/vnd/media/agency_attachments/bGjnvN2ncYDdhj74yP9p.png)
Intrusion is no longer an American phenomenon. Indian corporates have finally realised this.
Like everywhere in the world, India too is on the way to reap the benefits of the Internet, e-commerce, and intranet/extranet connectivity. This means throwing open the networks to security hazards. The objective being information security (infosec). Most of the users today have realized the importance of protecting information for the benefit of the company. But the issue is that of having infosec policy and business continuity policy. The concern is about how to maximize the opportunities, while minimizing the risks, especially when hackers are on a malady spree, viruses are growing alarmingly, and bugs are multiplying like parasites. The situation compounds further if the security is breached from within. Statistics prove that it is the internal attacks that are a more alarming concern than those from outside. In fact, most of the users equate this to internal insurgency and consider the battle to be getting picayunish.
Preparedness by Indian Cos.
Getting the preparedness statistics of the organizations out here is a closely guarded affair. That is the prime reason why there is no precise estimate on the levels of security breach. Most of the companies are not open to disclose a security lapse as they believe this could hamper the company's image.
Most attacks go unreported because of two reasons. First, the breach is more often internal rather than external. Many of the companies have stated this off the record. Second, companies do not realize that there has been a security intrusion in the first place. Interestingly, most of the companies realize that an attack happened only after months. More often than not, they even fail to assess the level of damage they had to succumb to.
The Indian corporate world may not have deployed strong infosec measures but the realization is beginning. It was not seen as a major cause of worry some time back for two reasons. One, it was seen more as an American phenomenon. This is primarily because Internet has been relatively a very new phenomenon and that private ISPs have been allowed just a year-and-half ago. And as most of them have dial-up facility it is perceived that the intrusion can happen while being online only.
Further, the connectivity infrastructure in India is very poor. Also, the extent of computerization and using data as information for analysis, etc. is hardly seen in India. So data is not perceived as very sensitive to businesses. However, this seems to be changing. Today, IT and Internet are seen as important productivity tools for business growth and expansion. For example, take the case of the manufacturing sector. Here production scheduling, inventory management, etc. are commonly used applications that are getting automated in the network. And an intrusion into the network can jeopardize everything. And with more and more transactions about to happen online, the danger of business loss looms large.
The Indian corporate world has woken up to the reality that data in their networks can be fiddled with. Some of the bold companies have told that they are keeping the HR information like compensation and benefits in the LAN guarded. This is mostly all from within. Competitors are the last in the category to break in.
Howsoever, infosec is still seen as a reactive rather as a proactive step. At least, products like firewall from Checkpoint, Raptor, and Cisco are getting deployed, though firewall within the network does not mean an end to all problems. Other products like intrusion detection, vulnerability assessment tools, anti-virus, and content security tools all need to go into the network.
Various estimates from the vendors of different security products suggest that the spending on network security deployment was to a tune of Rs 15 crore. And it is estimated that HCL Comnet, Microland, and Ramco share about 85 percent of the market in India. This figure of the total investment may not be very huge in comparison with those in the US or elsewhere. But considering the fact that the Internet has sprout only last year in a major way and Internet and e-commerce are being seen as a tool of next level of business adventure, the figure is remarkable. And a conservative estimate suggests that the figure will more than double year after year in the next few years.
It has always been the software houses, which have been traditionally deploying the security measures. In a way, security has been a de facto standard in this segment. But the vertical markets that deployed these measures in a big-way have been the ISPs and banking and financial segments. Some of the private banks like ICICI, HDFC, and GTB have initiated measures because Internet banking is increasingly becoming part of their offerings. More banks are in the pipeline to deploy infosec measures. Similarly the stock exchanges, especially BSE and the NSE, have gone in for security products. ISPs, almost all the national ones, have a security system in place. The other early adopters of network security are those in the e-commerce domain and the government establishments along with the MNCs who deploy the same kind of measures that are used in other places.
Security Dynamics
Network security is about setting up a defence mechanism. It is more than just the security measures provided by most applications like passwords, etc. In the name of security two things are happening today. While on one hand most companies are avoiding connecting their LANs directly to the external environment, on the other some have installed firewalls in the critical servers on their network. "However, all this is not foolproof and sufficient," explains Balakrishnan R, COO, Euclid. "A firewall is only a tool and it needs to be implemented aptly using security policies and procedures."
Infosec is more about a well-formulated policy than technology deployment. It is about allowing universal access. It is about understanding the user's need and what is provided by way of technology. In toto, a security policy is about understanding business operations, applications and usage, and building a framework around this. A crucial step in this regard is to pinpoint the vulnerabilities, understand how susceptible the network is to a security infringement, monitoring of potential risk factors such as VPNs, cable modems, and mobile users, and to have intrusion detection mechanisms in place to respond quickly and effectively. And most importantly, it needs to be seen that the bandwidth is not clogged.
It is not so easy as on one hand domain expertise is needed, and on the other, it is a process involving people from the top to bottom to define a security policy and how to manage it. Formulation of a security policy does not end with mapping; it demands defining a security scheme-password allocation, backing up of data, and so on. This is a cumbersome process and therefore, most companies are sulking. Whatever the specs, it is crucial to develop a security strategy that addresses the network as a single entity. Anything short of a comprehensive solution leaves the network vulnerable. Internet Security Systems (ISS), a leading player in the security arena, professes that the key to creating useful, transparent, and enforceable network security comes from adopting a process that provides broad-based needs input, careful identification of network resources and access requirements and data-driven implementation and management services.
Another important factor along with the security is a business continuity planning. It is the surrogate capability available in the event of a disaster. Business continuity planning seeks to preserve the assets of an organization in the event of a disaster: Its capability to achieve its mission; its operational capability; its reputation and image; its customer base and market share and; its profitability.