Are your own employees a bigger threat than hackers?



NIIT: How can the management sensitize employees in the usage of
information and its value?

Coca-Cola: I think this is not just a valid point, but it is
imperative that senior management gets involved in security. Security really
forms a very large circle or cycle in which you have enterprise systems and you
have company employees actually using information. It also goes to the extent of
training your employees on what is the information that they need to share and
at what level. With this process in place, everyone feels empowered, everyone
understands what is his responsibility and everyone is accountable. When each
employee understands his accountability, the organization has taken care of
security threats to a great extent.

Cisco: Have any of you carried out evaluations to weigh the benefits of
using the Internet? If not, is it lack of awareness of security systems on the
Net that stops you from opting for web-based solutions?

NTPC: We have put up two applications on the web and on both counts,
we evaluated them in the beginning to reflect the savings. We started off by
putting tender notices on our website and we did some brisk internal
calculating. Earlier, these tenders used to be published in dailies, costing us
crores. Now, we give a small tender referring them to a website on a particular
tender number, and we get about 30 tenders on our site www.ntpc.co.in. We are
also planning a new site called www.ntpctenders.com.
Another thing we are doing is e-procurement. In a large organization like NTPC,
which is scattered all over the country, a typical phenomenon is that the same
vendor quotes different rates for the same item. The management, therefore,
decided that this could be avoided by going in for collective procurement
through the Net. We want to do away with all our paperwork using our WAN and we
are studying what security mechanisms will be required for complete automation.

H-P: Is there a need for preventing people from accessing information and
taking security as a threat mitigation strategy? Or can we allow people to
access information and still be secure?

Alstom: I agree that information should be made available to
everybody, but the right information should be made available to the right
person. How are you going to ensure that the information being provided to a
person is the right one and what if it falls into the wrong hands? It can be
misused. That is the only concern. Otherwise, I don’t think any organization
would like to hide information from its employees.

Coca-Cola: I think defining a security policy is not about hiding
information from people; it is about providing the right kind of information to
the right people at the right time. As a fallout, if some other people don’t
get the information at all, so be it.

Microsoft: The paradigm has now changed because of the Internet. We
need to have closer partnerships with our trading partners, better supplier
integration–have a streamlined process. The best thing that is happening is
the empowerment of the employee in the organization, because this is something
that is internal to your organization and you can start testing your IT
infrastructure and security. The Intranet, for instance, is a great place to
start and provide information internally. You can extend it to your suppliers in
the second phase and see how far you can take it. The third step would be to
take it to customers. Organizations that can drive partnerships closely in this
new economy, can empower their employees and extend it out to the customers too
will be the ones that gain the most out of the new economy.

MUL: We have an auto exchange coming up, where competitors will team
up and share information. There are seven of us already in this group and we are
utilizing our individual strengths for mutual benefit. For instance, Telco is
our competitor in the mid-sized car segment, but we have teamed up to reach out
to our suppliers to strike better deals. Again, while buying steel, we go
together to get better rates. Changes in the new economy are driving
collaborations of these kinds to success.

Does Indian law provide the enterprise redressal when
something goes wrong?

MUL: I am part of the CII team that is working on
advising the government on what changes are required in the law with regard to
e-business. What cyber-laws do, in short, is to legalize documents of the two
companies that are interacting. But again, this is not legal until your
chartered accountants and certifying authorities are in a position to do it.
Till the time we have a certifying authority, cyber-laws do not hold any good
and any business that I do on the Net is at my own risk. Ultimately, we have to
take care of our own security, the laws at best are only a deterrent–they help
reduce the number of breaches but they can’t reduce the quality of security
that we need to have in our organizations.

A DQ report

 
