India Inc. is still not completely secure

While Indian businesses no longer think that security starts with an anti-virus solution and ends with a firewall, basic maturity and awareness about information security among Indian organisations is still quite low. Till Indian businesses realise that security is an amalgamation of people, processes and technology, security breaches will continue to be the norm rather than the exception, says Srikanth R P

Are Indian businesses secure? Take a look at the following statistics: According to the CII-PwC Information Security Survey 2002-03, around 37 percent of security breaches were caused due to primitive levels of security lapses. This figure is almost four times as compared to the InformationWeek Global Security Survey. Further, unknown methods of attack, which resulted in security breaches, are approximately three times more frequent in India.

Niraj Kaushik believes that the SME sector holds big potential; Trend Micro is targeting 30 percent of its revenues from this segment

While most organisations feel they’re secure after they have installed a firewall or an IDS solution, the CII-PwC survey highlights another interesting statistic. The survey states that only 16 percent of security breaches are identified proactively by using tools such as firewalls or an intrusion detection system (IDS). In most cases, the breaches were detected only through actual damages. This clearly shows a trend of reactive measures instead of proactive ones and that security awareness is still quite low.

Says Sivarama Krishnan, principal consultant, Global Risk Management Solutions, PwC, “Security breaches are on the rise. As much as 80 percent of survey respondents have reported security breaches during the last 12 months. The average downtime for all security breaches is at an alarming level of 29 hours. This indicates that a lot of effort needs to be put in by organisations in India to strengthen their security.”

While security breaches continue to be higher than the global average, awareness about comprehensive security policies is gradually increasing in Indian organisations. According to the CII-PwC survey, 41 percent of the Indian companies have a comprehensive security policy in place. This is a sharp increase compared to a figure of only 17 percent from the previous year’s survey. Similarly, about 74 percent of Indian companies have increased their security budget (46 percent globally), as compared to the previous year.

But despite the increasing number of organisations having a comprehensive security policy in place, security breaches happen on a regular basis. Security breaches happen because security policies are not updated regularly.

Says Terry Thomas, partner–Risk and Business Solutions Practice, Ernst & Young, “92 percent of organisations in India who participated in Ernst & Young’s ‘Global Information Security Survey, 2003’ believed that information security is of high importance for achieving their overall objectives. However, more than a third of all organisations were not confident of the IT security controls placed in their organisation.”

Additionally, organisations have invested in point solutions without understanding the importance of integrating different solutions from different vendors. This leads to a gap in the infrastructure, leaving organisations vulnerable to breaches.

Says Anil Menon, senior vice president, SecureSynergy, “My view about security revolves around the basic premise that security has to be an amalgamation of people, process, technical controls and management controls. This comprehensive view is missing in most organisations, leaving gaps in the secure infrastructure that they believe they have. However, there is a small shift from purely technical controls to an emphasis on productivity, people and processes.”

The emphasis on productivity can also be seen from the fact that many organisations are hiring external consultants to check vulnerabilities on their systems.

Says Peter Theobald, CEO of IT Secure, “Rather than going in for solutions right away, customers are preferring to undertake a security audit and a vulnerability assessment to see where they are currently placed in terms of security. Priorities can then be set as per available budgets since everything cannot be done at once.”

Key trends

While security was once seen as something that would never be outsourced, corporates are gradually giving away parts of their security functions to external service providers. Says Sivarama Krishnan of PwC, “A majority of the Indian organisations have not subscribed to managed security services. However, security functions towards maintenance of IT infrastructure have been outsourced as part of normal IT outsourcing. Currently, security functions like management of firewalls, network and host intrusion detection systems, managed VPNs and vulnerability testing are getting outsourced.” But the important point to note here is the fact that these services are currently being provided by appliance vendors who are usually niche market vendors with a low-priced service offering built around an IDS or firewall appliance. The players missing in the action are the full-service vendors who offer the entire spectrum of security solutions, including firewalls, anti-virus, IDS management and monitoring.

Adds S R Kannan, head, Enterprise Security services, Sify, “Indian companies have been outsourcing security functions in a piecemeal manner until now. This spans one-time consulting, implementation of various security products or a computer security incident. This is because outsourcing the entire security infrastructure would not only require a vendor with sizeable experience within this niche market but would also mean sharing of administrative rights to mission-critical resources (such as database servers or production servers).” However, Kannan believes that with security solutions becoming more complex day by day, even Indian organisations would start outsourcing their security needs. This trend can also be seen from the data verified by a CII-PwC survey conducted last year. The survey found out that around 25 percent of respondents were eager to outsource their security requirements.

Another big potential market that is attracting every vendor is the small and medium enterprises (SME) segment. It is estimated that around 44 percent of total IT spend comes from SMEs. Given this potential, vendors are naturally optimistic about increasing revenues from this sector.

