
How savvy has corporate India become in preventing crimes in cyber space? There's a slow change in mindset, with companies becoming more sensitive to security needs, finds this eWorld follow-up.
Neha Kapoor
LAST July, eWorld looked at computer-related crimes that occur in various Indian organisations, the extent of damage they can cause, and the preventive measures that need to be adopted.
One of the points that came across last year was that even though the country was riding the ``IT wave'', a majority of its corporates remained clueless about IT security. A year and a lot of hype have since passed. Most of corporate India is still fighting shy of security issues but the good news is that the mindset is changing, albeit slowly.
Change is on the way
``Two years ago, Gartner had carried out a study about the top 10 concerns of Chief Information Officers (CIOs) across 11 countries in the Asia-Pacific. On a general level, security was the topmost concern for most CIOs, but in India, security took a backseat at number two, the top priority for Indian CIOs being completion of projects on time,'' says Ravindra Dattar, Principal Analyst, IT Services, AMCPL, research partners for Gartner, India.
Things are changing, though, with the software industry being the most aware of security threats and taking adequate measures to prevent them compared to other industries such as manufacturing, he adds.
Says Nikhil Donde, Consultant, Global Risk Management Services, PricewaterhouseCoopers: ``The attitude of Indian companies and institutions towards IT security is changing gradually. It will be a slow process though... you can't expect a company that spends only a few lakhs on security to suddenly be ready to shell out crores.''
``And the most concrete example of this is to be found in the recent Reserve Bank of India (RBI) notice on Internet Banking which makes auditing mandatory,'' says Rakesh Goyal, Director, Managing Director, Sysman Computers.
``Take a look at the statistics from our investigations and you find that the awareness about security started seeping into Indian organisations only during 1999-2000. In 1998-99, we investigated around 76 computer-related crimes which went up to 175 in 1999-2000, compared to 193 in 2000-2001,'' says Goyal.
Also, companies that have security solutions in place are realising the importance of upgrading from time to time in order to fend off attacks. ``Where it was earlier believed that you could implement security solutions and sit pretty thinking your information was safe, today more and more companies are smartening up to the fact that you need to constantly review security to fend off attacks,'' says Donde.
``So, if this year, companies have a budget for putting firewalls in place, then next year they will allocate resources for reviewing the firewalls!''
Common crimes
``Crimes can be carried out using authorised or unauthorised access, either physically or via cyberspace,'' says Dattar. Citing a few examples of unauthorised access, he says companies set themselves up for a fall when an employee leaves and the company
* fails to disable the password for the intranet, giving him continued access to confidential information.
* fails to disable the employee's e-mail ID, so he continues to receive information.
Crimes through authorised access include, among others, selling sensitive information for money, using information for personal gain, manipulating or disturbing data, and buying passwords from the in-house department and selling them to competitors.
``When executives address conferences and seminars, they use their laptops which invariably contain confidential data. There have been many cases where these laptops have been stolen, resulting in loss of crucial information,'' says Dattar. ``To limit the extent of damage, companies should follow a policy of directing employees to store only current data on personal devices.''
``Another area to watch out for is outsourcing IT... companies should check out the credentials of the third party to whom projects are being outsourced. There is huge potential to tap into and exploit data transferred to these parties, especially in the case of Application Service Providers (ASPs),'' he says.
``While outsourcing, companies could enter into a contract with the service providers, much like advertising agencies, which restricts them from working for competitors,'' he adds.
Value of loss
The magnitude of loss differs from case to case, says Donde. ``The gravity of loss depends on the nature of business. For a telecommunication company or an Internet Service Provider (ISP), information is a key resource, unlike for a manufacturing business, therefore a security breach would be more grave for such companies.''
Goyal reiterates, ``It is not very easy to pinpoint the exact value of loss. For some cases that we have investigated in banks, the loss runs up to Rs 15 crore in a single case. And in others there is no direct monetary loss, making it difficult to arrive at estimates.''
A long way to go
``The awareness is building up gradually but India is far from a stage where, like in the US, a Chief Privacy Officer (CPO) is appointed by corporates to ensure complete privacy within the organisation,'' Donde adds.
According to Dattar, there are two main hurdles that Indian companies face as far as IT security is concerned. ``One is pure complacence, which is evident -- for example, in various banks, there is a psychological comfort in believing that a bank clerk doesn't really know much about the technology and therefore cannot do much. Many companies adopt this attitude and become complacent about their systems and their safety.''
``The other deterrent is the cost of security solutions. There are hardly any popular Indian brands of solutions since it takes expensive marketing efforts to establish a brand presence. So companies have to rely on more expensive foreign solutions, which results in lesser number of companies opting for them,'' says Dattar.
``But then again, there are banks that are spending Rs 50-60 crore on computerisation of which negligible amounts are allocated for security,'' says Goyal.
There is the legal angle to be considered too -- the cost of prosecution. ``At this stage most companies would not want to prosecute the guilty party in order to avoid adverse publicity for the organisation. Also, the country is only just beginning to decipher the IT Act and it will take some time to figure out what falls under the purview of the law,'' says Donde.
According to Goyal, ``there are a few ambiguous areas in the Act itself. For example, it does not recognise the difference between hacking and `white hacking'.''
The Information Technology Act 2000, Section 66, says: ``Whoever with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any other person destroys or deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means, commits hacking.''
``So if a company was keen on employing my services for white hacking, I will not be able to undertake the project because I'm not protected by the law. I can only take on the project if I enter into a contract with the company saying that it has commissioned me to hack into its system and that it will not use it against me unless it can prove that the organisation has been harmed by my negligence,'' Goyal says.
While legal tangles will take their own time to get sorted, what companies can do in the meantime is view security issues more seriously. Says Dattar, ``You need properly-formulated security policies to safeguard your systems. The in-house security department should be kept abreast of any change within the organisation. Companies can also use restrictive-access policies, scrambled convention codes, stronger firewalls and encoding.''
Security needs to be a necessity and not an after-thought. And adopting a comprehensive security policy may be the first step that Indian companies need to take towards safeguarding a vital business asset - information.