SECURITY: The Danger Is Real

DQI Bureau

The myth that India is not yet computerized enough to worry about IT security is fast disappearing. It is not only pertinent to have a clear security policy in place; it is also time to take stock of the wreckage that has already occurred. A recently conducted PwC-CII IT security survey revealed that of the 60% of organizations that reported problems due to a breach of security, 21% have recorded an actual loss in revenue. It is interesting to note that about 58% of the organizations have still not been able to quantify the loss. "Till recently the industry believed that actual problems are much less than the perception. But they need to understand that this is not something that would not hit them. Damages in terms of cash loss, information loss and others have already happened," says Neel Ratan, head, operations and risk management, PricewaterhouseCoopers.

The security scenario in India can best be termed as grim, with half the organizations working with an “informal policy”

While the new economy has created a better workflow through improved means of communication and technology, the IT revolution has come with its own dangers. With increasing automation of business processes and networking of systems, security breaches are now becoming common among Indian companies. Although awareness about the issue has set in, stringent measures have not yet been taken. Only 5% of the survey respondents reported a revenue loss of over Rs 5 million. Ratan explains that this is not because Indian companies are less prone to losses, but because most of them have not been able to figure out the actual amount of damage or the reasons behind those damages.

Security breaches

Among the security breaches that usually affect organizations, proliferation of viruses and the resultant service outages or loss of revenues are some of the major concerns across the world. The present measures taken up by corporates are not adequate to prevent virus attacks or detect security breaches. Ratan points out that most companies install a firewall and believe that they have secured their systems, but they don’t realize that the system has to be configured properly to achieve optimum results. "Lack of understanding of technology is a big drawback. The fact is that most people have only been able to exploit only 10% of their firewall systems," he says.

Poor tracking mechanisms plague organizations: causes for half the security breaches couldn’t be traced. A “CISO” becomes important in such a scenario

Apart from viruses, the other major reasons for security breaches could be manipulation of software, data or programs, unauthorized entry, theft of data and fraudulent or illegal use of material. Although most Indian companies are realizing the need to install proper detection systems, as of now they still depend on information from employees, or collect data after the material damage is already done. "The bulk of security breaches are identified by the problems they cause. The use of preventive techniques such as firewalls or intruder detection systems in India is still only one-third as compared to organizations globally," says Ratan.

Another security danger that has come to notice relates to employees moving to competing organizations. People in key positions usually have access to all critical data that can be misused by a competitor. According to Ratan, this is a problem which is usually difficult to identify, but can be prevented through stringent in-house security policies. "The technology, to make sure that critical plans of the company are not leaked, is available," he says.

Identifying the culprit

Whether globally or in India, most companies see identifying culprits as a major problem. The fact that over 48% of the surveyed organizations that faced a security breach could not identify the culprit reflects the lack of adequate security detection measures. 23% of the companies believed that it was carried out by a hacker or terrorist, 26% believed authorized/unauthorized users of the system to be the prime suspect and only 8% found former employees to be the culprits.

The Internet, while improving the reach and productivity of an organization, also bares its vital data to millions of other Net users. Poorly defined security policies can only compound such risks

One of the major reasons that have led to security issues is the pace of changing technology. In a hurry to deploy the latest techniques, security concerns seem to have taken a backseat. Says Ratan, "In an eagerness to keep up with the dot-com boom, most companies have hurriedly created huge infrastructures without ensuring their security. They usually feel they can tackle it later, but this attitude can be very dangerous." The survey indicates that 50% of the companies selling via Web sites reported a revenue loss, as compared to only 25% of other companies reporting the loss.

Complexity of technology (22%) and lack of trained manpower to effectively implement and monitor security for systems (20%) are among the other barriers to implementing security. Although high costs of security-related hardware and software have constrained IT managers in allocating adequate budgets for effective security set-ups, it has been observed that lack of understanding of technology is a greater constraint. Sometimes an attempt to get hurried and cost-effective benefits from IT also results in hampering security.

Realizing the importance of security, some organizations have started making efforts in this direction, but most of them are restricted to the "quick wins" or basic security solutions. Those security implementation measures that rank higher on the technology curve, like intruder detection tools, penetration testing, encryption technologies and formal security architectures, have been used by very few organizations. However, one good thing is that most of the organizations are focussing on increasing end-user awareness (61%), implementing access controls (59%) and increasing security reviews or assessments (45%).

Lack of security policies

Although the awareness regarding the criticality of IT security seems to be increasing, a large number of organizations still need to have clearly defined security policies. "It is obvious that organizations with well-documented security objectives and policies have been more successful in implementing them as compared to those with informal policies," says Ratan. While 74% of the respondents in the survey stated that information security was a high priority for their businesses, the sentiment was not reflected in the quality of their security policies. Less than one-fifth of the total companies had a complete description of the security measures while 57% of the companies had an informal policy or no policy at all.

In a bid to win in a highly competitive environment, companies are spending heavily on innovation and technology, but the budgets allocated for ensuring information security have been astonishingly low. Ideally, an organization that does business over the Net needs to allocate at least 15% of its spending to security. But the survey indicated that a high number of corporates (54%) reported a spending of less than Rs 0.5 million, while another 32% spent only Rs 0.5-1 million.

Another trend observed in Indian companies was their inability to treat the security of knowledge as a separate function. It was clubbed with the functions of either a CEO or a CIO. This is reflective of a low security priority as compared to the developed markets, where most of the organizations have dedicated chief information security officers (CISOs), who design and implement information security measures. In India, the CISO is not even a prevalent post. In most cases (38%), the security policies are determined by CEOs, closely followed by CIOs (37% of cases).

"The growing need for more comprehensive security measures will drive more corporates to establish formal CISO positions. The activities of a CEO or CIO have to be differentiated from the functions of a security officer," says Ratan.

As businesses move towards collaboration and as the Internet is increasingly used for important functions like supply chain and content management, the need to exercise caution is even greater. With e-commerce becoming a reality, more and more monetary transactions will be conducted over the Web, which can lead to more financial losses if the right security mechanisms are not in place. The onus ultimately lies on individual organizations to wake up to the reality and face the challenges.

SHWETA VERMA in New Delhi