Says Niraj Kaushik, country manager, Trend Micro India, “Our recent product launches are testimony to the fact that we are very serious about the SME segment. In fact, we are targeting close to 30 percent of our revenues from this segment alone this year.”

Increase in speed and complexity of attacks

One more noticeable trend in the last year was the increasing number of security threats and publicised vulnerabilities. From the virus point of view, there were quite a few famous ‘virus’ attacks that caused significant damage.

The virus attacks began with Slammer in January and BugBear in June, followed by Blaster and Sobig in August. Additionally, there were frequent security alerts released relating to buffer overflows in major applications.

Additionally, the speed of virus proliferation with the advent of the Internet has reached phenomenal levels. Take a look at the following statistics. In 1990, the Form virus took a year to spread across the Internet. In 1995, the Concept Macro Virus took two months. In 1999, the Love Bug virus took 9 hours. In 2001, Code Red took two hours, followed by Nimda, which took merely 30 minutes to spread. This gap reduced further when it took SQLSlammer just ten minutes to spread across the Internet in January 2003. Just like a security policy that needs to be updated regularly, even anti-virus solutions and applications need to be patched regularly. But patching regularly is not a simple process. Firstly, there are too many patches to track. Additionally, IT administrators are still not sure on the order in which patches have to be installed and whether the patches have been applied properly. Vendors like SecureSynergy have been quick to spot this opportunity and have launched specialised products to handle the management and application of patches.

Technology trends

Anti-virus solutions are no longer considered desktop-based products. This explains the shift from most vendors towards providing anti-virus solutions at the gateway. Says Niraj Kaushik, “A desktop-based anti-virus solution deals with only a copy of the infected file with the original staying at the mail server. If the server is not protected, the virus can replicate and cost a company millions of dollars in clean-up costs and loss of productivity.” Besides, corporates are now moving towards maintaining a centralised solution where updates are easier to be applied.

Says Rajendra P Dhavale, consulting director, Computer Associates India, “With a wide array of security point-solutions being deployed, there is a need for a security command centre that will enable enterprises to integrate security operations under a common point of control.”

Similarly, organisations are also combining different security functions into integrated products. For instance, Symantec has a solution christened ‘Symantec Client Security’, which integrates anti-virus, firewall and intrusion detection systems to ensure security policy enforcement at the client-level.

Spam has also become an issue of relevance to most Indian organisations. Most anti-virus vendors today provide specialised solutions to combat Spam. Trend Micro recently launched the Trend Micro Spam Prevention Solution, which promises to stop malicious Spam at the Internet gateway. Similarly, Computer Associates has a solution called eTrust Secure content management, which not only addresses Spam but also protects the organisation against viruses and prevents unacceptable use of the Internet by employees.

Says Kartik Shahani, sales director (India), Network Associates, “Around 25 percent of all e-mail received by organisations is Spam. Apart from the nuisance factor, Spam also consumes precious network bandwidth and data storage, which could have been utilised to conduct business-critical activities. Given this trend, we see a huge opportunity for our anti-spam solutions.”

The fact that Spam has become a core area of interest for customers can be seen in the maturity of the product offerings from different vendors. Take a look at Network Associates, which offers anti-Spam products that can fit in the needs of a company (according to policy), a specific employee (users can configure their own anti-Spam lists) or even the average home user.

Customers too are becoming more aware about the type of anti-virus solution they should buy before going in for a purchase. Says Vinod Kumar, managing director, Satcom Infotech (whose firm represents anti-virus firm Sophos in India), “The key difference in the approach of customers today is that they do not have to spend time justifying the need nor do they blindly purchase an anti-virus solution by brand name. They spend a lot of time evaluating different solutions and are always open to change.”

Industry analysts also believe that there is a need for organisations to move on to intrusion prevention systems from intrusion detection systems. Explains Ambarish Deshpande, head–Channel and Consumer Sales, Symantec India, “Threats to organisations come from a variety of sources, making it difficult to achieve adequate protection since one source of threat may bear no similarity to another. Intrusion prevention systems can provide diversity by identifying inappropriate activities occurring on networks and host systems.”

With mobile computing catching on in a big way, more and more companies are looking at VPNs for providing their employees remote access to their intranets. On the VPN front, there is a movement from the traditional client-based VPN to clientless VPNs. Clientless VPNs enable the user to log on to a corporate network from anywhere in the world with no pre-requisite for a client software to be installed on the PC.

Another key trend observed that is likely to become stronger is that businesses are going in for an integrated security appliance that performs a host of security functions, namely, anti-virus, firewall, VPN, content filtering and IDS/IPS in addition to providing network monitoring tools. Another noticeable trend is the fact that network equipment players like Cisco, D-Link and Nortel have started bundling in security functions with their products. Additionally, there are specialist players like NetScreen who provide integrated security appliances that come integrated with firewall, intrusion prevention, anti-virus, SSL as well as traffic management capabilities.

