Issue dated - 30th September 2002


IT security: It’s now or never

Indian enterprises cannot afford to take information security lightly any longer. With no security policies in place, lack of investigation of incidents and poor training, Indian companies will only suffer with financial and reputational vulnerabilities, warns Sunil R Chandiramani

User companies must realise that financial and reputational vulnerability will increase as connectivity increases. The warning stems from the analysis of responses to a survey conducted in India as part of the Global Information Security Survey 2002 conducted by Ernst & Young, in which most respondents indicate alarming gaps in security management around business critical systems and data. India was one of the 17 countries that participated in the survey. Today’s business environment demands that business leaders understand, anticipate and manage information security and availability as a business-wide priority. Organisations perceived to have an irresponsible approach to information security would be increasingly penalised by potential business partners and customers. The respondents felt that lack of employee awareness was the biggest challenge they face in the organisation for effective implementation of IT security. (See box: Challenges for effective implementation of IT)

These respondents constituted a mix of various industries, such as consumer products, financial services, healthcare, industrial products, insurance, public sector, telecommunications, oil and gas, etc. 70 percent of Indian CIOs, IT directors and business executives surveyed indicate that they expect to experience greater vulnerability as connectivity increases. A majority of respondents also indicate that critical business systems are increasingly interrupted—76 percent experienced unexpected unavailability. Yet alarmingly, business continuity plans exist at only 47 percent of Indian companies, as compared to 53 percent globally, and over half the respondents have not agreed recovery time scales, which could mean wide expectation gaps in the event of business interruption.

Much of the activity that is taking place is in the basics of information security, such as firewall management and anti-virus protection. 73 percent of Indian organisations do not investigate security incidents, as compared to 40 percent globally, despite repeated warnings that security breaches often result in the creation of ‘back doors’ for malicious use later.

It is clear that information security is still often regarded as a technical issue to be left to the IT department alone—resulting in technology solutions without supporting business processes. This failure will lead some organisations to prepare inadequately for threats that are increasingly sophisticated and rapidly changing. An organisation’s information security strategy must extend beyond the technical solution to include sound consideration of the nature of the business risks and the culture. It must be informed and objective and must drive tactical and operational decisions in all business areas if it is to be of real value today.

Getting this right can mean the difference between success and failure. Accurate and timely management information is critical to business management and yet there are disturbing indications of significant gaps in management information on information security. For example only 33 percent of the Indian respondents were confident they would detect an attack on their systems, as compared to 40 percent globally, and a number of organisations stated that some key components of security expenditure were either not monitored or were not easily identifiable.

Another grey area is that corporate India today is more concerned about vulnerability to external attack (62 percent) than to internal attack (50 percent). But globally published data continues to confirm that more than three-quarters of attacks originate from within organisations. In an economic climate marked by redundancies and hiring freezes, internal security is likely to become an increasing issue for Indian businesses. When we analysed the responses to the survey and observed the trend in India and abroad, we concluded that the difference in figures could be because these internal vulnerabilities have never been looked at before. Therefore, it is time for organisations to close the gaps in their security frameworks to ensure their own survival and competitive advantage.

Also, getting a grip on data privacy and Information Technology (IT) security must be accomplished through a cultural evolution within companies rather than by quick fixes. 68 percent of respondents stated that employee awareness is a barrier to effective IT security. It is one of the unpleasant realities of the constant battle to protect the enterprise. The more you invest in physical and technology perimeters, the more vulnerable the human perimeter becomes, often because of the social engineering techniques used by intruders. Only 52 percent of total respondents had an IT security training and awareness programme.

Employees can be forgiven for assuming that they have no critical role to play in security. Few employees receive regular training, and when they do receive it, it comes in quantities that they are not able to digest. The rest receive no training at all. The media focus on advancements in the latest IT security technologies, and on their exaggerated capabilities, may also lead employees to believe that if security technology is in place, their behaviour can’t pose a risk. Well-trained and constantly vigilant employees won’t guarantee that the human perimeter will hold against all attacks all of the time, but will certainly increase the organisation’s rings of defence against some of the most common attacks.

It is clear from the survey results that while information security has become a major concern for companies around the world, approaches to the risks are inconsistent and in too many cases insufficient. Companies stand warned that it is potentially irresponsible to fail to place information security on the boardroom agenda, and that many companies may discover too late that significant technical investments are being undermined by inadequate business processes, lack of information security awareness or training, third parties and business partners and the absence of testing and assurance processes.

Sunil R Chandiramani is partner, Ernst & Young. He can be contacted on 022-287 6485/86. The global survey results are available on Ernst & Young’s website at www.eyindia.com

© Copyright 2000: Indian Express Group (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in
Mumbai by The Business Publications Division of the Indian Express Group of Newspapers.