Security

Not so secure

Small companies are not IT savvy and security is not the biggest issue for them which leaves them vulnerable to attacks. By Kushal Shah

Security is the biggest concern for an organisation irrespective of its size. Large organisations have a team in place to tackle security issues and a wide range of software services to help them fight viruses and other intrusions. If we are to talk about medium-sized organisations, they have fair bit of security knowledge and implementations to secure various aspects of business. The biggest issue of security is faced by the most vulnerable breed of the corporate hierarchy, the small segment. With little knowledge about the importance of security and the effects of not implementing the same, small businesses are the hottest and the easiest target for the hackers and the like.

According to the IMRB survey, from the sample of 197 small companies, 153 feel that their security system is in place. Security, however, is just another name given to anti-virus software at these firms. 95 percent of these ‘secured’ companies have anti-virus software installed. The point is how many of these are licensed and up-to-date with the latest virus definitions. Terms like managed security services, IPS (Intrusion Prevention System), IDS (Intrusion Detection System), penetration testing, unified threat management (UTM) and vulnerability assessment are barely known to these companies. On an average, only three percent of the companies had tackled these issues with adequate installations.

Present Scenario

Taking a close look at the security systems of these companies, we find that only terms they are aware of are anti-virus and firewalls. One of the most common and for most of them the only security problem is that of viruses. Most of these organisations run only Word, Excel and PowerPoint applications on their machines. Since few have ERP systems implemented, the need for security policies is less. Most of these companies are currently without well defined security policies and are getting their work done through a handful of people in their IT department. In some cases they do not have anybody to handle IT and rely on vendors or have some third party hired as and when the need arises.

The IT and ITES vertical comes out as least secure with only 55 percent of respondents calling themselves secure. Manufacturing & engineering businesses were found to be the most security conscious with around 46 companies having decent security implementations. “Security is very important for us, without which it is difficult to run the organisation. It is equivalent to physical security guards. Running IT is not possible without securing it,” says OA Balasubramaniam, General Manager- IT, Roots Industries Ltd, Coimbatore. Even in this vertical, on an average, only a couple of companies have adopted high level security methods such as IPS, IDS, penetration testing, UTM and vulnerability assessment.

Sharing the top spot with manufacturing & engineering businesses in terms of numbers is the services segment. This segment even gave a second look at its implementations. With dual anti-virus systems installed due to incapability of a single one to handle all the needs of an organisation and moving from one platform to another qualifies them as good thinkers at least and on top of that it proves that they are monitoring their processes. They didn’t seem restrictive in terms of growth of IT. “We do not have any budget as such for IT but we can spend whenever we need something new. There is no problems as far as expenses are concerned,” says Gita Deshpandey, IT Head, N. A. Shah and Associates, an accounting firm based in Mumbai.

Chemical and pharmaceutical firms seem interested only in basic security functions and none of them has anything more then basic installations such as anti-virus, anti-spam and firewalls. There was one interesting thing to note; some of them had internally developed in-house software for security and did not rely on external vendors for this function and they did all this with only about three-four people in IT. On the other hand some felt that they did not even need an anti-virus package, this is a cause for concern and the management of such companies need to rethink this one.

Decision makers

Not all companies have a CSO or a CFO to make policies and decide upon expenditure. In most of these organisations it is seen that the power to make policies, though hardly any exist, are in the hands of the IT manager or System Administrator whoever leads the IT team. In relatively big organisations they even have a head of operations making purchase decisions. Otherwise it’s the CEO or head of the company who decides about what to buy and what not to. Companies which had a budget allocated to IT had spent about eight percent of that on security and the rest had a negligible budget for it.

Secured areas

With few ERP applications running, the major concern of security is that of protecting data. Almost every organisation was equipped to handle viruses with anti-virus software installed. Few had security policies attached to IT usage within the organisation. “We have Windows group policy to restrict the use of external and internal networks. It varies from person to person. We have Norton installed as the anti-virus and further we have restricted access for SQL Server with user level authority,” says Zahed Siddique, IT- Manager, SL Raheja Hospital, Mumbai. In this hospital, each and every module has been secured.

Many companies preferred a free anti-virus package since their applications and data were not mission critical and regularly backing up the data solved their most of the worries and thus they could save significant amount which they would have otherwise spent on a licensed bundle of software. Companies such as ETV Gujarat, Tube Weld use free products such as AVG anti-virus.

There were a few companies going for double security of their applications by implementing more than one anti-virus solution. SMIFS Capital Markets Ltd of Kolkata has multiple vendors securing its systems—Symantec and Quickheal. “We have a dual implementation for the simple reason that none of these products are cent percent reliable,” says Siddhartha Banerjee, IT- Manager at SMIFS capital Marketing Ltd. They even had Norton Firewall to restrict external traffic. Symphony Comfort Systems Ltd of Ahmedabad also trusted the same two vendors to secure its Tally and FoxPro data in addition to Office files.

Once again talking about in-house software for security, Arbro Pharmaceuticals uses it to secure its IT set-up with the help of three-four people working in IT department. “It is essential for any organisation to secure operations and stop viruses. We are trying hard but many problems occur,” says LM Kaushal, Deputy Director, Arbro Pharmaceuticals, Delhi. He complains about viruses getting through the system even after having a good set up and is planning to hook up with Airtel for better security through their firewall.

Few companies had a good vision for their security policies. Roots Industries had all of their processes secured. System management, Asset management tool were implemented to help system administrators. Software management ensures that no one has installed unauthorised software onto a machine. If attempted, an alert is sent to the concerned person. Virus threat and intrusion detection systems ranked at the highest level of their security concerns.

We talk about security policies, but companies such as Unjha Pharmaceuticals do not even have an anti-virus solution installed but at least they have the intension of buying one. One thing small companies lack is awareness. Not everyone knows about the benefits of using protective technologies and the disadvantages of not using the same. Most IT and ITES companies did not have well defined security set-ups, maybe for the reason that Internet access is restricted in such companies. The thing to note here is that viruses do not only spread through the Internet but also via computer connectivity and optical or flash media. A simple study on security might get them on track vis-a-vis the benefits of security.

What needs to be done

A small investment with a bit of planning would do no harm to any company if it secures its operations. Every single organisation relies on data. It is considered the biggest asset for any company and if things go wrong with data then the business comes to a standstill.

Firstly small companies need to analyse their business and the security needed for it accordingly. After which the next step is to implement security software which can deal with various threats in order to take care of networks, Internet, e-mail and other data.

One of the easier ways is to educate your employees about security issues and to install adequate solutions which will beef up the environment. In the age of the Internet where every business relies on it, Internet security is a must particularly with regard to applications such as instant messaging (IM) which is the fastest and the easiest ways for hackers to attack.

All these security issues can be tackled with the right software for the same which needs to be chosen as per the needs of the business. Every security product vendor takes this segment seriously since it is the most vulnerable of the lot. They have separate products dedicated to small businesses. Surfing through their Web sites will give a good idea about what needs to be purchased depending on need and budget.

For those who do not wish to spend, you always have free software such as AVG anti-virus and low cost providers too.

The right education and intelligent steps to streamline security policies will help small businesses secure their operations in a well defined way and facilitate their journey from small to medium to large.