Remember the tale of the Ramayana? Remember Vibhishana? This brother of Ravana, the king of Lanka, provided the vital clue that ultimately led to the death of the trilok vijayta, the conqueror of the three worlds. Not that Rama would not have managed to kill Ravana without Vibhishana's help, but his job became easier once he knew exactly where to strike.
Compare this with today's increasingly wired, fiercely competitive business environment. Despite security measures, companies are not only losing critical information; their systems are being paralyzed for hours and their Web sites, the face of the company in the e-economy, are being defaced. While most organizations tend to blame hackers on the outside, today's e-economy requires that an organization be equally wary of the internal human factor.
Says Y V Verma, vice-president, HR and MS, LG Electronics,
"Companies usually commit the mistake of laying more stress on security
from external attacks. Studies, however, have proved for years now, that
organizations are more vulnerable to breaches by deliberate or negligent acts of
employees or other trusted business partners and associates."
According to enterprise security experts, attack from outside is not the only threat to an organization's information systems. Even if the company does not have an active link between its Internet server and the back-end system, its systems are still vulnerable. Surveys have revealed that over 80% of the threat to an organization's systems comes from its own employees: current, former and those on contract. "So, while you may have minimal threat from terrorists, competitors and organized crime, the fact is you still have considerable exposure within your own people," he adds.
The anonymity threat
Akhilesh Tuteja, manager, information risk management services at KPMG, feels that the sudden spurt of white-collar crimes and security breaches is because of one unique feature of this networked world: anonymity. Not that the employee of yesteryear was more honest or reliable; employees are equally reliable today. However, the working environment of the old economy did not give them the tools to peep where they should not, or the ability to spread mischief. "While no employee would dare to even glance at what the boss carries in the briefcase, given an opportunity one does like to," quips Tuteja. "The networked environment provides employees with the opportunity to do just that without actually having to fear being reprimanded. The Internet has created a shield of anonymity today and this gives the errant employee a pseudo sense of security, making them bold enough to break norms," he adds.
Agrees Verma, "More and more workers, even in manufacturing units, are operating through personal workstations networked through the LAN and WAN. Even those on the move are increasingly being provided with facilities that could connect them directly to the organization's network. Hence the attack can come from anywhere. The intruder can be sitting just next to you in the same cabin, and still one may not be aware of them."
Verma divides an organization's valuable human resource into four types: happy and working; happy but leaving; disgruntled but working; disgruntled and leaving. While those in the happy categories would be the least dangerous from the point of view of deliberate mischief, the disgruntled-but-working kind would be the most dangerous. Hanif Sohrab, product manager, network security at HCL Comnet, on the other hand maps the threat on a different matrix. According to him, all enterprise security threats can be classified into two categories, internal and external, and each of these may be either unstructured or structured. While unstructured threats are generally caused by those purely seeking kicks from their success, or by plain peeping and ignorant employees, the structured threat, as the name suggests, is a deliberate attempt to harm the organization's interests. And unlike the novice hackers in the unstructured category, intruders from the structured stable are usually more technology-savvy, or may even be experts in the art of digital espionage and infocrime.
HRD: Prime driver
Both HR and network security experts agree that even the best safety systems can be compromised, inviting lurking intruders. Naturally, the HR department needs to play an active role in driving the implementation of the security policy. According to Verma, "While it is essential that the organization's security policy is able to address the needs of the business, it should also follow the age-old KISS (keep it simple, stupid) principle in order to be understood and supported by the management. A top-down approach is the best in this case, as employees tend to forget any policy that does not directly affect them. This approach would enable the organization to make its people realize the importance of information security and follow the drill seriously."
A good security policy also needs to accommodate all activities, including the organization's non-business peculiarities and culture. It should be implemented in a phased manner so that the workforce is able to absorb it without actually feeling uneasy about it. "In fact, it should be administered in small doses, like a vaccination, but then you also need to understand your human resource better. Security policy should not make them feel as if their privacy is being compromised, as this may spread unrest and make the process counterproductive," suggests Verma. The human resource factor should never be ignored while developing a security policy. In fact, it should be the first issue, as people are the ones who will implement the policy and may also cause breaches.
Another issue that businesses need to confront is the changing nature of working arrangements and of the workers themselves. One good thing about the old economy was that the people managing and using data processing facilities were very few and were often around for years. Hence any information or network security breach would have had very few suspects. This in itself was a big deterrent to network security breaches.
Points out Verma, "High employee turnaround ratio, particularly amongst IT professionals, also increases the danger manifold. How do you maintain trust when the most-tenured employee has been on board for a year? What this means is that the HR department should also look into these issues while recruiting people, particularly in the case of IT and security employees. The issue should also be looked into while drafting the security policy." What's more, many companies today outsource several of their key functions, including network management and maintenance. This also means that there may be several temporary workers, or staff from the service providers, working in the organization and having access to vital information. Care should be taken while handling such people, who may or may not be involved in a breach.
"These gaps can, however, be plugged by providing proper training and creating awareness amongst the users," says Verma. According to the KPMG information security survey, however, 77% of the Indian organizations surveyed do not have a formal program for security education and training for employees. This results in low security awareness amongst users and makes the organization prone to attacks. Experts believe that enterprises, irrespective of their size, share the same problem. "Security is not a profit center and hence whenever there is a reason to cut costs, and that is what modern management techniques suggest, security gets the biggest blow," he adds.
The HR department can also utilize its rich database, which contains information about every employee, to find a trustworthy person who could be handed ultimate responsibility for network and system security. According to network security experts, it is important that there is only a single security administrator. First, because if a crisis should occur, one person should have the authority to act immediately without having to call a committee together or wait for approval from someone else. Second, the person should be ultimately responsible for clearing employees for various levels of security. "If too many people have the right to make security clearance decisions, the security of the entire system is definitely going to be jeopardized," says Sohrab.
Finally, the plan should rely on the expertise and experience
of your employees for success. An organization may have hardware and software in
place to help monitor security, but it is ultimately the employees who use the
system that know where its weaknesses are. A typical HR initiative could be to
consider pay incentives for employees who help identify and fix weaknesses in
the system and for those who help catch break-in attempts. Suggests Verma,
"If you turn your employees into the system’s police force, with real
rewards for doing their jobs well, you will help transform them
from the biggest threat to your institution’s security to its greatest
protective force, turning the institution’s greatest security liability into
its greatest security asset."
SHUBHENDU PARTH
in New Delhi