http://timesofindia.indiatimes.com/articleshow.asp?art_id=20145261 SUNDAY, AUGUST 25, 2002 NEW DELHI: India Inc does not seem to have learnt much from the September 11 attack on the World Trade Centre. Almost one year after the attack, more than three-fourths of Indian companies do not have a well documented and tested business continuity management plan to recover in case such a disaster strikes. Even among those highly dependent on IT, 64 per cent do not have a corporate wide business continuity plan to address disruption risks, according to a study conducted by KPMG. The US financial companies had shown resilience and were up in no time thanks to the security measures they had taken and the lessons learnt after the 1993 attack on WTC, but the survey reveals that around 21 per cent of Indian companies still stored the entire data backups at on-site locations only. "The study points out that the ability of a business to recover from a disaster and minimize its losses depends on its state of preparedness in dealing with business interruptions and restoring operations", according to Nasscom (National Association of Software and Services Companies). "Indian business leaders need to implement a strategy that takes into account the entire spectrum of risk, ensuring the continued availability, reliability and recoverability of resources. The advise to Indian corporates is to avoid getting caught unawares when disaster strikes and manage risks so that the organisation is always available for customers and other stakeholders," a Nasscom report quoting the study said. However, Neel Ratan, executive director, Global Risk Management Solutions, PricewaterhouseCoopers said, "establishing a security policy is definitely becoming an important corporate task". Quoting the CII-PricewaterhouseCoopers IS Security Survey 2002-03, he said "74 per cent of the respondents (from a total of 103 large Indian and MNCs) have increased their security budgets over the previous year. A large proportion (85 per cent) of the organisations plan to invest on network protection to manage security." However, Information Systems Security breaches are also on the rise. As much as 80 per cent of the respondents reported breaches in the last 12 months compared to 60 per cent in 2000-01, he said. Virus infection continues to be the most chronic of all breaches - a whopping 75 per cent of the respondents suffered such attacks. Denial of service attacks are also on rise in India and exploiting known system vulnerability is the most common method of attack. "There is an increase in the number of breaches, hackers have become more creative and better equipped, companies have rated security very highly but surprisingly not enough initiatives have been taken to ensure a safe working mechanism," the survey pointed out. Meanwhile, concerned about the growing number of cyber attacks, the Society for Electronic Transactions and Security (SETS), a government body, has created a network security organisations to develop defences against hackers. It would develop a comprehensive strategy and technologies to address information security, including homegrown security products. A disaster recovery and emergency management center has also been proposed by SETS. "Information has become a key asset for organisations in today's age. Loads of data run in companies' information systems like customer data, competitive information, vendor data, product data, historical information, etc. This information is provided to customers, employees, vendors and other key constituencies, which interact with an organisation at all times. This lassiez-faire approach, however, can lead to chaos. Hence, information access must be selective and authorised and information transfers secure", the CII survey said. "The security systems have to work at multiple levels: in case there is an attack on the website or site-outage; the city is under danger or sometimes in case of war, the whole country is at risk," said Atul Bhatia, director, NetSys. "More and more Indian companies are realising the importance of keeping the data safe and have off-site backups. Some security companies are developing solutions for mission critical applications so that business does not suffer for more than a few hours in case of an attack," Bhatia added. Outlining the action points, Ratan said that there was need to create security culture by educating staff about risks and their responsibilities. "The importance of human element in Information Systems Security has yet to go down well with corporate India. Security is as weak as the weakest element in the chain and the humans can be one of the weakest links in the chain," the CII report said, noting only 46 per cent of the respondents wanted to train staff and a mere 7 per cent wanted to hire qualified staff. "There is need to view information security as a business issue and plan for it upfront along with other initiatives and keep technical security defences up-to-date in the light of the latest threats," Ratan said. He further said that the companies needed to map their security needs to their respective businesses by conducting a business-risk analysis. The solution does not always lie in greater expenditure on IT security. But if the Indian companies have to survive they will have to spend on security systems, say experts, noting those without a recovery plan would be forced out of business in the event of a major IT disaster. - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Mon Aug 26 2002 - 02:09:48 PDT