Financial Daily from THE HINDU group of publications Thursday, Oct 14, 2004 |
Opinion - Accountancy Columns - Account Speak

Information security in the matrix of Mahabharata

D. Murali
There are at least two reasons why you should read the report, available for download at www.ey.com. One, it is from an accounting biggie, collating data from more than 1,230 organisations spread over 51 countries; and, two, there is evidence of India bashing, using the report as an excuse.
For the latter, the URL you can check out is www.theinquirer.net/?article=18939, carrying an article by Nick Farrell titled "Corporations too trusting of Indian security: I know, let's blame Mahabharata", dated October 7.
Threats are more lethal
The epic angle is a bit queer, but before I wage war with Nick, let me see what E&Y says, starting as it does with a quote from Sun Tzu's The Art of War. "Matters have deteriorated" over roughly the last decade, says the report, and it gives two reasons. One, "threats are more lethal", but many organisations are slow to recognise that what they do not know is hurting them, and hurting them badly. "Scaremongers" talk about external threats, but there is greater damage "from insiders' misconduct, omissions, oversights, or an organisational culture that violates pre-existing policies and procedures". And two, "There is little visible change in how security is practised in many organisations" between 1994 and now. "Too many organisations feel that information security has no value when there is no visible attack." What you do not see does not exist, therefore!
Outsource outage
Outsourcing never goes away from the front pages of newspapers, be it responsible for Infy beating analyst recommendations, or Kerry holding viewer attention. But 80 per cent of respondents failed to conduct a regular assessment of their IT outsourcer's compliance with the host organisation's information security regulatory requirements, notes E&Y. "Seventy per cent failed to conduct a regular assessment of their IT outsourcer's compliance with the host organisation's information security policies." Companies are "far too trusting when it comes to Indian outsourcing" is what Nick infers from the survey, but Terry Thomas, Partner, Risk & Business Solutions Practice, E&Y, says that there was no question in the survey asking respondents whether they trusted Indian outsourcing facilities. A case of India paranoia that can make one selective.
Human layer unpeeled
People are your "strongest layer of defence", points out the survey. "No amount of technology can reduce the human dimension." Yet, "management is hesitant to assign priority to human capital but will readily commit to technology purchases, and less than half provide their employees with ongoing training in security and controls." On this, Nick's story notes: "Less than half of the respondents from India provided employees with continuing training in security and control, the report alleged." Terry says, "No, our report does not say that. A question our respondents answered required them to indicate the control environment practices they have deployed in their organisation, on a one-to-five scale, from low to high. Among the practices was one on employees receiving ongoing training in security and control." What was the response? "Taking 3 and above from the scale, the global tally is 82 per cent, while India's is 78. If you look at only 4 and 5, that is, high and very high, the global number is 39, while India scores 40." It would be wrong to cite a country's numbers without citing the global benchmark, Terry opines.

Another line of Nick's reads thus: "Indian organisations said they lacked the skilled security staff and had problems with user awareness of security issues, according to E&Y." Terry explains that the question in their survey on this topic asked respondents to indicate the level at which the availability of skilled staff/retention, and lack of security awareness by users, acted as an obstacle to effective IS within the organisation, again on a one-to-five scale. "Availability of skilled staff and retention issues were 'high to very high' as obstacles for 35 per cent of respondents in India, which is just the same number worldwide too. Security awareness of users is a major obstacle for 45 per cent of global respondents, while it is so only for 32 per cent of Indian companies." Info layers on humans unpeeled, so to say.
Threat matrix
The enemy could be within, warns the firm, even as it finds that most firms rank 'employee misconduct' as "a distant second" behind "major virus, Trojan horse or Internet worms", the top threat to organisations. To highlight the human angle, the report cites a corollary to Murphy's Law: "It is impossible to make anything foolproof because fools are so ingenious." The 'threat matrix' lists seven other security concerns, in descending order of perceived criticality: loss of customer data, distributed denial of service attack, financial fraud, third party accessing info, physical security, poor software quality, and theft of proprietary information.
Measures, countermeasures
Though there is no explicit reporting on insider-perpetrated losses, E&Y's survey quotes estimates of the Association of Certified Fraud Examiners "that the typical US organisation loses 6 per cent of its annual revenues to fraud. When placed in context with the US Gross Domestic Product for 2003, this amounts to roughly $660 billion in total losses." A different E&Y study of fraud had stated that one in five employees had "awareness of other individuals stealing from the employer". Which means the companies' ROI would be far better if these leakages got plugged. Most companies are aware of risks and have a 'business continuity plan'. But "few have adequately tested it beyond a tabletop exercise," E&Y observes. In practice, most plans "never survive contact with reality." Would you be comfortable testing your fire extinguisher only when a fire breaks out? Organisations are getting flatter, more decentralised and far-flung, and "having so many characters in the cast, comes at a cost." What cost? "Single events can have profound impacts that cascade from one venue to another," despite senior management believing that their company is resilient. Why so? Because in the extended enterprise, "the actual functional effectiveness of information security naturally gravitates to the lowest level achieved by anyone in the network." Thus, as a chain's strength is determined by its weakest link, "if one trading partner has a poor identity management programme, another never tests its disaster recovery plan, and a third does not regularly assess its IT outsourcers' compliance with information security policies, one's own security posture cannot logically rise above the lowest point achieved by these other entities." The only option, if you do not want to give due care to this issue, is to cut yourself out of the network and be isolated.
Political agenda?
How does E&Y look at India as an extended enterprise destination from a security viewpoint, I ask Terry, and he responds: "India is doing a fairly good job on the security front as good as any other global company in any part of the world. India fared very well in this survey." That being the case, I wonder if there could be a political agenda in picking numbers selectively from a Big Four firm's survey to denigrate a country. Perhaps that is a risk any matrix of numbers faces.
Copyright © 2004, The Hindu Business Line. Republication or redissemination of the contents of this screen is expressly prohibited without the written consent of The Hindu Business Line.