
The H-Word in E-Security

DQI Bureau

Remember the tale of the Ramayana? Remember Vibhishana? This brother of Ravana, the king of Lanka, provided the vital clue that ultimately led to the death of the trilok vijayta (the conqueror of the three worlds). Not that Rama could not have killed Ravana without Vibhishana's help, but his job became easier once he knew exactly where to strike.


Compare this with today's increasingly wired, fiercely competitive business environment. Despite security measures, companies are not only losing critical information; their systems are being paralyzed for hours and their Web sites, the face of the company in the e-economy, are being defaced. While most organizations tend to blame hackers on the outside, today's e-economy requires that an organization be equally wary of the human factor inside.

Says Y V Verma, vice-president, HR and MS, LG Electronics, "Companies usually commit the mistake of laying more stress on security from external attacks. Studies, however, have proved for years now that organizations are more vulnerable to breaches by deliberate or negligent acts of employees or other trusted business partners and associates."

According to enterprise security experts, attack from outside is not the only threat to an organization's information systems. Even if the company has no active link between its Internet server and the back-end system, its systems are still vulnerable: an air gap keeps out the anonymous outsider, not the person who already holds a valid login and sits inside the building. Surveys have revealed that over 80% of the threat to an organization's systems comes from its own employees: current, former and those on contract. "So, while you may have minimal threat from terrorists, competitors and organized crime, the fact is you still have considerable exposure within your own people," he adds.


The anonymity threat

Akhilesh Tuteja, manager, information risk management services at KPMG, feels that the sudden spurt in white-collar crime and security breaches is due to one unique feature of the networked world: anonymity. Not that the employee of yesteryear was more honest or reliable; employees are equally reliable today. However, the working environment of the old economy did not give them the tools to peep where they should not, or the means to spread mischief. "While no employee would dare to even glance at what the boss carries in the briefcase, given an opportunity one does like to," quips Tuteja. "The networked environment provides employees with the opportunity to do just that without actually having to fear being reprimanded. The Internet has created a shield of anonymity today and this gives the errant employee a pseudo sense of security, making them bold enough to break norms," he adds.

Agrees Verma, "More and more workers, even in manufacturing units, are operating through personal workstations networked through the LAN and WAN. Even those on the move are increasingly being provided with facilities that connect them directly to the organization's network. Hence the attack can come from anywhere. The intruder can be sitting just next to you in the same cabin, and still one may not be aware of them."


Verma divides an organization's valuable human resource into four types: happy and working; happy but leaving; disgruntled but working; disgruntled and leaving. Those in the happy categories would be the least dangerous from the point of view of deliberate mischief (negligent breaches, as Verma noted earlier, can come from any of the four), while the disgruntled-but-working kind would be the most dangerous. Hanif Sohrab, product manager, network security at HCL Comnet, maps the threat on a different matrix. According to him, all enterprise security threats can be classified into two categories, internal and external, and each of these may be either unstructured or structured. Unstructured threats are generally posed by those purely seeking kicks from their success, or by merely prying and ignorant employees; a structured threat, as the name suggests, is a deliberate attempt to harm the organization's interests. And unlike the novice hackers in the unstructured category, intruders from the structured stable are usually more technology-savvy, or may even be experts in the art of digital espionage and infocrime.

HRD: Prime driver

Both HR and network security experts agree that even the best safety systems can be compromised, inviting lurking intruders. Naturally, the HR department needs to play an active role in driving the implementation of the security policy. According to Verma, "While it is essential that an organization's security policy is able to address the needs of the business, it should also follow the age-old KISS (keep it simple, stupid) principle in order to be understood and supported by the management. A top-down approach is best in this case, as employees tend to forget any policy that does not directly affect them. This approach would enable the organization to make its people realize the importance of information security and follow the drill seriously."


A good security policy also needs to accommodate all activities, including the organization's non-business peculiarities and culture. It should be implemented in phases, so that the workforce can absorb it without feeling uneasy about it. "In fact, it should be administered in small doses, like a vaccination, but then you also need to understand your human resource better. Security policy should not make them feel as if their privacy is being compromised, as this may spread unrest and make the process counterproductive," suggests Verma. The human resource factor should never be ignored while developing a security policy; in fact, it should be the first issue considered, since people are the ones who will implement the policy and who may also cause the breaches.

Another issue that businesses need to confront is the changing nature of working arrangements and of the workers themselves. One good thing about the old economy was that the people managing and using data-processing facilities were very few and were often around for years. Hence any information or network security breach would have had very few suspects, and this in itself was a big deterrent to such breaches.

Points out Verma, "High employee turnover, particularly amongst IT professionals, also increases the danger manifold. How do you maintain trust when the most-tenured employee has been on board for a year? What this means is that the HR department should also look into these issues while recruiting people, particularly in the case of IT and security employees. The issue should also be looked into while drafting the security policy." What's more, many companies today outsource several of their key functions, including network management and maintenance. This means there may be several temporary workers, or staff from service providers, working inside the organization with access to vital information. Such people need to be handled with care whether or not they are ever involved in a breach: their access should be limited to the work they are engaged for and withdrawn when the engagement ends.


"These gaps can, however, be plugged by providing proper training and creating awareness amongst the users," says Verma. According to the KPMG information security survey, however, 77% of the Indian organizations surveyed do not have a formal program of security education and training for employees. This results in low security awareness among users and leaves the organization prone to attack. Experts believe that enterprises, irrespective of their size, share the same problem. "Security is not a profit center, and hence whenever there is a reason to cut cost, and that is what modern management techniques suggest, security gets the biggest blow," he adds.

The HR department can also use its rich database, which contains information about every employee, to find a trustworthy person who can be handed the ultimate responsibility for network and system security. According to network security experts, it is important that there be a single security administrator. First, if a crisis occurs, one person should have the authority to act immediately without having to convene a committee or wait for someone else's approval. Second, that person should be ultimately responsible for clearing employees for the various levels of security. "If too many people have the right to make security clearance decisions, the security of the entire system is definitely going to be jeopardized," says Sohrab. A single point of accountability is not the same as a single unchecked person, though: by the article's own argument the most trusted insider is also the one best placed to do harm, so the administrator's own privileged actions still need to be logged and reviewed by someone else, and a named deputy is needed for the day the administrator is unavailable.

Finally, the plan should rely on the expertise and experience of your employees for its success. An organization may have hardware and software in place to help monitor security, but it is ultimately the employees who use the system who know where its weaknesses are. A typical HR initiative could be to consider pay incentives for employees who help identify and fix weaknesses in the system, and for those who help catch break-in attempts. Suggests Verma, "If you turn your employees into the system's police force, with real rewards for doing their jobs well, you will help transform them from the biggest threat to your institution's security to its greatest protective force, turning the institution's greatest security liability into its greatest security asset."

SHUBHENDU PARTH in New Delhi
