Security

Vulnerable to security threats

By failing to give security its due importance, MBs are vulnerable. As they expand, they need holistic network and perimeter security. By Neeraj Gandhi

Ignorance is bliss is a well-known phase. The situation in which this phrase would hold true is difficult to comment on. But one scenario where ignorance might prove to be a disaster and costly is in the security domain and especially if one happen to be in business and largely dependent on the Internet. With IT becoming the backbone of every business, no enterprise—small, medium or large, can afford to turn a Nelson’s eye towards security. This is because, hackers and viruses are on a continuous prowl in the digital world, and a minor slip can prove to be costly and disastrous.

Talking about security, there are two factors attached to the formation and evolution of a secured infrastructure. What comes first is the growing competence of hackers and viruses to enter into an IT system and their ability to cripple it from within. Secondly, the needs of the enterprise itself to support the growing business and keep its operational environment secured.

The first factor stems from a reactive nature of the MB, i.e., looking for security solutions when viruses have crept into the system. In contrast, the second action highlights the proactive nature of the enterprise. Experts confirm that the organizations following the second path are the ones that are comparatively more secure than those treading the first path.

Sleeping with the enemy

According to the survey, almost all MBs have a basic IT infrastructure in place–like desktops, printers and basic networking. Talking about the adoption of security, 88% of the 194 respondents have said they have some kind of security system in place. However, the type of security solution can vary depending upon the business requirement—from a standalone anti-virus security solution to integrated security appliances for Unified Threat Management (UTM).

Though a considerable percentage of the respondents believe that they have a secured infrastructure in place, what ironically falls under this banner of a secured infrastructure is the basic security solution, anti-virus, followed by PC-based firewall and anti-spam. What is even more astonishing is the percentage adoption of these solutions.

Of 194 respondents, 87% have deployed anti-virus, which also emerges as the most deployed security solution. Anti-virus is the top of the mind solution in the overall security solutions portfolio, hence it is the one that is most frequently deployed. What it essentially does is, it scans the general network traffic and detects the presence of malicious code, preventing the distribution of viruses from the Internet, and ensuring that workstations do not get infected by the virus. Though it is an essential part of the overall security infrastructure, it is not a complete solution in itself to protect a business against all types of malicious code and other security threats.

The survey highlights that once an anti-virus solution is deployed the percentage of other security solutions experiences a steep fall. Compared to the 87% deployment of anti-virus, only 52% had deployed a PC-based firewall, which is also the second most deployed security solution. This; however, leaves a huge gap of 35% between the deployment of anti-virus and PC-based firewall. Ideally, the percentage adoption of firewall should have been much higher and since it is configured to examine and allow/deny each packet that flows into or out of a network.

This affinity towards anti-virus vis-à-vis other security solutions is a characteristic that is synonymous mostly to MBs.

Anti-spam comes next in line with 42% deployment. Spam is perhaps the biggest nuisance one has to deal with in the digital environment. In fact, it recently celebrated its thirtieth birthday. Today, spam has emerged as one of the most dreaded Internet security threats. According to a report titled ‘2008 Internet Security Trends’ released by Cisco and Ironport Systems, spam volumes have risen 100%, to more than 120 billion spam messages daily. What makes it even more deadly is the way it has evolved to deceive all security solutions and enter a network. Therefore, the presence of anti-spam tools assumes cardinal importance.

Anti-spyware and network-based firewall rank fourth and fifth, with 37% and 35% adoption respectively. Other solutions such as Intrusion Detection System (IDS) and content filtering are not given priority amongst MBs. IDS finds acceptance only at 14% of the respondents followed by content filtering with 13% adoption.

An IDS generally detects unwanted manipulation in systems. It is required to detect all types of malicious network traffic and computer usage, which cannot be detected by a conventional firewall. This includes network attacks against vulnerable services, data-driven attacks on applications, host-based attacks such as unauthorized log-ins and access to sensitive files, and malware, viruses, Trojans and worms. There seems to be lack of awareness about IDS, and there is an immediate need to bridge this knowledge gap.

Last but not the least, the final leg of security infrastructure at MBs includes cold site disaster recovery and penetration testing with only 6% and 5% adoption respectively.

The percentage figures represent planned technology penetration /usage within MBs. These numbers may add up to more than 100% since a particular respondent may plan to invest on multiple technologies. Base = 189

Vertical-wise

Among verticals, BFSI emerges on the top with a well distributed secured infrastructure. The vertical is ranked number one in the adoption of six of the total ten security solutions included in the survey. The adoption of anti-virus stands at 94%, followed by PC-based firewall (63%), network-based firewall (48%), and VPN (38%) among other security solutions.

Kotak Wealth Management comes across as a good example of a well-integrated security infrastructure. The company has around 400 employees with an equal number of desktops and laptops (taken together). The company is using almost all security solutions from Trend Micro. “We rank security very high in our IT priority list. Today, given the way we have built out security infrastructure I can say that we are 90% secured. As regards the balance 10%, we do regular checks and take measures to ensure that security is not breached,” said Nagraj Poojari, Manager, IT, Kotak Wealth Management. The company also follows a strict security policy. According to the terms and conditions, employees cannot access personal e-mail accounts, certain other Web sites are also blocked, and there is limited access to USB drives. The company has recently installed security software called SafeBoot [now a McAfee company] on its entire complement of notebook PCs. This software asks for a password when the notebook boots, and if a wrong password in entered, it locks down the machine. “This ensures that no outside user can access any company-related information,” added Poojari.

