Business Daily from THE HINDU group of publications
Monday, Jan 08, 2007
Information security begins with ... people!

Vinson Kurian

The challenge is to modify employee behaviour.


[Photo: Anup Narayanan]

Internal data thefts are happening despite IT companies employing the best "technology" in firewalls, encryption and anti-virus. In some cases, the best "processes" (as in ISO 27001 certifications) have been lined up for securing data.

But these need not always work, as made clear in a "sting" job performed in recent times on an Indian BPO, showing the entire industry in poor light.

According to Anup Narayanan, Founder and Senior Consultant of the Bangalore-based First Legion Consulting, organisations must look at mitigating the impact of "human error, human fraud and human incompetence" on business. The challenge is to modify employee behaviour to mitigate threats, make them understand the consequences of bad information security behaviour and reward them for good information security behaviour.

The need of the hour is to put in place an "information security behaviour management" system.

All behaviour is learned through the consequences that follow, Narayanan tells eWorld in a Q&A session. Excerpts:

Is there increasing realisation among the industry that "human error, not system weaknesses" is the leading cause of serious security violations?

Yes, there is, especially in the wake of recent internal frauds in BPOs. These incidents have revealed that there is a serious gap between writing a security policy and practising it. It is not the policy or security product per se that is important, but the people who manage it and are affected by it.

To summarise, your best encryption tool is only as strong as the character of the person who has the encryption/decryption key.

How are individual companies responding to this challenge, especially in the context of the sting that showed Indian BPO business in poor light?

Sadly, the response follows an approach that has not produced good results. Most companies have an information security training programme. They complement this with background checks and by making employees sign non-disclosure agreements.

But these are not effective beyond a certain point since, on the one hand, organisations talk big about trust and motivation and, on the other, make employees follow policies and procedures that demonstrate a lack of trust. This is fraught with the risk of inviting employee de-motivation.

Are companies willing to "create, enforce, and regularly review" their security policy? How do they go about doing it?

The answer is not policy, but common sense. Managers must talk to employees and make them see both sides of the story. An average employee is right in asking the question, "Why do you check my bag and laptop every time I enter the organisation?" The management must provide a response based on the theme of "due care and due diligence". Managers must explain to employees that it is not a question of mistrust, but of the organisation merely constantly practising "due care and due diligence" to avoid a potential hit-and-run case from happening.

How do you respond to the oft-repeated need for a "whistleblower" policy in order to raise an alert against likely data theft? Would just routine testing, monitoring, and evaluation of safeguards for minimising identified risks do?


[Photo: Safety rests with the user. Photo: K.K. Mustafah]

Whistleblower policies are good and must be mandatory because they show that the organisation has focus on ethics and good corporate governance. Routine testing, monitoring and evaluation are mandatory. But I must also point out a fact here.

Many organisations that have a certified information security management system do routine checks as part of the routine certification audit cycle. They tend to do just enough to pass the certification audit, and once the audit and certification are cleared they tend to relax. This attitude devalues routine monitoring, and these organisations face maximum threats.

But, I have also seen companies that do routine evaluation based on a self-realised need. They get very good results with routine evaluations and checks.

How do you view Nasscom's setting up an independent Self Regulatory Organisation (SRO) to enforce stricter regulations for data protection in the BPO sector?

Definitely a big step forward. With India's growing prominence as a knowledge hub of the world, the SRO clearly shows how much we value knowledge (intellectual property).

A proposed amendment to the IT Act seeks to put the onus on foreign companies to prove that an Indian counterpart has been involved in data theft. Is this workable at all?

We have to look at the wording of the amendment before commenting on it. My opinion on the IT Act of India is that it is quite mature and it addresses important aspects of cyber crime, though there is much work to be done in the area of privacy.

I really don't see the Government adopting a "holier than thou" attitude, especially in the wake of recent computer security frauds. We should be seeing something mature and reasonable.

Do we need to have a data protection law in place? Do we need to develop a risk assessment model and methodology applicable to information security?

Yes, and the data protection law must come under the larger umbrella of privacy and corporate governance.

Unless we learn to respect individual privacy concerns, we will not be able to build a larger security framework. The UK has done very good work for ensuring privacy at a macro level through the UK Data Protection Act, which aligns well with their CMA (Computer Misuse Act), which in turn was recently amended with more improvements.

But the US has done some excellent work at a micro level through HIPAA (Health Insurance Portability and Accountability Act) and GLBA (Gramm-Leach-Bliley Act) etc.

India would do well to combine the best portions from the respective acts and draft a good data protection framework.

Does the information security function in companies actively engage with other units (like human resources and legal counsel) to develop and enforce compliance with information security policies and practices?

On paper, yes. In reality, not much. The reason is that when you look at the management structure of an organisation, there are individual business functions such as HR, accounts, legal, admin, sales and marketing. Each of these functions has fixed targets, and achievement of these targets is used as a metric to measure their performance. But information security is not treated as a "business function" because organisations do not know how to measure information security. To enable better engagement with other units, information security should become measurable in order for it to be treated as a true "business function", similar to HR or marketing.

A model such as ISM3 (Information Security Management Maturity Model) is useful in this context because it uses metrics to show the true value of information security in achieving business goals, ensuring sustenance and prosperity. When information security becomes measurable and manageable, you shall see more cooperation between business functions and the information security department and the result is that incidents come down or the impact of incidents is tolerable.

vinson@thehindu.co.in

Copyright © 2007, The Hindu Business Line. Republication or redissemination of the contents of this screen are expressly prohibited without the written consent of The Hindu Business Line