The myth that India is not yet computerized enough to worry about IT security
is fast disappearing. Not only has it become pertinent to have a clear security
policy in place, it is also time to take stock of the wreckage that has already
occurred. A recently conducted PwC-CII IT security survey revealed that of the
60% of organizations that reported problems due to breach of security, 21% have
recorded actual loss in revenue. It is interesting to note that about 58% of the
organizations have still not been able to quantify the loss. "Till recently
the industry believed that actual problems are much less than the perception.
But they need to understand that this is not something that would not hit them.
Damages in terms of cash loss, information loss and others have already
happened," says Neel Ratan, head, operations and risk management,
PricewaterhouseCoopers.
While the new economy has created a better workflow through improved means of
communication and technology, the IT revolution has come with its own dangers.
With increasing automation of business processes and networking of systems,
security breaches are now becoming common among Indian companies. Although
awareness about the issue has set in, stringent measures have not yet been
taken. Only 5% of the survey respondents reported a revenue loss of over Rs 5
million. Ratan explains that this is not because Indian companies are less prone
to losses, but because of the fact that most of them have not been able to
figure out the actual amount of damage or the reasons behind those damages.
Security breaches
Among the security breaches that usually affect organizations, proliferation
of viruses and the resultant service outages or loss of revenues are some of the
major concerns across the world. The present measures taken up by corporates are
not adequate to prevent virus attacks or detect security breaches. Ratan points
out that most companies install a firewall and believe that they have secured
their systems, but they don’t realize that the system has to be configured
properly to achieve optimum results. "Lack of understanding of technology
is a big drawback. The fact is that most people have been able to exploit
only 10% of their firewall systems," he says.
Apart from viruses, among the other major reasons for security breaches could
be manipulation of software, data or programs, unauthorized entry, theft of data
and fraudulent or illegal use of material. Although most Indian companies are
realizing the need to install proper detection systems, as of now they still
depend on information from employees, or collect data after the material damage
is already done. "The bulk of security breaches are identified by the
problems they cause. The use of preventive techniques such as firewalls or
intruder detection systems in India is still only one-third as compared to
organizations globally," says Ratan.
Another danger to security that has come to notice is related to employees
moving to competitive organizations. People in key positions usually have access
to all critical data that can be misused by a competitor. According to Ratan,
this is a problem which is usually difficult to identify, but can be prevented
through stringent in-house security policies. "The technology, to make sure
that critical plans of the company are not leaked, is available," he says.
Identifying the culprit
Whether globally or in India, most companies see identifying culprits as a major
problem. The fact that over 48% of the surveyed organizations that faced a
security breach could not identify the culprit reflects the lack of adequate
security detection measures. 23% of the companies believed that it was carried
out by a hacker or terrorist, 26% believed authorized/unauthorized users of the
system to be the prime suspect and only 8% found former employees to be the
culprits.
One of the major reasons that have led to security issues is the pace of
changing technology. In a hurry to deploy the latest techniques, security
concerns seem to have taken a backseat. Says Ratan, "In an eagerness to
keep up with the dot-com boom, most companies have hurriedly created huge
infrastructures without ensuring their security. They usually feel they can
tackle it later, but this attitude can be very dangerous." The survey
indicates that 50% of the companies selling via Web sites reported a revenue
loss as compared to only 25% of other companies reporting the loss.
Complexity of technology (22%) and lack of trained manpower to effectively
implement and monitor security for systems (20%) are among the other barriers to
implementing security. Although high costs of security-related hardware and
software have constrained IT managers in allocating adequate budgets for
effective security set-ups, it has been observed that lack of understanding of
technology is a greater constraint. Sometimes an attempt to get hurried and
cost-effective benefits from IT also results in hampering security.
Realizing the importance of security, some organizations have started making
efforts in the direction, but most of them are restricted to the "quick
wins" or basic security solutions. Those security implementation measures
that rank higher on the technology curve, like intruder detection tools,
penetration testing, encryption technologies and formal security architectures
have been used by very few organizations. However, one good thing is that most
of the organizations are focussing on increasing end-user awareness (61%),
implementing access controls (59%) and increasing security reviews or
assessments (45%).
Lack of security policies
Although the awareness regarding the criticality of IT security seems to be
increasing, a large number of organizations still need to have clearly defined
security policies. "It is obvious that organizations with well-documented
security objectives and policies have been more successful in implementing them
as compared to those with informal policies," says Ratan. While 74% of the
respondents in the survey stated that information security was a high priority
for their businesses, the sentiment was not reflected in the quality of their
security policies. Less than one-fifth of the total companies had a complete
description of the security measures while 57% of the companies had an informal
policy or no policy at all.
In a bid to win in a highly competitive environment, companies are spending
heavily on innovation and technology, but the budgets allocated for ensuring information security have been astonishingly low.
Ideally, an organization that does business over the Net needs to allocate at
least 15% of its spending on security. But the survey indicated that a high
number of corporates (54%) reported a spending of less than Rs 0.5 million,
while another 32% spent only Rs 0.5–1 million.
Another trend observed in Indian companies was their inability to
differentiate the security of knowledge as a separate function. It was either
clubbed with the functions of a CEO or CIO. This is reflective of a low security
priority as compared to the developed markets where most of the organizations
have dedicated chief information security officers (CISOs), who design and
implement information security measures. In India, the CISO is not even a
prevalent post. In most cases (38%), the security policies are determined by
CEOs, closely followed by CIOs (37% of cases).
"The growing need for more comprehensive security measures will drive
more corporates to establish formal CISO positions. The activities of a CEO or
CIO have to be differentiated from the functions of a security officer,"
says Ratan.
As businesses move towards collaboration and as the Internet is increasingly
used for important functions like supply chain and content management, the need
to exercise caution is even greater. With e-commerce becoming a reality, more
and more monetary transactions will be conducted over the Web, which can lead to
more financial losses if the right security mechanisms are not in place. The
onus ultimately lies on individual organizations to wake up to the reality and
face the challenges.
SHWETA VERMA
in New Delhi