Forwarded From: Stuart Sabel <stuartsat_private> Hiring hackers to protect systems By P. Vikram Reddy, The Hindu HYDERABAD, Jan. 24. The statement that ``People are hiring hackers to protect themselves from hackers", perhaps reflects best the extent to which IT companies as also other organisations, for whom information is the most valuable asset, are forced to go, to protect their systems. With focus shifting to India, the next question one needs to ask is how strong are the information security systems here. Or for that matter what is the level of awareness of the information security systems? It is against this background that the KPMG Peat Marwick (KPMG), the global professional advisory firm, has decided to launch India's first Information Security Survey (ISS). It is perhaps appropriate that it was launched in Hyderabad, which is attracting a lot of IT activity. With 92,000 people collaborating worldwide, the firm provides consulting, tax and audit services from over 825 locations in 157 countries. It has been conducting Information Security Surveys in the U.S. and the U.K. periodically. India happens to be only the third country where the organisation has taken up such a survey. About 3,100 Indian corporates will be covered by the survey, based a detailed postal questionnaire. Of them 146 are from Andhra Pradesh and 88 from Hyderabad. The ISS is conducted by Information Risk Management (IRM) practice, a specialist within the KPMG. `` Looking at the imminent growth of India on the world technology map, KPMG has targeted it as the next most important location to conduct the survey'', says Mr. Sridar A. Iyengar, CEO. And as Mr. Sanjay Dhawan, Director, says ``With business getting so globalised, risks and procedures and policies do not change from country to country''. The IRM practice has been conducting a biennial ISS of the U.K. and Ireland since 1996, to investigate the state of security. The 1998 U.K. survey has been an eye opener. It shows that electronic commerce represents a major security threat, the year 2000 date format problem and economic and monetary union in Europe are highlighting security issues. Of more concern is the finding that security offences are going undetected, recovery plans remain untested and security policies are inadequate. The single most important business issue in terms of its likely impact on security was considered to be electronic commerce followed by mobile computing. Almost two-thirds of the organisations used Internets. But over three quarters of them had not tested the security of their internet site, and less than half had procedures covering internet use. A third of Internet users had systems which do not provide security violation reporting or did not review it, and half of those using mobile computing did not have procedures covering this. It was found that only half of the organisations carry out formal reporting of security incidents and only half of these take action against offenders. Only a half had an approved computer security policy. What could be the consequences? Inherent risks might result in disruption of business operations and loss of management control. It found users were least aware of the information security. Awareness of a formal disaster recovery/ business continuity plan is still considered low in India. An interesting finding was that ``Security saves money". Organisations were incurrring losses to the tune of two to three times the cost they would have incurred for setting up a secure IT environment at the initial stage. And 20 per cent of respondents said that their risk management programmes enabled them to obtain a discount on cost of insurance. A matter of concern is the response level. A 11 per cent response is considered good. Even in the U.K. where the survey covered 15,000 companies, only 1,000 responded. About 52 per cent were from IT companies, 33 per cent finance and 15 per cent others. ``If companies do not respond and we alert them to their problem (through questionnaire) - our objective would have been met (of creating awareness)", says Mr. Dhawan. What about the post survey scenario? The KPMG has been instrumental in designing IT security, IT risk management, system reviews and IT control environment review. But how many surveyed companies come back for consultancy? ``We do not monitor how many seek consultancy", says Mr. Dhawan, reflecting the veil of secrecy around such information. -o- Subscribe: mail majordomoat_private with "subscribe isn". Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:17:29 PDT