Financial Daily from THE HINDU group of publications
Monday, Nov 28, 2005
eWorld
Features
Stocks
Shipping
Archives
Google

Group Sites

 eWorld - Insight
Info-Tech - Security


A risky ride

Raja Simhan T.E.
Nina Varghese

A ride without protective gear such as the helmet is fraught with risks. Many companies in the old economy sector are riding the IT highway without adequate security safeguards. eWorld tracks the scene.

INDIA may be a leader in Information Technology. But, when it comes to IT implementation in the old economy sector, the scene appears bleak.

Security concerns are looming and have been highlighted by some recently reported cases of data theft.

Sundram Fasteners, auto ancillary major and supplier to General Motors, lost valuable industrial information. TAFE Ltd, a large old economy player, lost important designs. In yet another instance, a technical director of a digital electrical meter manufacturing company was arrested on charges of stealing company software and trying to sell it abroad.

In all the three instances, former company employees were involved and were arrested by Chennai police.

R. Nataraj, Greater Chennai Police Commissioner, says there have been a number of such instances in the last one year. However, it is only now that companies are reporting data theft to the police.

In the case of Sundram Fasteners, the intruder from Visakhapatnam illegally entered the company's computer server from where confidential information was stolen. The company did not change its passwords in the server.

Nataraj says there have been over 100 complaints in the last one year, and a number of them relate to various companies.

Investigating these crimes is challenging for the department, which has set up a cyber crime cell with a senior officer trained to deal with such crimes.

"We hope more companies come forward when something happens. It will create awareness among companies," Nataraj told eWorld.

Most old-economy Indian companies still have legacy systems and are yet to cross the first stage of investing in firewalls and anti-virus solutions.

They are yet to consider authentication and intrusion-detection solutions, says an official with an IT company.

According to estimates, the Indian electronic security market is worth over Rs 350 crore and annually growing at 50 per cent.

The global market, including biometrics, embedded security, cryptography, smart cards and access controls, is estimated to be about $15 billion.

A report on Information Systems Security Survey by the Confederation of Indian Industry and PricewaterhouseCoopers (PwC) says that information security — the assurance of system availability, data confidentiality and integrity — has become a serious concern in today's more open and interconnected business environment.

Web services, peer-to-peer systems and the increasing availability of IT - all intended to make access to information easier - are rapidly creating a number of vulnerabilities. As a result, the need for better security is compelling enterprises to redesign their business process to close this vulnerability gap.

With the right strategic plan and sound management approach, organisations can leverage their investment in information security to improve business processes throughout the extended enterprise, the report says.

Some key trends that emerge from the survey are:

  • Information security gets high priority amongst a majority of companies.

  • Information security breaches continue to rise for the third consecutive year to the present 83 per cent from 80 per cent in 2002-03 and 60 per cent in 2000-01.

  • While viruses continue to be the single largest source of breach (affecting 76 per cent of the respondents) non-virus security incidents have affected an alarming 54 per cent of the respondents, the report says.

  • About 36 per cent of the respondents saw security breaches due to abused user permissions, guessed passwords, poor access controls and human error/unintended configurations.

    "It is a very sensitive issue, and we cannot talk about," says an official of a leading automobile company. This was what officials of a few old economy companies had to say when contacted by eWorld on the security initiatives they had put in place.

    The chief executive of a leading fast moving consumer goods (FMCG) company says, "I must confess that our dependence on IT is relatively less compared to that of IT companies. Being an old economy company, we still use a lot of paper in addition to online communication. Consequently, we have to deal with leakage of information online as well as offline. We are in the process of understanding this whole subject and it will be sometime before we really can say that we have an information security management system."

    This sums up the state of the industry.

    The problem of disgruntled employees joining competitors with vital information — such as strategy, pricing and customer lists — is an old one. But this problem has grown many times over in the past two years.

