Jones, who until the end of November was treasury director of Europe, Middle East and Africa operations for Hewlett-Packard Co.

Jones is now the CEO of SCF Capital, a London-based supply chain financing company, where she must wrestle with the transactional security of many companies. But for the 22 years before, she worked on ensuring that the supply chain needs of the Palo Alto, Calif.-based technology company were met. "The opportunities in the digital world to reap cost savings through greater processing efficiency are too big to ignore, and far outweigh the risks," says Jones. "In the paper world, if you have a supplier on 45-day payment terms, you think you can go into your ERP system and get 45 days of payment information, but this is not usually the case. The reality is that it can take many days to get that invoice information into your ERP system because of delays in the postal systems or time taken for dispute resolution–and [every day] is a potentially lost opportunity when it comes to the planning and investment of cash. For a treasurer, electronic exchange of financial supply chain data ensures many more days of future cash flow information."

With approximately 1,700 bank accounts around the world, the risk of online document interception for HP is significant. Once sent over the Internet, financial information is vulnerable to theft by hackers and criminal organizations or misappropriation by HP's competitors. Like many organizations seeking efficiencies in financial information processing, HP gradually incorporated automated paperless systems, such as electronic invoicing and electronic funds transfer. HP also outsources several finance functions, such as accounts receivable and accounts payable, to offshore locations.

Like Diebold, HP turned to its banks–in this case, Citigroup–and IdenTrust to digitize its bank account opening, closing and maintenance processes and develop message standards using digital certificates to authenticate signatories. "This way, when a corporation electronically exchanges its banking details with another corporation, the information is sent in a secure way that verifies that the details are, indeed, the real thing," says Jones.

Not all companies are as eager to acquire the benefits of electronic information processing and transactions, given the associated risks. Many smaller companies are in this category. In a recent survey by the Economist Intelligence Unit and IdenTrust of companies with less than $500 million in revenue, one third of the respondents cited "theft of proprietary or competitive information" as the greatest risk impeding Internet-based financial information flows. Despite the concerns, IdenTrust's Klein says some companies proceed anyway to remain competitive. "Most people go in and keep their fingers crossed," she says. "They take the risk and hope for the best."

But smaller companies could be giving up considerable savings in the effort to avoid Internet fraud. "The attributes contained in a digital identity could allow a transaction like an invoice to be more easily financed," SCF's Jones explains. The digital certificate "essentially authenticates and authorizes the invoice and could act as the confirmation that the invoice is undisputed," she says. "Through that process, it is possible to turn an invoice into a marketable instrument that can be financed."

And even better, at lower cost. "A small supplier with a marginal credit rating that sells something to a multinational corporation with a higher credit rating can leverage the larger company's credit rating," explains Lorenzo Martinelli, executive vice president of E2open, a Redwood City, Calif.-based software-as-a-service company. "In a paper-based environment, a supplier ships the goods to the buyer, who waits 60 to 90 days or so to pay. In an electronic environment, a bank could provide the payment to the supplier immediately, based on the promise of the buyer to pay. This way the supplier doesn't have to take the receivable to its own bank to receive credit, since the credit risk is now the buyer's. The key is to synchronize and validate the electronic transactions between the companies."

Consequently, identity authentication can be more than a means to thwart criminals; it can actually produce impressive returns on a company's investment.