“On a scale of one to ten, with the higher number assuming greater importance, we rank security at number eight. Having our infrastructure secured is our prime concern. We have around 100 workstations in our office at Delhi, and all have anti-virus installed. We also use a firewall at the server-end. Additionally, we have blocked access to personal e-mail, and even USB drives are prohibited. Access to certain Web sites has only been given to senior employees,” said Kapil Gupta, Linux System Engineer, Pioneer Fincap Pvt Ltd.

The IT/ITES vertical comes next in line. It emerges as the largest adopter of anti-virus with a 95% adoption rate, and anti-spyware with 50% adoption. It also accounts for second highest adoption of PC-based firewall and anti-spam, with 61% and 52% respectively using these solutions. The adoption of advanced security solutions like IDS, content filtering and penetration testing remains in single digits.

The percentage figures represent planned technology penetration /usage within MBs. These numbers may add up to more than 100% since a particular respondent may plan to invest on multiple technologies. Base = 189

The Professional Services vertical, which includes services like consultancy and hospitality, comes in next. This vertical emerges as the largest adopter of Cold Site Disaster Recovery, with 11% adoption. Besides, it is also the second largest adopter of anti-spam, anti-spyware, network-based firewall, VPN, IDS and content filtering. The adoption of anti-virus, which is the most popular solution, stands at 89% in this vertical.

Intercontinental Consultancy and Technocrats (ICT) Pvt Ltd is a company in the design consultancy business. As regards its security infrastructure, it has deployed every solution that has been included in the survey. The list includes anti-virus, anti-spam, anti-spyware, IDS, IPS etc. “We recently upgraded our security and ensured that we have all relevant solutions in place and that all the signatures and patches are updated. We also follow a strict security policy. We have blocked access to all music and video sites, personal e-mail, and USB drives. Only senior employees can use USB after a virus scan,” said Gulshon Kumar Neveriya, Deputy General Manager, ICT.

The manufacturing vertical scores highest is terms of adoption of anti-spam solutions with 54% adopting it. That said, 88% of the respondents in this vertical use anti-virus, followed by 51% who use PC-based firewall. The adoption figures for anti-spyware, network-based firewall and VPN stand at 30%, 39%, and 20% respectively. The adoption of IDS and content filtering are 14% each. Cold site disaster recovery and penetration testing record single digit adoption figures. Largely the security infrastructure within this vertical depends on the nature of work.

“Our work does not involve much of IT, therefore we have only installed the basic security solutions. Presently we are using an anti-virus solution from Symantec. It is installed at the server, and we renew it on a yearly basis,” said Susheel Kumar Bachheti, Assistant Manager, EDP, Bihar Sponge Iron Ltd.

The Wholesale/Retail vertical has not been very security conscious but it is the third largest adopter of anti-virus with 90% of the respondents confirming deployment. PC-based firewall and anti-spyware are at 49% and 29% respectively.

The Utilities/Transportation/ Real Estate vertical is ranked last among all verticals. This vertical records the lowest adoption of anti-virus, with only 84% of the respondents confirming the deployment and hence most vulnerable to security attacks. Even the adoption of PC-based firewall and anti-spam, 41% each, is low when compared to other verticals. The percentage adoption of IDS, cold site disaster recovery, and penetration testing remains in single digit figures.

A low priority

The MB report brings to light a striking revelation in terms of the IT spend among the medium businesses in the country. It states that a little less than 80% of the respondents spent less than Rs 1 Cr on IT. 15% of the respondents spent somewhere between Rs 1- 1.25 Cr. And only 4% spent above Rs 2.5 Cr on IT last year. This expenditure on IT was on the higher side among the BFSI, IT/ITeS and Professional services vertical.

Out of the total expenditure on IT, it is the allocation of funds for strikes an astonishing picture. The survey indicates that at present desktops dominate the pie at 48%, followed by laptops (14%) and servers (5%). Security shares a small pie of the 14% allocated to other IT infrastructure that includes, storage, enterprise applications, services, Internet & communications, connectivity & wireless, cabling & power conditioning, etc. For 2008-09, the portion allocated to other IT infrastructure is projected to grow to 17%.

The survey also states that desktops emerge as the clear winner in terms of acquiring IT infrastructure. 80% of the respondents said that desktops are at the top of their IT acquisition list, followed by 65% supporting laptops, and printers with 52%. In contrast, only 10% of the respondents ranked security as a high priority in the IT infrastructure list. A majority of the respondents- 58%- ranked security somewhere between 4 and 6 in the list of top ten, and a good 33% of the respondents ranked security below seven, on a scale of one to ten, with higher number assuming low importance.

Expanding MBs should take a holistic view of security

The present security situation in the MB segment is quite incongruous. Had it been SBs, which face a financial crunch, and are not aware of the risks attached with inadequate security, then the situation would have been quite understandable. However, it can be inferred from the survey that even in the case of MBs, security is not given due importance.

The fact that the IT budget has increased over the years is a proof that IT is making inroads in this segment as more processes are automated. To some extent it can also be said that the segment is doing well. Security, however, seems to have taken a backseat.

At any given point in time, the data that MBs have to manage is much more than what SBs have to do. In this scenario, it is important for them to realize the importance of a well-built security infrastructure. Large scale adoption of anti virus-coupled with low deployment of other security solutions indicates that medium businesses still believe that an anti-virus solution is all they need to safeguard their business, a perception that needs to be changed.

neeraj.gandhi@expressindia.com