Financial Daily from THE HINDU group of publications
Monday, Jun 13, 2005

Port Info

Group Sites

eWorld - Security
Columns - Security Musings

Beat back the bugs

R.K. Raghavan

New viruses and worms are on the prowl. There's also theft, and loss of data. Companies need to apply smarter security practices.

IT is a trying time for those whose job is to fight viruses and worms that are out to destabilise your computer systems.

Last year, we had the most publicised and discussed Sasser. The German youth responsible for authoring this deadly worm is to go on trial in the next few days. We also had a series of other attacks: Slammer, BugBear, Blaster, Sobig and MyDoom.

The current year has also been eventful. The past few weeks have given us moments of anxiety that all is not well with the cyber world.

We first had the Sober worm harassing us with spam it was spawning at an alarming frequency. As I write this column, there are reports of a wave of variants of the Bagle worm that was first identified in 2004. MessageLabs places the number of mails affected by Bagle at more than 850,000.

Imagine the time and money lost in fixing these problems every other day. I am no pundit in viruses and worms. Those who are knowledgeable say there is precious little we can do to prevent attacks.

We can, however, fortify e-mail servers, proxy servers, desktops and laptops. A round-the-clock control room manned by a team of energetic and specially-briefed employees needs to be on the job to watch out for strange happenings on the system and also to act on alerts issued by anti-virus firms.

Companies that do not guard themselves with such a focused and fleet-footed action group may have to pay a heavy price in terms of extended downtime.

Virus attacks are no doubt serious and aim at distorting data or bringing online operations to a standstill.

Data theft — another worry

Perhaps more worrisome to the boardrooms, especially of service industries, are blatant thefts of data. LexisNexis, information-provider on a variety of sectors to a host of customers, announced in April that it had lost data pertaining to 310,000 US residents.

According to Gartner, the renowned IT research organisation, what was significant about this identity theft episode was the considerable time taken to arrive at the precise number of persons who had been directly affected.

Less pardonable is the physical loss of stored up data. The Bank of America was quick to admit, that in February this year, some tapes carrying customer and account data of more than a million US Federal workers had been lost in transit to a back-up data centre.

One can fault the bank for using a commercial airliner to convey the tapes. But then it was possibly the most cost-effective means.

And just last month, it has been reported, CitiFinancial lost a box of computer tapes containing information on 3.9 million customers.

What it all adds up to is that organisations handling sensitive data need three-fold protection: from malicious software (virus, adware, spyware) daring identity theft by those who can profit from sale of such illegally obtained data to the underworld and loss of data, either by negligent staff or a negligent carrier (as in the case of Bank of America).

There is unfortunately poor understanding of this grave situation from some who ought to know and whose longevity at the top is intimately connected with protecting systems and data.

How do we get to know what corporate functionaries think about information security? Is the popular impression that the latter are apathetic correct? Not really. Survey results are mixed. They point to awareness as well as indifference, especially when customers do not crib about lax security.

The surveys that I know of are imaginative and focused, although I will not exaggerate their validity. They no doubt carry sufficiently meaningful analyses that should educate and motivate business leaders.

I am generally impressed with the CII-PwC survey of 2002-3, the Ernst & Young's of 2003 and the Quocirca's released May this year. I would not like to tire readers by cataloguing all the conclusions. The general sense of what the surveys found was that there is a lot more that companies can do to protect their information assets.

Not all companies have an IT Security Policy Document. This may not, however, make much of a difference in terms of the rise or drop in numbers of breaches.

But the existence of a policy document does give employees a clearer perception of what they should or should not do if they want to upgrade information security. It further gives them an idea of the source(s) of threat of an attack. Not many companies have a proactive procedure that will look for and identify attacks before the damage is done. Money is a factor that weighs heavily with some, while considering whether or not to opt for a periodical audit of their systems.

What is most amusing is the reluctance to permit an outside agency to do the audit, because of a possible exposure of practices within a company to the outside world.

There is, nevertheless, a growing trend of companies outsourcing security at a considerable cost. This is not merely an honest admission of a lack of internal talent.

It is also the outcome of a professional assessment that this is too important an area to be left to an internal group that has too many demands on its time and cannot bring in the best practices in the field, normally known only to a security consultant who has access to information on new tools and happenings across industries.

`Managed security services' as a viable concept has come to stay, and I see no way out, especially for the smaller firms that need nothing less than state-of-the-art security if only they are to move forward with their expansion plans.

One word of caution to those who consider IT security an unimportant activity. Recent experience is, the present day viruses and worms are deadlier than those of till a decade ago. They act much faster and naturally cause the greatest damage before they are identified and chased away. Is this not reason enough for a greater interest and less parsimony in institutionalising information security?

The author is a former CBI Director and is currently Adviser to TCS Ltd.

Article E-Mail :: Comment :: Syndication :: Printer Friendly Page

Stories in this Section
Opening a new window

Courting the glare
Check your worth
All work ... and more play
Configuring Outlook Express
For a smooth voice chat
No peeking
Beat back the bugs
Cruising along...
Running at rank 121
Nomadicity isn't the same as mobility

The Hindu Group: Home | About Us | Copyright | Archives | Contacts | Subscription
Group Sites: The Hindu | Business Line | The Sportstar | Frontline | The Hindu eBooks | The Hindu Images | Home |

Copyright 2005, The Hindu Business Line. Republication or redissemination of the contents of this screen are expressly prohibited without the written consent of The Hindu Business Line