    According to Manikam Ramaswami, Chairman, Loyal Textiles, two senior-level executives who left the company to join textile start-ups in the South had downloaded customer lists. They were also in touch with some employees of the company who were giving them inside information on quotations and so on.With this information, they put in competitive quotes, often quoting that much lower, he says.

    "We try to be open with staff and share information with them. We tell them they are part of the company. It will be difficult not to share such information," he says.

    M. Suresh, DGM, IT, Hyundai Motor India, also feels that theft of important data and drawings is on the rise with regard to old-economy companies, which still have some of the legacy systems while trying to implement IT.

    Preventing soft copy download, copying of drawing and sending as attachment, can restrict theft, he suggests.

    For instance, the company's drawing server is hosted in Korea. This can be accessed through HMIL intranet only.

    Access authority is given to the persons concerned with password protection. Hard copy issue is controlled through issue process, which is based on end-user request. Security control is handled at the Korea end, he says.

    The National Association of Software and Service Companies (Nasscom) is working with the Government to put in place laws that are sensitive to today's changing environment.

    According to Nasscom, within the IT and ITES (IT-enabled services) industry, the association is striving for higher standards of compliance with laws respecting an individual's right to privacy and security of his data.

    It is also helping law enforcement agencies to equip themselves with knowledge to investigate, and more importantly, to prevent new forms of cyber crimes.

    Nasscom has also embarked on a series of initiatives at multiple levels focussing on security and strengthening the regulatory framework. These include:

  • Engaging with the Ministry of IT to amend the IT Act around the areas of technology neutrality of digital signatures, redefining computer-related offences to encompass new types of cyber crimes, and framing relevant guidelines on data protection.

  • Conducting training programmes for enforcement authorities in India to increase awareness of cyber crime, establish best practices for collecting cyber evidence and conducting cyber forensics.

    In Mumbai, over 400 officers have already been trained and this will be extended to five other cities in India. Nasscom has already recruited a senior police officer of DIG rank to drive this initiative.

  • Engaging with regulators, media, elected officials and think-tanks in the US and the EU to increase awareness about the security and privacy environment in India.

    Some do's

    PRICEWATERHOUSECOOPERS (PwC), in its report on the security scene, suggests some measures companies can adopt to boost information security. They are:

  • Enhance end-user awareness and create a `security-aware culture' by imparting training on security issues. Invest appropriately in security controls to mitigate the risks business faces and/or transfer these risks through insurance.

  • Large businesses should focus on specialised security staffing.

  • Focus on incident management and incident reporting. A security dashboard for senior management is extremely useful.

  • Integrate security into normal business practice, through a clear security policy and staff education. Also ensure compliance and monitoring.

  • Develop a disaster recovery plan, but more importantly, test the plan constantly.

  • Improve/implement patch management procedures in addition to anti-virus updates across the IT assets of the enterprise.

  • Report attack incidents to external agencies to help in the creation of solutions to address reported vulnerabilities.

  • Draw on the right experiences to understand the security threats one's business faces and any legal responsibilities that must be fulfilled.

    Picture by R. Ragu

    raja@thehindu.co.in

    Article E-Mail :: Comment :: Syndication :: Printer Friendly Page

    More Stories on : Insight | Security

    • Stories in this Section
    Read the pattern

    A risky ride
    IT opens productivity valve
    Wrong size? Outsource the right fit!
    Defragmentation process fails
    Effective and free security products
    `SAP has a clear roadmap'
    `Heed the WiMax call'
    In the spotlight
    A vote for status quo
    Quiz
    ICT-isation can help make government processes SMART
    Cartoon
    Capture those moments

    The Hindu Group: Home | About Us | Copyright | Archives | Contacts | Subscription
    Group Sites: The Hindu | Business Line | The Sportstar | Frontline | The Hindu eBooks | The Hindu Images | Home |

    Copyright © 2005, The Hindu Business Line. Republication or redissemination of the contents of this screen are expressly prohibited without the written consent of The Hindu Business Line