India Inc lags behind in security cover

[InfoSec News <isn () c4i org>]

http://timesofindia.indiatimes.com/articleshow.asp?art_id=20145261

SUNDAY, AUGUST 25, 2002 

NEW DELHI: India Inc does not seem to have learnt much from the
September 11 attack on the World Trade Centre. Almost one year after
the attack, more than three-fourths of Indian companies do not have a
well documented and tested business continuity management plan to
recover in case such a disaster strikes.

Even among those highly dependent on IT, 64 per cent do not have a
corporate wide business continuity plan to address disruption risks,
according to a study conducted by KPMG.

The US financial companies had shown resilience and were up in no time
thanks to the security measures they had taken and the lessons learnt
after the 1993 attack on WTC, but the survey reveals that around 21
per cent of Indian companies still stored the entire data backups at
on-site locations only.

"The study points out that the ability of a business to recover from a
disaster and minimize its losses depends on its state of preparedness
in dealing with business interruptions and restoring operations",
according to Nasscom (National Association of Software and Services
Companies).

"Indian business leaders need to implement a strategy that takes into
account the entire spectrum of risk, ensuring the continued
availability, reliability and recoverability of resources. The advise
to Indian corporates is to avoid getting caught unawares when disaster
strikes and manage risks so that the organisation is always available
for customers and other stakeholders," a Nasscom report quoting the
study said.

However, Neel Ratan, executive director, Global Risk Management
Solutions, PricewaterhouseCoopers said, "establishing a security
policy is definitely becoming an important corporate task".

Quoting the CII-PricewaterhouseCoopers IS Security Survey 2002-03, he
said "74 per cent of the respondents (from a total of 103 large Indian
and MNCs) have increased their security budgets over the previous
year. A large proportion (85 per cent) of the organisations plan to
invest on network protection to manage security."

However, Information Systems Security breaches are also on the rise.  
As much as 80 per cent of the respondents reported breaches in the
last 12 months compared to 60 per cent in 2000-01, he said.

Virus infection continues to be the most chronic of all breaches - a
whopping 75 per cent of the respondents suffered such attacks. Denial
of service attacks are also on rise in India and exploiting known
system vulnerability is the most common method of attack.

"There is an increase in the number of breaches, hackers have become
more creative and better equipped, companies have rated security very
highly but surprisingly not enough initiatives have been taken to
ensure a safe working mechanism," the survey pointed out.

Meanwhile, concerned about the growing number of cyber attacks, the
Society for Electronic Transactions and Security (SETS), a government
body, has created a network security organisations to develop defences
against hackers.

It would develop a comprehensive strategy and technologies to address
information security, including homegrown security products.

A disaster recovery and emergency management center has also been
proposed by SETS.

"Information has become a key asset for organisations in today's age.  
Loads of data run in companies' information systems like customer
data, competitive information, vendor data, product data, historical
information, etc. This information is provided to customers,
employees, vendors and other key constituencies, which interact with
an organisation at all times. This lassiez-faire approach, however,
can lead to chaos. Hence, information access must be selective and
authorised and information transfers secure", the CII survey said.

"The security systems have to work at multiple levels: in case there
is an attack on the website or site-outage; the city is under danger
or sometimes in case of war, the whole country is at risk," said Atul
Bhatia, director, NetSys.

"More and more Indian companies are realising the importance of
keeping the data safe and have off-site backups. Some security
companies are developing solutions for mission critical applications
so that business does not suffer for more than a few hours in case of
an attack," Bhatia added.

Outlining the action points, Ratan said that there was need to create
security culture by educating staff about risks and their
responsibilities.

"The importance of human element in Information Systems Security has
yet to go down well with corporate India. Security is as weak as the
weakest element in the chain and the humans can be one of the weakest
links in the chain," the CII report said, noting only 46 per cent of
the respondents wanted to train staff and a mere 7 per cent wanted to
hire qualified staff.

"There is need to view information security as a business issue and
plan for it upfront along with other initiatives and keep technical
security defences up-to-date in the light of the latest threats,"  
Ratan said.

He further said that the companies needed to map their security needs
to their respective businesses by conducting a business-risk analysis.  
The solution does not always lie in greater expenditure on IT
security.

But if the Indian companies have to survive they will have to spend on
security systems, say experts, noting those without a recovery plan
would be forced out of business in the event of a major IT disaster.




-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.