Increasing cases of identity and data theft are becoming a major cause for
concern across organizations and individuals alike. They're causing
financial loss and data loss, not to mention loss of credibility and
reputation. We surveyed 80+ CIOs across India to find out how seriously they
tackle Information Security threats. We also believe that securing data is
everyone's responsibility and tell you how to go about doing it.
Before devising a plan to secure your information, you need to understand the
current security landscape and the risks it involves. So in order to understand
what's currently happening, we surveyed 80+ CIOs from across the country to find
out their understanding of the subject, and what they were doing about it. The
results we got were pretty interesting. Here's the first one:
65% of the CIOs felt that security threats have become more dangerous than ever before.
30% felt that security threats are just a nuisance, and not really dangerous.
The surprising element in the above is the 30% of CIOs who feel that security
threats are still a nuisance. Had that been the case, then cyber crime would not
have been a multi-billion dollar industry. Clearly, cyber crime is on the rise
because there are monetary gains involved. According to various research reports
from key security vendors, most cyber crimes today are targeted at stealing
critical data for financial gain. This trend is only expected to grow, and the
sooner we accept this fact, the better it will be as we would then be in a
better position to combat it.
42% of the CIOs had less than 10% of their IT budgets devoted to information security.
19% had 10-20% of their budgets devoted to information security.
25% didn't have a separate budget for information security.
The good thing though is that the level of seriousness amongst Indian CIOs
with respect to information security is pretty high. Even the top management in
most organizations understands the possible security risks and what kind of an
impact they can have on the organization. However, this doesn't directly
translate into allocating a significant part of the IT budget on information
security. The data on that suggests the following:
The rest of the CIOs didn't give a clear indication about their information
security budgets. There was another key trend that we observed from the survey,
which is even more interesting:
94% |
Of the CIOs had deployed anti-virus software in their enterprise. |
47% |
Spent most of their time in combating virus attacks. |
The above clearly indicates that anti-virus software is not completely
effective in combating security threats. Despite having it deployed, viruses
manage to creep in and cause havoc. It's important therefore, to understand how
viruses still manage to creep into the system, despite having so many solutions
in place.
So now, we'll focus on some of the key security risks that are heating up.
Entry Points for security threats
There are a large number of channels through which malicious code can
enter.
Security threats can come from anywhere, be it outside or inside the network.
Information can be stolen from anywhere, be it your network, desktops, servers,
Internet portal, or wireless network. Therefore, you need to first identify the
possible channels from where information can be stolen: USB ports, remote access
to systems, wireless networks, VoIP, laptops, smartphones, etc. Information can
be stolen from most of these channels. Here's the state of affairs as far as
Indian enterprises are concerned:
The above graph is quite interesting. It shows that 61% of organizations use
secure wireless networks. What this means is that the remaining 41% either don't
have wireless networks or use wireless networks that are not secure. Likewise,
if 40% of organizations allow open usage of flash drives, then they are obviously
in danger of information theft. And if 56% of the CIOs provide remote access for
their organization's employees, there is a chance of information theft. The really
interesting ones are open access to public IMs and open usage of USB drives.
Free access to public IMs means employees can send whatever information they
want to anybody. Let's analyze this in more detail.
How vulnerable are USB ports?
USB ports have become the default interface for just about every device you
plug into a PC or laptop today. While they've increased the convenience, they've
also increased the security risk. USB flash drives for instance, are commonly
used to carry/share data. This has also made them the most common cause of
spreading virus infections. The Conficker worm, which has been in the limelight
for quite some time now, spreads itself through USB drives, among other channels
of course. The University of Utah recently reported that 800 machines on its
network were infected by the worm, all because somebody brought a USB drive
infected with Conficker, into the network. Even if you can prevent virus
infections on USB drives by keeping anti-virus software updated on all systems,
how will you prevent somebody from walking away with important information on a
USB drive?
Besides flash drives, USB ports can also be used to connect devices like
Internet data cards. While this makes it easy for your mobile workforce to
connect to the corporate network, or use the Internet when on the move to check
important mail, it also makes it easy to leak information. Given that the
current economic slowdown is causing a lot of employee lay-offs, USB ports could
be considered as a security threat.
Does this mean that you should block all USB ports on all machines in your
organization? There are solutions to do that, but before you do that, it's
important to understand the implications. While you prevent information theft or
virus infection, you're also taking away the convenience that most employees
have enjoyed. This could therefore reduce employee productivity.
So if you do plan to block all USB ports, first look for alternatives.
Revisit all access control rights and be more stringent on who has access to
what resources. Ensure that the common network location for file sharing amongst
employees is cleaned up more regularly than before.
Security incidents over past few years
Users are a key asset for every organization, but they're also the most
vulnerable point of entry. It's easier to cajole a user into divulging important
information than breaking through a firewall. This makes educating users about
various security threats extremely important. However, it's not as easy as it
sounds. Have a look at the following result from our information security
survey:
You'll notice that laptop thefts are at the top of the security incidents
list. This obviously means that users have to be more careful, and a stronger focus
needs to be put on training users on how to protect their laptops. The second
one is about theft of confidential information. This could be caused by weak
passwords or authentication, but it could also be caused by disgruntled
employees walking away with confidential data on USB drives. The fourth one is
another direct link to users: identity theft.
Is User Training the Answer?
If educating your users could resolve the problem of incoming security
threats, then no organization would be combating so many security threats today
and facing major financial losses. It would be the end of security threats and
everyone would be sleeping peacefully at night. But unfortunately that's not the
case. The thing to observe here is how much to really expect from your users? Do
you seriously expect them to remember long, complicated passwords without
writing them down somewhere? Or do you expect them not to open an attachment
that pretends to come from their boss? Or click on an email that comes from a
bank where they don't have an account?
Every single user today has dozens of passwords, and it's impossible for them
to keep track of all of them without writing them down somewhere. Using the same
password for all applications is a bad idea anyway, because if it gets hacked,
then the hacker gains entry into all of the user's apps. So obviously every user
today is expected to remember multiple passwords. Now, if you make the passwords
too complex so that they're difficult to hack, then you're also making them
difficult to remember. So a user would obviously have to write them down
somewhere. You could teach the user to store his/her passwords in a 'password
protected' document or implement other mechanisms like fingerprint scanning,
card scanners, etc.
44% of CIOs faced less than 5 serious security breaches over the past few years.
15% faced 5-10 serious security breaches/incidents.
7% suffered from 20 to 100.
25% of the CIOs said that their organizations had suffered from financial loss due to a serious security incident over the past few years.
Likewise, you can't expect every user in your organization to go through your
security policy every time they want to check an email or access a website on
the Internet. Nor can you expect the user to remember the dozens of points
you've written there. So you obviously need to strike a balance between user
expectations and your security policy. If there are too many mail attachments
floating around, which could be a potential security hazard, then implement
software that removes them from all incoming emails, deletes the obviously
suspicious ones like those with .exe extension, and then puts the rest in a
folder on the network. The user could then get the email with a link to this
attachment or if it was a potentially dangerous one, then get the message
indicating so. This way, you've removed the hazard of leaving it to the user to
figure out whether the attachment is legitimate or not. Or should we say, you've
no longer left it to chance. In fact, a long time ago, PCQuest had given the
prestigious Best IT Implementation award to ICICI Bank for implementing such a
mail attachment stripping solution.
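The attachment-stripping flow described above, as an added example in Python; it is not PCQuest's or ICICI Bank's code. The block list (only .exe, as named in the text), the share URL, the example.com addresses and the helper names are assumptions, and the sample message is constructed.

```python
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import Path

# Assumption: the article names only .exe; a production block list is longer.
BLOCKED_EXTENSIONS = {".exe"}

def strip_attachments(raw, store_dir, share_url):
    """Return (rewritten message, log); no attachment reaches the user."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    log, notices = [], []
    for part in msg.iter_attachments():
        # Keep only the base name so a crafted filename cannot leave store_dir.
        name = Path((part.get_filename() or "unnamed").replace("\\", "/")).name
        # Windows ignores trailing dots/spaces, so "x.exe." still runs as .exe.
        ext = Path(name.rstrip(". ")).suffix.lower()
        if ext in BLOCKED_EXTENSIONS:
            log.append((name, "deleted"))
            notices.append(f"[Attachment '{name}' was removed as potentially dangerous]")
            continue
        data = part.get_payload(decode=True) or b""
        stored = f"{hashlib.sha256(data).hexdigest()[:16]}_{name}"
        (Path(store_dir) / stored).write_bytes(data)
        log.append((name, "stored"))
        notices.append(f"[Attachment '{name}' is available at {share_url}/{stored}]")
    out = EmailMessage()  # plain-text copy: an HTML-only body is not carried over
    for header in ("From", "To", "Subject", "Date", "Message-ID"):
        if msg[header] is not None:
            out[header] = msg[header]
    out.set_content("\n".join([text.rstrip(), *notices]) + "\n")
    return out, log

def build_sample():
    """Constructed sample: one document and one disguised executable."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", "Q3 report"
    m.set_content("Please see attached.")
    m.add_attachment(b"%PDF-1.4 sample", maintype="application", subtype="pdf", filename="report.pdf")
    m.add_attachment(b"MZ sample", maintype="application", subtype="octet-stream", filename="invoice.pdf.EXE.")
    return m.as_bytes()

if __name__ == "__main__":
    import tempfile
    message, actions = strip_attachments(
        build_sample(), tempfile.mkdtemp(), "https://files.example.internal/mail")
    print(actions, message.get_content(), sep="\n")
```

The decision is made on the final extension after normalising case and trailing dots, so a double extension such as the sample's "invoice.pdf.EXE." is still deleted rather than stored.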
Before you implement a security solution
The answer to this is, of course, to first identify what kinds of security
threats you are fighting the most. Where are you spending most of your time?
Only then can you identify the right solutions to deploy.
So, as per the above, organizations are spending most of their time combating
virus attacks, despite having anti-virus software in place. This obviously
indicates the need to train users on how to identify suspicious activity that
could be linked to a virus attack. Likewise, they have to be trained to identify
spam, because that's the next biggest threat that CIOs spend most of their
time fighting.
69% of the CIOs had a documented security policy.
21% didn't have a documented security policy.
Besides identifying the areas where most of the time is going, it's equally
important to identify the major security incidents that have happened in your
organization and their financial implications. For instance, this is what our
survey says:
As you can imagine, organizations are facing serious security breaches, which
require attention because they involve financial loss. This loss can be quite
severe. In fact, 8% of the CIOs admitted to having suffered losses to the tune
of several Lakhs of Rupees, while another 13% admitted to having faced loss of
reputation and credibility. However, the more unfortunate part was that 24% of
the respondents had no concrete method of measuring losses caused by security
incidents. This is obviously not an easy job. One way of doing it could be to
measure the amount of downtime you've experienced and the productivity lost as a
result of that. This could be equated with the salary of employees that have
been affected and then the total loss could be calculated. The way to measure
loss would be different in case data gets stolen. That would be more difficult
to calculate.
Importance of documentation and Standards
However, security solutions alone aren't enough. You also need
well-documented security policies, and moreover you need to conduct regular
formal assessments of your network. Our survey revealed the following facts
about the documentation of security policies:
Having a written policy is always a good idea and we can't stress its
importance enough. But even more important than that is to revisit it regularly and
keep it updated. For instance, suppose that despite having a documented
policy, you keep getting recurring security threats. In such a case, you need to
find a solution to that threat, and update your security policy on how you
combated it. We already gave the example of email attachments when we discussed
the importance of user training.
Besides documentation, you also need to conduct regular assessments of the
security of your network. Since your IT infrastructure isn't static, how can
your security remain the same? Security threats are increasing, and so is your
IT infrastructure. Beyond a certain point, even policies and re-assessments may
not work. That's where you would need to start exploring security standards.
Today, two key security standards exist for information security. These are
BS7799 and ISO27000 series. There are quite a few organizations that haven't
deployed these standards. Amongst the two, the ISO standard seems to be more
popular.
Which Solutions to deploy?
There's a whole range of security solutions available, which you can deploy
to combat information security threats.
The current state of affairs amongst Indian enterprises is that 94% have
anti-virus software and firewalls. It's surprising that 13% of our survey's
respondents didn't have anti-spam solutions in place. Email security seems to be
surprisingly high at 79%, and the same goes for Intrusion Prevention Solutions at
69%. The remaining information security solutions, which would become extremely
relevant in the times to come, have low levels of deployment. Hard disk
encryption, for instance, is there only across 15% of the enterprises we
surveyed. This is extremely useful in preventing your data from getting misused
should your laptops get stolen.
Protecting Sensitive Data From Loss with DLP Solutions
Information no longer resides inside the four walls of an organization, given the business outsourcing scenario. Any leakage of information can cause you to lose not only money but also credibility. So, apart from securing PCs from viruses, spyware, etc., what seems very important for an organization is defending data against all vulnerable ends. And this is now becoming a big concern for many enterprises. A couple of months ago, there was news about a BPO employee who stole some sensitive data of the client, and as a result the organization lost its credibility, and with it its clients.
Data loss protection or DLP is the term that is The issues are endless when it comes to DLP. They provide them solutions which exactly The network based DLP systems comprise
An analysis of the CIOs' plans on what to deploy in information security gave
us hope for the new solutions. 41% of the respondents were planning to deploy
hard disk encryption for instance, while another 49% were planning to implement
data loss prevention solutions. We've given a detailed overview of this new
technology elsewhere in this story. Here's the rest of the solutions that CIOs
are planning to deploy:
How to choose the right solution
Sometimes the solution may not lie in a fancy, expensive piece of security
solution at all. So before you go all out to deploy every new security product
or technology, wait and watch. Wait for some time to see whether the product or
solution has managed to withstand the test of time. During this period, watch
who all are deploying it. After that, ask the vendor to give you some customer
references, and then decide whether it's really worth deploying or not. It's
very easy to get carried away by fancy words that are published in research
reports of well-known agencies or get caught in the glossy brochures of vendors
who claim that their product or solution is the best thing that happened to
mankind since brown bread. While it's important to go through them, they should
not form your basis for purchase decision making. Before you decide to invest a
huge amount in a security solution, ask around. Find some experts with hands-on
experience. Determine what kinds of challenges they faced while deploying it,
and whether the experience was pleasant or otherwise.
Anil Chopra, Anindya Roy, Rakesh Sharma, Swapnil Aroa and Varun Jaitly