While it’s a common belief that enterprises prefer best-of-breed products, what matters even more is lower total cost of ownership (TCO) and ease of management. Separate security devices are not only resource-hungry, but managing them effectively and efficiently is turning out to be a major challenge for IT heads. This is the market that network equipment vendors and specialist players like NetScreen are looking to tap in a big way. And similar to the global trend, even Indian enterprises have started looking at adopting integrated security devices, which have no problems of integration and are easier to manage. Says Sanjiv Verma, sales director, ASEAN, NetScreen, “India is the fastest growing market for NetScreen in the ASEAN region last year and is now contributing a significant portion of our revenues.”

Conclusion

In summary, one can say that with changing needs, the definition of what a particular product should do is undergoing a sea change. As Dhavale of Computer Associates says, “Anti-virus would no longer just remain as anti-virus but would become a hybrid solution offering various other functionalities like Spam control, vulnerability management and policy compliance.” One more trend that is just taking shape but could become more pronounced over the years is that of customers demanding service level agreements from service providers.

The future of security products could be one as envisaged by Kartik Shahani of Network Associates: “In the future, we would possibly have products that come with artificial intelligence built-in, based on embedded technologies. This would allow them not only to take pre-emptive action against an attack and learn from mistakes but more importantly, in taking the right steps to avoid similar mistakes in the future.” While India Inc. is still low on the awareness front, the positive signs can be seen from the increased amount of online products across a range of sectors being launched and the increasing number of companies having a comprehensive security policy in place.

srikanth@expresscomputeronline.com

Is India’s sunrise industry secure?

Security in the ITeS/BPO sector is a significant issue as these firms have to understand the twin issues of enterprise security and consumer privacy. Industry analysts say that captive firms of international organisations are relatively more mature as they are driven by their parent’s international practices. But if you compare the average, adoption of international standards like HIPAA, BS7799 or the Sarbanes Oxley Act is still restricted to a few companies. Says Anil Menon of SecureSynergy, “Adoption of standards like HIPAA, BS7999, Graham Leach Bliley and the Sarbanes Oxley Act are restricted to few companies and these numbers would fall in single digits among a base of more than four hundred companies. And if you look at standards like the SAS 70, which are important for service organisations, the number is not more than one or two. This will need to change as the US will tighten its roll out of homeland security provisions and we can expect Europe to follow suit.” Most industry analysts Express Computer spoke to believed that the policies currently being used by companies in the ITeS/BPO segment currently focus on technology issues and related corrective measures like appropriate use of e-mail, system administration and network administration. Says Krishnan of PwC, “Most ITeS/BPO companies that have a comprehensive policy have not addressed critical business-oriented elements such as risk assessment, data classification, procedures for partners and employee security awareness. Thus, in spite of having comprehensive security policies, organisations often do not confirm to international standards like HIPAA or certification requirements like BS 7799.” The fact that the ITeS/BPO industry has a long way to go with respect to following international practices can even be seen from a preliminary survey conducted by Nasscom and KPMG to access the business continuity management (BCM) preparedness of the Indian software and services sector. The sample size of respondents comprised of respondents from both the IT services and the ITeS industry segments with 77 percent of respondents belonging to IT services, 13 percent belonging to ITeS and 10 percent of respondents operating in both. The report points out some alarming statistics. Nearly 75 percent of respondents reported absence of dedicated resources for BCM. While nearly 84 percent of respondents surveyed agreed that the demand for BCM has increased manifold, only a meagre 29 percent had a documented, corporate-wide and tested BCM plan in place. This indicates that even after incidents like 9/11, there are few takers for BCM in India. As the Indian software services industry started following the quality mantra to differentiate itself against the competition, industry analysts believe that the ITeS/BPO industry too should look at adopting regulatory standards and certifications for competitive strength. Says Krishnan of PwC, “Apart from the perspective of regulatory compliance, BPO organisations have increasingly started to look at information security and compliance with different legislations, standards and certifications as marketing tools that could provide them with a competitive advantage.”

Trends in security

Positive factors * According to the CII-PwC security survey 2002-03, 41 percent of Indian companies have a comprehensive security policy in place. This is a sharp increase compared to a figure of only 17 percent in the previous year’s survey. * About 74 percent of Indian companies have increased their security budget (46 percent globally) as compared to the previous year. * There has been an increase in the number of online financial products being launched, which shows an increased amount of confidence in the online medium. Negative factors * According to the CII-PwC Information Security Survey 2002-03, around 37 percent of security breaches were caused due to primitive levels of security lapses. This figure is almost four times as compared to the InformationWeek Global Security Survey. * The same survey states that Indian organisations that have a formal security policy often have very low security effectiveness on the ground level. Only 40 percent of respondents believed that their security is highly effective and 17 percent of respondents do not feel secure in spite of having a security policy in place. * Only 16 percent of security breaches are identified proactively by using tools such as firewalls and IDS.