[ISN] India Inc lags behind in security cover

From: InfoSec News (isnat_private)
Date: Sun Aug 25 2002 - 23:25:25 PDT

  • Next message: InfoSec News: "[ISN] Sneakernet Redux: Walk Your Data"

    http://timesofindia.indiatimes.com/articleshow.asp?art_id=20145261
    
    SUNDAY, AUGUST 25, 2002 
    
    NEW DELHI: India Inc does not seem to have learnt much from the
    September 11 attack on the World Trade Centre. Almost one year after
    the attack, more than three-fourths of Indian companies do not have a
    well documented and tested business continuity management plan to
    recover in case such a disaster strikes.
    
    Even among those highly dependent on IT, 64 per cent do not have a
    corporate wide business continuity plan to address disruption risks,
    according to a study conducted by KPMG.
    
    The US financial companies had shown resilience and were up in no time
    thanks to the security measures they had taken and the lessons learnt
    after the 1993 attack on WTC, but the survey reveals that around 21
    per cent of Indian companies still stored the entire data backups at
    on-site locations only.
    
    "The study points out that the ability of a business to recover from a
    disaster and minimize its losses depends on its state of preparedness
    in dealing with business interruptions and restoring operations",
    according to Nasscom (National Association of Software and Services
    Companies).
    
    "Indian business leaders need to implement a strategy that takes into
    account the entire spectrum of risk, ensuring the continued
    availability, reliability and recoverability of resources. The advise
    to Indian corporates is to avoid getting caught unawares when disaster
    strikes and manage risks so that the organisation is always available
    for customers and other stakeholders," a Nasscom report quoting the
    study said.
    
    However, Neel Ratan, executive director, Global Risk Management
    Solutions, PricewaterhouseCoopers said, "establishing a security
    policy is definitely becoming an important corporate task".
    
    Quoting the CII-PricewaterhouseCoopers IS Security Survey 2002-03, he
    said "74 per cent of the respondents (from a total of 103 large Indian
    and MNCs) have increased their security budgets over the previous
    year. A large proportion (85 per cent) of the organisations plan to
    invest on network protection to manage security."
    
    However, Information Systems Security breaches are also on the rise.  
    As much as 80 per cent of the respondents reported breaches in the
    last 12 months compared to 60 per cent in 2000-01, he said.
    
    Virus infection continues to be the most chronic of all breaches - a
    whopping 75 per cent of the respondents suffered such attacks. Denial
    of service attacks are also on rise in India and exploiting known
    system vulnerability is the most common method of attack.
    
    "There is an increase in the number of breaches, hackers have become
    more creative and better equipped, companies have rated security very
    highly but surprisingly not enough initiatives have been taken to
    ensure a safe working mechanism," the survey pointed out.
    
    Meanwhile, concerned about the growing number of cyber attacks, the
    Society for Electronic Transactions and Security (SETS), a government
    body, has created a network security organisations to develop defences
    against hackers.
    
    It would develop a comprehensive strategy and technologies to address
    information security, including homegrown security products.
    
    A disaster recovery and emergency management center has also been
    proposed by SETS.
    
    "Information has become a key asset for organisations in today's age.  
    Loads of data run in companies' information systems like customer
    data, competitive information, vendor data, product data, historical
    information, etc. This information is provided to customers,
    employees, vendors and other key constituencies, which interact with
    an organisation at all times. This lassiez-faire approach, however,
    can lead to chaos. Hence, information access must be selective and
    authorised and information transfers secure", the CII survey said.
    
    "The security systems have to work at multiple levels: in case there
    is an attack on the website or site-outage; the city is under danger
    or sometimes in case of war, the whole country is at risk," said Atul
    Bhatia, director, NetSys.
    
    "More and more Indian companies are realising the importance of
    keeping the data safe and have off-site backups. Some security
    companies are developing solutions for mission critical applications
    so that business does not suffer for more than a few hours in case of
    an attack," Bhatia added.
    
    Outlining the action points, Ratan said that there was need to create
    security culture by educating staff about risks and their
    responsibilities.
    
    "The importance of human element in Information Systems Security has
    yet to go down well with corporate India. Security is as weak as the
    weakest element in the chain and the humans can be one of the weakest
    links in the chain," the CII report said, noting only 46 per cent of
    the respondents wanted to train staff and a mere 7 per cent wanted to
    hire qualified staff.
    
    "There is need to view information security as a business issue and
    plan for it upfront along with other initiatives and keep technical
    security defences up-to-date in the light of the latest threats,"  
    Ratan said.
    
    He further said that the companies needed to map their security needs
    to their respective businesses by conducting a business-risk analysis.  
    The solution does not always lie in greater expenditure on IT
    security.
    
    But if the Indian companies have to survive they will have to spend on
    security systems, say experts, noting those without a recovery plan
    would be forced out of business in the event of a major IT disaster.
    
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Mon Aug 26 2002 - 02:09:48 PDT