When Vijay Prasad, a systems analyst with an MNC, reached his office, his
colleague told him that the CIO wanted to see him. Assuming it was a routine
meeting, Prasad met the CIO, who handed him a bunch of e-mail printouts
containing confidential company information. Prasad was shocked to see that
all these e-mails had been sent from his official e-mail ID without his
knowledge. Taking his sound track record into consideration, the company let him
off with a warning. However, an investigation into the security breach was
ordered.
As the world becomes increasingly wired, a new dimension in security is
threatening organizations across the globe: a security threat from within the
company. It is an issue that is hard to digest, but one that companies have to
grapple with.
A breach of security from within the organization could be deliberate, or it
could result from negligence or ignorance. Most companies deal very sternly with
instances of deliberate security lapses. Among the drivers for deliberate
hacking are negative appraisal ratings, settling scores and aiding and abetting
competitors.
Keeping a Check
Given this scenario, companies are devising employee
surveillance mechanisms to protect their digital assets. Observes S Balu,
executive director, Ford Information Services India, "Organizations should
keep a check on employees by effectively communicating the security guidelines
and policies through robust internal control processes. Employees should also be
made aware of the repercussions in the event of a security violation."
Meanwhile, companies like Cognizant Technology Solutions have
put in place a Corporate Security Group (CSG) to address wide-ranging security
issues. Says K. Chandrasekaran, GM, Networking and Systems Support, Cognizant,
"CSG looks into various threats from the organizational standpoint. We
have clearly defined policies on the level and duration of access to information
across levels in the company. We have three defined security levels. For
instance, all employees have access to generic data. Information on estimation,
proposals and other sensitive data can only be accessed by managers and above.
Project-level information can be accessed only by the people in the respective
projects and not by others."
While companies are devising ways and means to curb security
breaches, let us look at some of the threats arising out of
carelessness and ignorance. A major problem most companies face is
unattended, logged-in PCs. This often lets unauthorized users trespass on
the network. Says R S Vasan, AGM Material Planning and ISD,
Sundaram Clayton, "A logged-on PC left unattended is a potential threat to
data integrity. These kinds of things happen mainly because of the users' lack of
awareness."
The second common threat is the misuse of passwords. In
companies where PCs are shared between groups, managing passwords
becomes a difficult task; it is most likely that everyone knows the password.
Hence, a password policy that specifies a minimum length and a validity period,
supported by strong authentication techniques, will help curb security
lapses. Observes Vasan, "We ensure that password security is
maintained by all employees. Employees are constantly educated on this."
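The password policy the paragraph above calls for (minimum length, a validity period, and a way to catch the "group password everyone knows" on a shared PC) can be enforced and audited in code. The following is an added example, not tooling from any of the companies quoted in the article; the thresholds, the PBKDF2 parameters, the user names and the dates are all constructed for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import date, timedelta

# Policy thresholds are assumed values for this example, not figures from
# the article: minimum length and maximum validity (age) of a password.
MIN_LENGTH = 12
MAX_AGE_DAYS = 90
PBKDF2_ROUNDS = 100_000


@dataclass
class Account:
    user: str
    password_set_on: date
    salt: bytes
    digest: bytes


def derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest; the password itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def validate_new_password(password: str, user: str) -> list[str]:
    """Return the policy violations for a proposed password (empty list = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if user.lower() in password.lower():
        problems.append("contains the user name")
    classes = sum((
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ))
    if classes < 3:
        problems.append("uses fewer than three character classes")
    return problems


def set_password(user: str, password: str, today: date) -> Account:
    """Create or reset an account, enforcing the policy at the point of change."""
    problems = validate_new_password(password, user)
    if problems:
        raise ValueError(f"{user}: " + "; ".join(problems))
    salt = os.urandom(16)  # per-user salt, so equal passwords give different digests
    return Account(user, today, salt, derive(password, salt))


def verify(account: Account, password: str) -> bool:
    """Constant-time comparison of the stored digest against a login attempt."""
    return hmac.compare_digest(account.digest, derive(password, account.salt))


def expired_accounts(accounts: list[Account], today: date) -> list[str]:
    """Users whose password is older than the validity period and must rotate."""
    limit = timedelta(days=MAX_AGE_DAYS)
    return [a.user for a in accounts if today - a.password_set_on > limit]


def accounts_sharing(accounts: list[Account], candidate: str) -> list[str]:
    """Audit helper for the shared-PC problem: because salts differ, a shared
    password cannot be spotted by comparing digests, so test a suspected
    group password against every account and report all that accept it."""
    return [a.user for a in accounts if verify(a, candidate)]


def demo() -> dict:
    """Constructed sample: three accounts on a shared PC, two of which use the
    group password everyone knows, one of them set longer ago than MAX_AGE_DAYS."""
    today = date(2024, 6, 1)
    accounts = [
        set_password("analyst1", "Group-Pass-2024", today - timedelta(days=120)),
        set_password("analyst2", "Group-Pass-2024", today - timedelta(days=10)),
        set_password("manager1", "Unique!Key#77", today),
    ]
    return {
        "expired": expired_accounts(accounts, today),
        "shared": accounts_sharing(accounts, "Group-Pass-2024"),
        "login_ok": verify(accounts[2], "Unique!Key#77"),
        "login_bad": verify(accounts[2], "Group-Pass-2024"),
    }


if __name__ == "__main__":
    print(demo())
```

The audit function is deliberately a dictionary-style check against a suspected group password rather than a digest comparison: per-user salts (which you want, so that one cracked hash does not expose every account using the same password) also mean that shared credentials only show up when you try the candidate against each account.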
According to Suresh Srinivasan, general manager, enterprise
solutions, Ramco Systems, "A security policy should clearly spell out the
procedures and should enunciate the consequences employees have to face in the
event of a security lapse arising out of negligence. The primary emphasis should
be on the correct use of the company facilities, equipment, highlighting the
norms and underlining their importance."
The Role of HR
While a security policy is critical to any organization, the
extent of threat depends on the kind of people the company
employs. Observes Balu, "The role of HR in IT security starts right
from the search for candidates. Once the candidate is selected, systems and
HR should work in tandem and must allocate privileges like access to the
system resources, network, servers, telecom and other network resources
depending on the job content and requirements."
It is also the responsibility of the HR department to inform
the employees about the critical nature of security. According to Rahul Swarup,
president, enterprise solutions, Satyam Infoway, "It would be better to
run the new recruit through a basic security presentation on the common methods
of break-ins. It would help immensely if employees are provided with a quick
reference of the do's and don'ts on security. The system administration team
should send out periodic messages about new security threats and ensure that
employees have the latest anti-virus signature files on their machines."
HR should also play a key role in managing the privacy issues
involved in security. For instance, employees may be monitored through CCTVs,
by reading their e-mail, or by analyzing their browsing behaviour.
It is the duty of HR to inform the employees about the various
monitoring mechanisms the company adopts as part of its security measures.
Evolving Guidelines
Whether it is educating the employees or HR playing a
pro-active role in the management of security issues, companies need to have
well-formulated security guidelines in the first place. Says Balu, "At Ford
India, we follow Ford Motor Company's Corporate Systems security guidelines.
They are very stringent. Implementation and adherence is ensured by continuous
communication, automating certain aspects, periodic internal control reviews,
audits, and yearly reviews by corporate audit groups."
HR plays a dominant role in framing the security guidelines,
agrees Swarup. "The HR department together with the systems administration
and the management should explore various security issues and formulate security
guidelines. The guidelines must clearly spell out the differentiated levels of
access based on eligibility criteria," he says.
G Shrikanth in Chennai