The Hindu Business Line : Top management must know the dimensions of security

Are you surprised by the news of data theft currently raging on? Answers vary. "We're surprised, they're most alarming. This is clearly a matter we need to investigate further in the information commission's office," says Mr David Smith, the Deputy Information Commissioner (UK). The Information Commissioner's Office (www.ico.gov.uk) is the UK's independent authority set up to promote access to official information and to protect personal information.

The reference is to the October 5 report by www.channel4.com in its `Dispatches' programme — that "personal details of hundreds of thousands of Britons are being sold illegally in India, on a vast scale". Nearly 40 per cent of the world's largest companies now have call centres in India, said Channel 4, and spoke of how Ms Sue Turton's `12-month undercover investigation' revealed `just how easy it is to buy secret financial information for as little as £8 — from your address and bank account number to the security code on a debit card'.

Data farming

Infiltrating `criminal networks', Ms Turton had discovered not just data protection breaches but "a new phenomenon known as `data farming' — the unauthorised `harvesting' of personal data to be sold on or exchanged for profit." On this, however, computer experts closer home may not be surprised, it seems.

"Not surprising. This was overdue. If Channel 4 would have not done it, someone else would have exposed such crimes," says Mr Rakesh Goyal, Director of Centre for Research and Prevention of Computer Crimes, and Managing Director of Sysman Computers (P) Ltd, Mumbai. "Data theft happens not only at BPOs but at other IT installations, whether banks or telecom companies, ISPs or Government and other organisations."

Mr Goyal points out how one can get CDs containing data such as `list of bank customers, gold credit-card-holders, limousine-owners, big-tax-payers, mobile-owners and so on for Rs 300-Rs 900,' and asks, "From where has this data come?"

Somewhere in the middle

How does India fare in terms of IT security compared to other countries? "Somewhere in middle. Better than the `real Third-World countries' but worse than many western countries," says Mr Goyal. "Security, including IT security, is a function of mental state and a management process. Technology is only a facilitator. If the top management does not know the dimensions of IT security and/or is not serious about IT security, they are opening the floodgates, inviting the thief, so to say, to steal their IT assets."

Mr Goyal insists that our laws need to be up-to-date, and the culture to follow the rules of law should be reinforced. "Many of our laws are old. Our IT Act, 2000 is 40 IT-years old, because it does not address the existing technology," he rues. "Also, prosecution and judicial processes are cumbersome, delay-prone, vulnerable to corruption, and unaware of legal-technological issues."

What mechanisms can an IT/ITeS (IT enabled services) company install to detect leakage of data? These companies, and also R&D/banks should address IT security by technological implementation, and investing in policies, procedures and human training, opines Mr Goyal. "First, define security policies to make data / information leak proof by using technology." Work for being certified for IT security standard - ISO-27001 (BS7799), he advises.

Is there anything that IT companies can do to prevent the recurrence of incidents such as what Channel 4 has highlighted? "If IT security, both technological and procedural/human is properly defined, implemented and monitored, the risk of Channel-4 type incidents will be reduced considerably," hopes Mr Goyal. "Only, genius criminals will find a way to breach security, not novices, as happening now."

Would insurance cover help? "It may reduce financial liability, but not the loss-of-credibility, customer-confidence and risk of loss-of-business due to bad publicity," reasons Mr Goyal. "Further, it depends on the amount of cover and conditions attached to it. Let's not forget that no insurance company would like to insure any IT installation without reasonable IT security."

More Stories on : Security | Outsourcing

Article E-Mail :: Comment :: Syndication :: Printer Friendly Page