The Hindu Business Line : Read forecasts with care

EVERY New Year begins with a wide spectrum of predictions for a range of people. Astrologers dishing out forecasts seldom convey the unpleasant, lest they offend customers. If they still have to say something disagreeable, they are famous for doling out prescriptions to ward off the malefic influence of some planets!

The whole process is somewhat of an annual ritual that can tickle the non-believer, but spur the less rational into remedial action. These were the thoughts that crossed my mind when I recently came across an IBM prognosis for 2006 on the cyber security front.

Organisations are no different from people, and face their own threats and opportunities. According to the IBM crystal ball, what awaits us in 2006 is a mixture of the good and bad.

Yes, large organisations are now undoubtedly more sensitive to data security than before. They have fortified themselves so much that intruders are finding it increasingly difficult to penetrate. The flip side is the established and well-equipped intruder will not give up his fight in the years to come. He may be expected to shift gear from massive global attacks so as to concentrate on specific organisations to unleashsmaller and stealthier operations, with extortion as his main objective.

Nevertheless, as intelligent beings, we need to launch some sustained and meaningful preventive action that would blend the traditional and innovative and avert disasters on the Net.

IBM has a Global Security Intelligence team, as also a Security Operations Centre, which monitors a large number of customer networks. The outcome of their labours is the annual Global Business Security Index Report, a compendium of its monthly assessment, which is a must-read for those in the business of protecting computer systems for companies of any size.

Digesting it, one gets the feeling that hypes about dangers to online security need to be viewed with balance and circumspection.

Some statistics offered by IBM are interesting. Nearly one billion suspicious computer security events were logged in 2005. While this was a formidable number, what was somewhat heartening was that e-mail-borne viruses showed a nearly 3 per cent decline.

The year did not also witness any major global malware outbreak. There was a lone worm, Zotob, that did not exactly set the Thames on fire.

Against this backdrop of encouraging trends, what should be of some concern is that e-mail attacks continue to pose a threat to the average computer user. Last year, there were nearly two or three targeted e-mail attacks per week.

One also saw a rise in phishing. About one in 300 mails attempted this tricky financially motivated crime that is fast becoming a scourge of banking.

Newer and newer botnets that target the Internet and the arrival of malware that is specifically aimed at mobile devices are other threats on the radar screen that cannot be ignored.

Software is inarguably much more secure now than before, presenting diminished opportunities even to the determined cyber criminal. It is, therefore, logical that the latter will turn to other tactics, especially the subversionof the loyalties of the end user. We already know how social engineering poses the biggest challenge to modern offices. The suggestion is that those coming into organisations will have to be vetted with greater care. This is a daunting task because we know how the process of background checks is weak even when you entrust the job to the most tried agencies.

Perhaps more problem-ridden is the exercise of keeping a tab on employees. There are not only legal and ethical issues. The whole task reeks of practical difficulties, as numbers are growing at a bewildering speed.

Compounding the situation is blogging. This is no doubt a welcome addition to the armoury of the supervisor as well as the HR manager in their efforts to strengthen internal communication channels. It is a good means to exchange views on a variety of issues that are germane to an organisation.

It is, however, a double-edged weapon. Unchecked, blogging can lead to leakage of sensitive information, which may be fatal to the cyber security within an organisation. It is quite possible that a cyber criminal will be tempted to resort to this medium to prepare the ground for an attack. At least this is what IBM thinks. The IBM report could raise newer concerns among computer users. What should cheer us up is the increasing sophistication of the predictive mechanism that is now available to us. For instance, there was a lot of apprehension about the worm Kama Sutra that was discovered on January 16. It was expected to cause colossal damage worldwide to Microsoft Word, Excel and PowerPoint documents. Ultimately the fears proved exaggerated, with only about 3,00,000 computers reporting problems. Preventive action on the part of many large corporations possibly accounted for this minimal damage. Monitoring of networks seems, therefore, to have come of age. This is encouraging in a world that is coming under increased pressures from fundamentalism and also terrorism. Many terrorist groups use the Internet either to promote their own ideology or for direct attacks against their detractors.

The only weapon against politically-inspired assaults against cyberspace will be a good monitoring system. It may not prevent an attack. It can at least alert us of an impending attack so that we can minimise the damage. Viewed in this perspective, assessments like those of IBM are worth their weight in gold. Going back to where I began, is IBM doing better than the average astrologer in accurately portraying the dangers that await us? Will it succeed in waking up traditional organisations from their slumber and complacence? We will have to wait and watch the current year's happenings before we can pass judgment on IBM's ability to predict and persuade.

The writer is a former CBI Director who is currently Adviser (Security) to TCS Ltd.