Financial Daily from THE HINDU group of publications, Thursday, Jul 14, 2005

Opinion - Account Speak

Information security is not a custom, more honoured in the breach than in the observance

D. Murali
THREATS are increasing in sophistication, even as employees are lacking in awareness and training, laments the '2005 Global Security Survey' on 'security threats at the world's largest financial institutions' from Deloitte (www.deloitte.com). Two other recent postings on the accounting firm's site may also be of interest: 'Biotech Survey: An analysis of critical factors in alliance formation' and 'Executive Report, July 2005: Tourism, hospitality and leisure industry news and analyses'.

Reverting to the security survey, Adel Melek, Partner, is happy that last year's report was translated into three languages: French, German and Japanese. It also found its way to The White House, Melek writes in his foreword. "The US President's Information Technology Advisory Committee (PITAC) issued a report, citing one of the Survey's findings regarding security breaches."

The 44-page 2005 survey covers 'seven aspects of a typical financial services organisation's operations', viz., governance, investment, value, risk, use of security technologies, quality of operations and privacy. Among the key findings in the report is the statement that responsibility for managing compliance is moving away from being the sole task of the legal department. "Compliance is a time-consuming and ongoing exercise that, given the times in which we live, shows no signs of retreating. Organisations that embrace the elements and essence of compliance may be able to re-energise themselves and provide reassurance to their investors." Deloitte notes that many of today's security breaches occur because of internal vulnerabilities caused by "poor new-hire screening processes, lackadaisical subcontractor controls, security-ignorant employees and deficient management processes."
Almost one in three respondents acknowledged having done nothing to protect their organisation from internal wireless communication exposures. "Only 38 per cent run scans to identify rogue wireless networks... only 65 per cent of organisations have trained their employees on how to identify and report suspicious activity." Not many are aware that 'pharming', where a legitimate-looking email lures the user to 'illegitimate websites', is on the increase. "The board's interest in security is no longer an option; it is a requirement," declares the survey. It augurs well that 86 per cent of the respondents indicated that the board of directors has knowledge of the risk associated with the organisation. "Today's boards should be taken through a regular exercise to inform them of the organisation's key assets, the risks associated with those assets, and the benefits and criticality of ensuring those assets are secured," is guidance worth adopting.

On costs and benefits, there is some disappointing news in the survey. "Majority of respondents are still doing poorly at measuring performance... focussing more on costs and returns as opposed to the value the security provides the organisation." Such value, however, may remain in the hazy domain for some time to come. IT security takes around 3 per cent of the total IT budget, though many felt that 6 per cent would be optimal. To the question 'what comprises the majority of respondents' security budgets for 2005?' the answers were: logical access control products, infrastructure protection devices, security consultants, hardware and infrastructure, audit or certification costs, and physical access control devices. Purchasing decisions were influenced by total cost of ownership, service and support, and product build architecture, in that order.
Though there is a school of thought that Information System (IS) security is a hygiene factor, as much as functioning zippers in what you pull out of the wardrobe, the survey shows that almost half of the respondents felt that "a secure IT environment gives them a competitive advantage". Check if your organisation has in place a 'vulnerability management' plan, taking into account: "It is vital to remember that the fact that a security breach is not known to have occurred is no guarantee." On the one hand, organisations may not be aware of the breach; on the other, "an organisation may choose not to disclose security breaches for fear of tarnishing its reputation", as the survey points out.

And that is where the law is stepping in. 'Do Banks and Other Businesses Have a Duty to Notify Customers of Computer Security Breaches?' asks Anita Ramasastry, Associate Professor of Law at the University of Washington School of Law in Seattle and a Director of the Shidler Center for Law, Commerce & Technology, in the day's posting on http://writ.news.findlaw.com. "If someone hacked into a computer database and stole your credit card number, would you want to be immediately notified? Or would you be happy to be informed only if, and when, thieves used your number to make unauthorised purchases?" she asks. "In California, such a legal duty already exists: California's 2003 Security Breach Information Act imposes just such a duty. It also specifies that notice must be written, electronic, or via email." Thus, on www.privacy.ca.gov, you can learn about the 'Office of Privacy Protection' in the California Department of Consumer Affairs. "At present, only a handful of other states including Alaska, Arkansas and Washington require companies to alert the public," is an update from Ramasastry, even as she argues for a federal law on the subject. It may then be only a matter of time before we too think of amending our laws to mandate that breaches be notified promptly.
But Ivan Schneider, Executive Editor, Bank Systems & Technology, isn't going to be happy, as I gather from an e-newsletter on http://update.banktech.com. His recent missive blames the media! "It's those headline-hungry reporters, scaring potential customers away from online banking and e-commerce by pointing out that the payments network has irremediable flaws that the industry just can't afford to address," he writes, commenting on 'one embarrassing disclosure after another'. It's not as if consumers have to personally bear the burden when their credit card numbers are stolen or when they're tricked into revealing their account details, argues Schneider. "The costs are borne across the entire economy, so there's no reason for any one person to get excited," he adds. "Plus, these things happen all the time, and if the public only knew how commonplace the loss of millions of records actually was, it would hardly be newsworthy, right?" No, he's wrong, I'd say. "The press has to stop using scare tactics designed expressly to sell newspapers. And if they don't stop, the whole lot of them should be jailed for shouting 'Fire!' in a crowded chat room," is how the 'Editor's Note' concludes, quite intemperately, and thankfully too. For what Schneider says may be acceptable only if IT security were merely a custom, "More honoured in the breach than the observance," as Hamlet would tell Horatio.
Copyright © 2005, The Hindu Business Line. Republication or redissemination of the contents of this screen are expressly prohibited without the written consent of The Hindu Business Line.